• DocumentCode
    1539226
  • Title

    Building the IBM 4758 secure coprocessor

  • Author

    Lindemann, M. ; Perez, Roxana ; Sailer, Rudolf ; van Doorn, L. ; Smith, Sean W.

  • Volume
    34
  • Issue
    10
  • fYear
    2001
  • fDate
    10/1/2001 12:00:00 AM
  • Firstpage
    57
  • Lastpage
    66
  • Abstract
    Meeting the challenge of building a user-configurable secure coprocessor provided several lessons in hardware and software development and continues to spur further research. In developing the 4758, we met our major research security goals and provided the following features: (1) a lifetime-secure tamper-responding device, rather than one that is secure only between resets that deployment-specific security officers perform; (2) a secure booting process in which each layer progressively validates the next less-trusted layer, with hardware restricting access to its secrets before passing control to that layer; (3) an actual manufacturable product - a nontrivial accomplishment considering that we designed the device so that it does not have a personality until configured in the field; (4) the first FIPS 140-1 Level 4 validation, arguably the only general-purpose computational platform validated at this level so far; and (5) a multipurpose programmable device based on a 99-MHz 486 CPU internal environment, with a real operating system, a C language development environment and relatively high-speed cryptography.
  • Keywords
    IBM computers; coprocessors; firmware; security of data; 486 CPU internal environment; 99 MHz; C language development environment; FIPS 140-1 Level 4 validation; IBM 4758 coprocessor; general-purpose computational platform; hardware development; high-speed cryptography; lifetime-secure tamper-responding device; manufacturable product; multipurpose programmable device; operating system; restricted access; secure booting process; software development; user-configurable secure coprocessor; Computer aided manufacturing; Control systems; Coprocessors; Cryptography; Hardware; High performance computing; Manufacturing processes; Operating systems; Programming; Security;
  • fLanguage
    English
  • Journal_Title
    Computer
  • Publisher
    IEEE
  • ISSN
    0018-9162
  • Type

    jour

  • DOI
    10.1109/2.955100
  • Filename
    955100