A flexible architecture for systematic implementation of SoC security policies

Modern SoC designs incorporate several security policies to protect sensitive assets from unauthorized access. The policies affect multiple design blocks, and may involve subtle interactions between hardware, firmware, and software. This makes it difficult for SoC designers to implement these policies, and system validators to ensure adherence. Associated problems include complexity in upgrading these policies, IP reuse for systems targeted for markets with differing security requirement, and consequent increase in design time and time-to-market. In this paper, we address this important problem by developing a generic, flexible architectural framework for implementing arbitrary security policies in SoC designs. Our architecture has several distinctive features: (1) it relies on a dedicated, centralized, firmware-upgradable plug-and-play IP block that can implement diverse security policies; (2) it interfaces with individual IP blocks through their “security wrapper”, which exploits and extends test/debug wrappers; (3) it implements a security policy as firmware code following existing security policy languages; (4) it can implement any security policy as long as relevant observable and controllable signals from the constituent IPs are accessible through the security wrappers; and (5) it realizes a low-overhead communication link between security wrappers of IP blocks and the centralized, dedicated controller. The approach builds on and extends the recent work on developing a centralized infrastructure IP for SoC security, referred to as IIPS, that interface with IP blocks using their boundary scan based wrappers. While this architecture is generic and independent of security policy types, we provide case studies with several common policies to show the flexibility and extendibility of the architecture. We also evaluate its viability in terms of overhead in area and power.