Presentation

Securing Chiplet Integration: A System-in-Package Security Architecture.
Description: Chiplets enable a new design methodology where monolithic System-on-Chips (SoCs) are disaggregated into several chip(let)s integrated together within a System-in-Package (SiP).

The ultimate achievement in this respect is the ability to mix and match heterogeneous chiplets (in different technologies but, most importantly, from different vendors). For this vision to materialize, the different chiplets must be able to authenticate one another securely and subsequently ensure trustworthy services. This results in three security functions: chiplet hardware bill of materials (HBOM) mutual verification; chiplet software bill of materials (SBOM) aggregation, verification and reporting (together referred to as "remote attestation"); and key management / payload isolation by cryptography (together referred to as "data protection").

These three functions can leverage known protocols, typically implemented in software. To run properly, however, they require that dedicated key pairs first be created and allocated to security services in each chiplet. This occurs at the hardware level, ideally within a root of trust (which can leverage injected keys or intrinsic keys, diversified from a PUF).

This presentation will cover the different enrollment steps (a hierarchy of certificates, chained in a PKI) throughout the lifecycle. We will also detail the challenge of key renewal after compromise or expiration of their crypto-period, transitioning to post-quantum cryptography, etc.

Altogether, this approach makes it possible to formalize the security problem and inventory the underlying assets. It stems from a preliminary protection profile (PP) that will be disclosed and made available for comments. Version 1.0 of the PP is due in June 2025.