The first secure IoT stack for RISC-V: a secure implementation of FreeRTOS with hardware-enforced software-defined separation between OS, TCP/IP stack, and root of trust with TLS 1.3 / ECC for secure Internet of Things applications.
This reference implementation combines FreeRTOS, picoTCP, wolfSSL, and root of trust as physically isolated TEE zones
- X300 Bitstream : Rocket rv32 with thernet peripheral for ARTY A7 Board
- MultiZone Security trusted execution environment configured for 4 Zones
- Zone 1: FreeRTOS with 3 tasks (CLI user interface, PWM LED rainbow, Robotic arm control)
- Zone 2: PicoTCP terminating Ethernet port
- Zone 3: WolfSSL TLS 1.3 / ECC Root of Trust
- Zone 4: UART local console application
The MultiZone Secure IoT Stack supports a multitude of hardware targets. For a complete evaluation of the framework it is reccomended to use the open source softcore X300 developed by Hex Five Security. It is an enhanced version of the E300 SoC (Rocket rv32) maintained by SiFive - entirely free for commercial and non-commercial use. Like the E300, the X300 is designed to be programmed onto a Xilinx Artix-7 35T Arty FPGA.
Hardware prerequisites: Digilent ARTY A7 35T or 100T, Xilinx Vivado Lab, Olimex ARM-USB-TINY-H Debugger
- Download the latest X300 bitstream X300ArtyDevKitFPGAChip-1ab2531.mcs file from https://github.com/hex-five/multizone-fpga/releases
- Program the .mcs file to the Arty board using Vivado Lab
Software requirements: Install Hex Five reference RISC-V toolchain for Linux - directions specific to a fresh Ubuntu 18.04 LTS, other Linux distros generally a subset. To connect via TLS you'll need a TLS 1.3 client. If you itend to use OpenSSL, make sure you have version 1.1.1a or greater. At the time of writing, OpenSSL included in Debian 9 (stretch) and Ubuntu 18.04.2 is version 1.1.0, which does not support TLS 1.3.
sudo apt update
sudo apt upgrade -y
sudo apt install git make default-jre libftdi1-dev
sudo ln -s /usr/lib/x86_64-linux-gnu/libmpfr.so.6 /usr/lib/x86_64-linux-gnu/libmpfr.so.4
wget https://hex-five.com/wp-content/uploads/riscv-gnu-toolchain-20181226.tar.xz
tar -xvf riscv-gnu-toolchain-20181226.tar.xz
wget https://hex-five.com/wp-content/uploads/riscv-openocd-20181226.tar.xz
tar -xvf riscv-openocd-20181226.tar.xz
git clone https://github.com/hex-five/multizone-secure-iot-stack
cd multizone-secure-iot.stack
git submodule update --init --recursive
sudo apt-get install libusb-0.1-4
sudo apt-get install screen
If you have not already done so, you need to edit or create a file to place the USB devices until plugdev group so you can access them without root privileges:
sudo vi /etc/udev/rules.d/99-openocd.rules
Then place the following text in that file
# These are for the ARTY Board
SUBSYSTEM=="usb", ATTR{idVendor}=="0403",
ATTR{idProduct}=="6010", MODE="664", GROUP="plugdev"
SUBSYSTEM=="tty", ATTRS{idVendor}=="0403",
ATTRS{idProduct}=="6010", MODE="664", GROUP="plugdev"
# These are for the Olimex Head ARM-USB-TINY-H
SUBSYSTEM=="usb", ATTR{idVendor}=="15ba",
ATTR{idProduct}=="002a", MODE="664", GROUP="plugdev"
SUBSYSTEM=="tty", ATTRS{idVendor}=="15ba",
ATTRS{idProduct}=="002a", MODE="664", GROUP="plugdev"
Detach and re-attach the USB devices for these changes to take effect.
Add environment variables and a path to allow the Makefiles to find the toolchain
edit ~/.bashrc and ~/.profile and place the following text at the bottom of both files.
export RISCV=/home/<username>/riscv-gnu-toolchain-20181226
export OPENOCD=/home/<username>/riscv-openocd-20181226
export PATH="$PATH:/home/<username>/riscv-gnu-toolchain-20181226/bin"
Close and restart the terminal session for these changes to take effect.
cd multizone-secure-iot-stack/
make clean
make
This will result in a HEX file that is now ready to upload to the Arty board. There is know issue with the first upload after board power-on: if it upload takes more than a few seconds you may want to kill the openocd/gdb process and repeat the make load. Otherwise the first load may take up to two minutes.
make load
The system contains four zones:
- Zone 1: FreeRTOS with three tasks - CLI, LED PWM and Robot Control plus three interrupt handlers (BTN0-2)
- Press enter for a list of support commands
- Zone 2: TCP/IP + TLS Stack (picoTCP + wolfSSL) - accessable via ethernet port
- Ping to 192.168.0.2 (default address, set in Makefile)
- Telnet to port 23 or
- Connect via TLS: stty -icanon -echo && openssl s_client -tls1_3 -crlf -nocommands -connect 192.168.0.2:443
- Zone 3: Root of Trust and Session Key Storage
- Zone 4: MultiZone Console - access via USB UART at 115,200 buard 8N1
Press enter for a list of supported commands
TLSv1.3, Cipher TLS_AES_128_GCM_SHA256
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: ECDH, P-256, 256 bits
Server public key is 256 bit
Private Key ASN1 OID: prime256v1
Private Key NIST CURVE: P-256
X300 is an enhanced version of SiFive's Freedom E300 Platform to support MultiZone and IoT applications. The X300 is completely open source and free of charge for commercial and non-commercial use.
E300 | X300 |
---|---|
RV32ACIM | RV32ACIMU |
32.5 MHz clock | 65 MHz clock |
2 HW breakpoints | 8 HW breakpoints |
no Ethernet core | Xilinx EthernetLite Ethernet core |
1-way icache | 4-way icache |
no ITIM | ITIM at 0x0800_0000 |
16 kB DTIM | 64 kB DTIM |
no perf counters | 2 perf counters, hpmcounter3 and hpmcounter4 |
no CLICs | 3 CLICs (BTN0, BTN1 and BTN2) |
OpenOCD "make load": After power cycling the ARTY board the first upload takes a long time - see hex-five/multizone-fpga#1. An easy workarond is to manually reset the board with the RESET button or to restart the OpenOCD/GDB session on the computer.
- Secure IoT Stack manual.pdf
- MultiZone SDK manual.pdf
- Multi Zone API README.md
- Frequently Asked Questions http://hex-five.com/faq
- Contact Hex Five http://hex-five.com/contact
Please remember that export/import and/or use of strong cryptography software, providing cryptography hooks, or even just communicating technical details about cryptography software is illegal in some parts of the world. So when you import this software to your country, re-distribute it from there or even just email technical suggestions or even source patches to the authors or other people you are strongly advised to pay close attention to any laws or regulations which apply to you. Hex Five Security, Inc. and the authors of the software included in this repository are not liable for any violations you make here. So be careful, it is your responsibility.