At the core of ORWL's physical security are two secure microcontroller units (MCUs), one on the mainboard (Maxim’s MAX32550) and one in the key fob (STMicroelectronics’ ST54D). This update goes into detail about the secure MCUs.
The secure MCUs are the foundation of all ORWL’s physical security measures:
Clearly, if either of the secure MCUs is compromised, the entire system is compromised. As such, it’s worth digging deeper into what exactly makes them secure and trustworthy in the first place.
Secure MCUs have been around for a while, but their use has so far been limited to primarily industries dealing with confidential or sensitive data, such as finance, military, and medical. As far as we know, ORWL is the first personal computer to incorporate a secure MCU.
A typical secure MCU will have the same basic functionality as a regular MCU, but with some extra features specifically geared toward protecting data from unauthorized access and corruption.
A common feature of secure MCUs is a conductive mesh, called a die shield, built into the actual packaging of the integrated circuit, completely surrounding it. Die shields can detect physical intrusion and thereby trigger the secure MCU to destroy sensitive data before an adversary gains access. They also serve as electromagnetic shielding to prevent certain kinds of side-channel attacks.
The mainboard secure MCU is an ARM Cortex M3 with the following security features, to name a few:
The key fob secure MCU is an ARM Secure Core that implements the secure element aspect of near-field communication (NFC) and also has a die shield.
The datasheets linked to above for the Maxim and ST secure MCUs used in ORWL and its key fob are not full datasheets. Unfortunately, the only way to access the full datasheets for either of these parts, and indeed every other secure MCU we know of, is to enter into a non-disclosure agreement (NDA) with the manufacturer. Clearly, this is less than ideal - we all know security through obscurity does not work. Why, then, should we trust they are secure at all? There are two basic answers to this question: third-party verification and widespread adoption.
Having datasheets available under NDA is better than not having datasheets at all. We have entered into these NDAs and, in theory, anyone else who really wants to verify everything for themselves could enter into them as well. Of course, this is onerous, which is one reason we’ve engaged Penumbra, a third-party security company, to independently verify the security of ORWL. This work is ongoing and we will make the results public.
Secure MCUs and the security standards they implement (e.g., ISO/IEC 7816-3) are used in millions of devices to safeguard sensitive information. For example, every payment card industry (PCI) point of sale system uses such secure MCUs. The total value of financial transactions alone going through secure MCUs every year is likely in the trillions of dollars. On one hand, there is a lot of incentive to find vulnerabilities in secure MCUs. On the other hand, there is a corresponding incentive to be sure there are no vulnerabilities. In other words, if ORWL is compromised because of a flaw or backdoor in its secure MCUs, then so too is a vast financial network. While far from a guarantee of security, the empirical evidence suggests at least a minimal level. Of course, just because all your friends are doing something stupid, doesn’t mean you should do it too. That said, there is a certain reassurance to be had in a common destiny.
If security through obscurity doesn’t work, why are NDAs required by the manufacturers of secure MCUs? To be honest, we’re not entirely sure, but we think it’s because of some combination of protecting intellectual property and catering to legacy ideas of security within the military and finance industries. For example, our contact at Maxim cited PCI compliance as one reason for the NDA. Secure MCUs fall under PCI PIN Transaction Security (PTS), which is used to certify retail payment terminals, in contrast to PCI Data Security Standard (DSS), which is often derided as having little security value. Though we can’t find the exact section of the labyrinthine PCI standard requiring an NDA, it is a standard expectation within the industry.
While the secure MCUs we ship as part of ORWL will be fully functional out of the box, some people are interested in verifying and reprogramming them on their own. For example, you may want to sign all firmware with your own key instead of the unique key we generate for each ORWL. Whatever the reason, we will try to make this as easy as possible.
As a first step to giving users control over the firmware on their machines, we will soon announce a special "dev kit" pledge level that contains tools to build and verify all firmware from start to finish. You will still need to enter into NDAs with the manufacturers of the secure MCUs, but the dev kit should greatly streamline the process of putting together the right toolchain. Stay tuned.
By far the most opaque part of the mainboard secure MCU is its boot ROM firmware. This is burned into the chip by Maxim, the manufacturer. However, Maxim has agreed to make a custom version of the secure MCU with no firmware on it. The cost of this customization is $20,000, which we are willing to pay. The bigger problem is finding someone willing and able to write open replacement firmware. If we go this route, we would need considerable help from the community. Of course, once complete, the custom secure MCUs would be available for anyone to use. Please contact us with any pointers or suggestions!