Hardware Security Module

Overview

Hardware security module IP core that supports crypto key storage, boot authentication, supervision, and offloading of cryptographic functions.

GRHSM is an isolated system-on-chip (SoC) that can be used as a subsystem in a larger SoC design to implement a hardware security module or otherwise provide security functions to the larger system. Use cases include crypto key storage, boot authentication, supervision, and offloading of cryptographic functions.

GRHSM depends on platform-specific capabilities to implement its features, utilizing non-volatile on-chip memory in ASSPs and unique bitstreams in FPGAs.

Key Features

  • Root of Trust
    • Provides a hardware-based Root of Trust with a unique, immutable device ID
    • Supports cryptographic verification of device identity and integrity
    • Generates Public Key Infrastructure (PKI) keypairs that it can use to sign messages, including random-number-based challenges
  • Authentication and secure communication
    • Ability to perform authentication, integrity verification, and asset encryption/decryption using symmetric or asymmetric keys (PKI). Also supports Post-Quantum Cryptography (PQC) algorithms for future-proof security
    • Supports session establishment and encrypted data exchange via standard protocols, including PQC algorithms
  • Key Management
    • Secure generation, derivation and operation of symmetric and asymmetric keys
    • Secure key storage and erasure
    • Predefined or static keys may be stored in on-chip memory or in an external flash only accessible by GRISoC
    • Generated keys are stored in an external flash memory only accessible by GRISoC
  • Secure Random Number Generation
    • Based on NIST SP 800-90A/B structure
  • Hardware accelerated cryptographic functions (NIST FIPS 180-4, 197, 198-1, 202)
    • SHA-256, SHA-3, AES 128, AES 256, HMAC, HKDF
  • Self-Protection and Isolation
    • Hardware-based isolation ensures separation from external SoC and system resources
    • Minimal external communication, based on mailbox interface, limits attack vectors
  • Operations
    • Users can customize the platform and manage secret keys using their proprietary software libraries
    • The software running on the Isolated SoC determines how to manage keys, facilitates secure key operations, boot authentication, and communication setup
  • Debug
    • The isolated SoC has a dedicated interface for debugging and customization
    • The debug interface can be permanently disabled after deployment
    • Debug and customization activities are facilitated via the GRMON debug tool

Block Diagram

Hardware Security Module Block Diagram

Technical Specifications
