ISU CPRE 681 - Reconfigurable Trusted Computing in hardware

Reconfigurable Trusted Computing in Hardware

Thomas Eisenbarth^1, Tim Güneysu^1, Christof Paar^1, Ahmad-Reza Sadeghi^1, Dries Schellekens^2, Marko Wolf^1
^1 Horst Görtz Institute for IT Security, Ruhr-University of Bochum, Germany
^2 K.U. Leuven, ESAT/COSIC, Leuven-Heverlee, Belgium

ABSTRACT

Trusted Computing (TC) is an emerging technology towards building trustworthy computing platforms. The Trusted Computing Group (TCG) has proposed several specifications to implement TC functionalities by extensions to common computing platforms, particularly the underlying hardware with a Trusted Platform Module (TPM). However, actual TPMs are nowadays mostly available for workstations and servers, rather for specific domain applications and not primarily for embedded systems. Further, the TPM specifications are becoming monolithic and more complex, while applications demand a scalable and flexible usage of TPM functionalities.

In this paper we propose a reconfigurable (hardware) architecture with TC functionalities, where we focus on TPMs as proposed by the TCG, specifically designed for embedded platforms. Our approach allows for (i) an efficient and scalable design and update of TPM functionalities, in particular for hardware-based crypto engines and accelerators, (ii) establishing a minimal trusted computing base in hardware, (iii) including the TPM as well as its functionalities into the chain of trust, which enables binding sensitive data to the underlying reconfigurable hardware, and (iv) designing a manufacturer-independent TPM. We discuss possible implementations based on current FPGAs and point out the associated challenges, in particular with respect to protection of the internal TPM state, since it must not be subject to manipulation, replay, and cloning.

Categories and Subject Descriptors: B.7.1 [Integrated Circuits]: Types and Design Styles; C.3 [Special-Purpose and Application-Based Systems]; E.3 [Data Encryption]
General Terms: Design, Measurement, Security.
Keywords: Field Programmable Gate Array (FPGA), Trusted Computing, Trusted Platform Module (TPM).

Our special thanks go to Jean-Pierre Seifert, Berk Sunar, Russell Tessier, and Pim Tuyls.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
STC'07, November 2, 2007, Alexandria, Virginia, USA.
Copyright 2007 ACM 978-1-59593-888-6/07/0011 ...$5.00.

1. INTRODUCTION

Trusted Computing (TC) is a promising technology towards building trustworthy computing platforms. A recent initiative to implement TC by extending common computing platforms with hardware and software components is due to the Trusted Computing Group (TCG), a consortium of IT enterprises [24]. The TCG specified the Trusted Platform Module (TPM), which provides a small set of cryptographic and security functions and is assumed to be the trust anchor in a computing platform. Currently, TPMs are implemented as a dedicated crypto chip mounted on the main board of computing devices, and many vendors already ship their platforms equipped with TPM chips. The functionalities provided by the TPM allow one to securely bind (sensitive) data to a specific platform, meaning that the data is only accessible when the underlying platform has the valid and desired configuration.

However, there are several issues to deal with. First, actual TPM chips are currently mainly available for workstations and servers, rather for specific domain applications, and barely at all for embedded systems.^1 Second, TPM specifications are continuously growing in size and complexity, and there is still no published analysis of the minimal TPM functionalities that are practically needed. In addition, TPM users have to completely trust the implementations of TPM manufacturers, e.g., regarding compliance with the TCG specification. This also demands that the user trust the TPM implementation not to contain malicious functionalities (like trapdoors or Trojans). Finally, the TCG adversary model considers software attacks only, but manipulations of the underlying hardware can circumvent any software security measure, however sophisticated. Currently, TPM chips are connected to the I/O system with an unprotected interface that can be eavesdropped and manipulated easily [16].

In this paper, we address most of these issues by proposing a reconfigurable architecture in hardware that allows a scalable and flexible usage of trusted computing functionalities. Our implementation proposal is based on Field Programmable Gate Arrays (FPGAs). FPGAs are reconfigurable hardware devices offering a flexible solution for integrated hardware architectures. Their size and capabilities have greatly evolved during the last years and have made them competitive with static ASIC chips. In particular, recent FPGAs provide sufficient gate complexity to create complete (Configurable) System on a Chip (CSoC) environments, since microprocessor soft cores, crypto accelerators and high-throughput I/O components can be included in a single FPGA design. These flexible FPGA applications are synthesized into bit streams and stored in an external PROM or Flash memory. On power-up of an SRAM-based FPGA^2, the bit stream is loaded into the device, since the loaded hardware configuration is lost after system shutdown.

To our knowledge, there has been no proposal for building TC capabilities (e.g., TPM functionalities) in reconfigurable hardware architectures. Our approach allows, amongst other things, binding a reconfigurable application to the underlying TPM and even binding any higher-layer software to the whole reconfigurable architecture. Based on the asymmetric means of a TCG-conformant TPM, this can be used as an effective and flexible protection of Intellectual Property (IP) to provide device-specific application software. We believe that FPGA devices can provide a promising basis for a variety of TC applications in embedded

^1 At least there exist proposals from Brizek et al. [6] and the TCG [24] for a tailored TPM to also support mobile devices, and further approaches [3] to implement TPM hardware functionality in isolated software sandboxes (which in turn would require a fully trustworthy CPU).
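As an added illustration (not code from the paper) of what "binding data to a platform configuration" and "including the TPM itself in the chain of trust" mean in practice, the Python model below extends a measurement register first with the FPGA bitstream (the reconfigurable TPM) and then with higher-layer software, and seals data so that it only unseals under that exact chain on that device; the root secret, component names and the toy keystream cipher are constructed assumptions.

```python
import hashlib
import hmac
import os

def extend(register: bytes, component: bytes) -> bytes:
    # TCG-style extend: new = SHA-256(old || SHA-256(component)); extend order matters
    return hashlib.sha256(register + hashlib.sha256(component).digest()).digest()

def measure_chain(components) -> bytes:
    # Chain of trust: measure the FPGA bitstream (the TPM itself) first, then higher-layer software
    reg = bytes(32)
    for c in components:
        reg = extend(reg, c)
    return reg

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy hash-counter keystream standing in for a real cipher, to keep the example short
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(root_secret: bytes, expected_register: bytes, data: bytes) -> bytes:
    # Key derived from the device-bound root secret and the expected configuration, so the
    # blob is useless on a cloned device or under a modified bitstream/software stack
    key = hmac.new(root_secret, b"seal|" + expected_register, hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(root_secret: bytes, current_register: bytes, blob: bytes):
    # Returns None unless the current measurement chain equals the one sealed to
    key = hmac.new(root_secret, b"seal|" + current_register, hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

# Constructed sample inputs (hypothetical values, not from the paper)
ROOT_SECRET = b"device-unique-root-secret-example"
BITSTREAM = b"fpga-tpm-bitstream-v1"
FIRMWARE = b"soft-core-firmware-v1"
GOOD = measure_chain([BITSTREAM, FIRMWARE])

def demo():
    blob = seal(ROOT_SECRET, GOOD, b"licence key 1234")
    ok = unseal(ROOT_SECRET, measure_chain([BITSTREAM, FIRMWARE]), blob)
    tampered = unseal(ROOT_SECRET, measure_chain([BITSTREAM + b"x", FIRMWARE]), blob)
    cloned = unseal(b"other-device-secret", GOOD, blob)
    return ok, tampered, cloned
```

Only the unmodified chain on the original device recovers the data; a changed bitstream or a copied blob on another device yields None, which is the property the paper relies on for IP protection.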