The First TEE For RISC-V

MultiZone Security for RISC-V

The first Trusted Execution Environment (TEE) for RISC-V processors

For RISC-V applications that require strong hardware security, MultiZone® Security provides hardware-enforced software-defined separation for multiple equally secure domains, with full control over data, programs and peripherals. Contrary to traditional solutions, MultiZone® Security requires no additional IP blocks or changes to existing firmware. Open source libraries, third party binaries and legacy code can be configured in minutes to achieve unprecedented levels of safety and security. MultiZone® Security is based on free and open standards, open sourced on GitHub, and licensed free of charge for evaluation and royalty free for commercial use.

MultiZone Security is the first Trusted Execution Environment for RISC-V – it enables development of a light weight, policy-based security environment for RISC-V that scales from tiny single-core IoT devices to multi-core SMP Linux applications.

MultiZone® Security consists of the following components:

  • MultiZone® nanoKernel – lightweight, formally verifiable, bare metal kernel providing policy-driven hardware-enforced separation of ram, rom, i/o and interrupts.
  • MultiZone® Messenger – communications infrastructure to exchange secure messages across zones on a no- shared memory basis.
  • MultiZone® Configurator – combines fully linked zone executables with policies and kernel to generate the secure boot firmware image.
  • MultiZone® Secure Boot – 2-stage secure boot loader to verify integrity and authenticity of the firmware image (sha-256 / sha-512 / ECC)

How does MultiZone Security work?

MultiZone Security integrates seamlessly into your existing IDE such as Eclipse or command line based toolset.

  • Application blocks are written, compiled and linked separately for each zone producing a set of elf or hex file.
  • MultiZone Policies are set to achieve the desired ram, rom, i/o and interrupt isolation for each zone – RWX, with granularity down to 4 bytes.
  • Finally the MultiZone Configurator is invoked to combine zone elf/hex files with the MultiZone runtime into a signed firmware image.
  • The full system can be written, compiled and debugged with your existing GNU or Eclipse toolset.

Features
  • Preemptive real time scheduler: round robin / cooperative, configurable time tick, cpu overhead < 1%
  • Formally verifiable, completely written in assembly, self-contained – no 3rd party library dependencies
  • Unlimited number of isolated Trusted Execution Environments (zones)  – hardware-enforced, policy-defined
  • Up to 32 memory-mapped resources per zone – i.e. flash, ram, i/o, uart, gpio, timers, etc.
  • Any combination of top-of-range and naturally aligned configuration – minimum granularity 4 bytes
  • Any combination of read, write, execute policy – resource overlapping allowed although not recommended
  • Built-in support for fencing configurable on a per-zone basis – i.e. cache / pipeline / instruction / load /store
  • Full support for PLIC and CLIC Interrupts – fully configurable zone / interrupt mapping
  • Full support for secure user-mode interrupt handlers – even without ‘N’ extensions
  • Full support for low-latency vectored interrupts, preemptable interrupts, and Wait For Interrupt – suspend mode
  • Built in trap & emulate for most protected instructions – i.e. CSR read only
  • Secure inter-zone communications infrastructure based on messaging – no shared memory / buffers
  • C library wrapper for protected mode execution – via ECALL exception handling mechanism
  • Signed boot suitable for 2-stage boot room and/or public key / root of trust / PUF  – SHA-256 / ECC
  • Command line configurator utility compatible with any operating system capable of running Java 1.8

Development Environments
  • Eclipse IDE including MCU and GNU Toolchain plugins and OpenOCD / JTAG / GDB live debugging
  • AndeSight™ IDE with ICE or OpenOCD
  • SiFive FreedomStudio IDE including MCU and GNU Toolchain plugins and OpenOCD / JTAG / GDB live debugging
  • Linux and Windows command line tools (make, gcc, gdb, etc.) – native Linux, Java 1.8 required for Windows
  • Built-in Board Support Packages for X300 (Rocket), Andes N(X)25, SiFive E31 and S51

System Requirements
  • 32 bit or 64 bit RISC-V ISA with ‘S’ or ‘U’ extensions
  • Physical Memory Protection compliant with Ver. 1.10
  • 4KB FLASH and 1KB RAM

Resources

MultiZone technology is protected by patents US 11,151,262 and PCT/US2019/038774

Back To Top