Linux for the 4758

The focus of the 4758/Linux project is to explore operating system support for secure embedded devices. Our specific target is the IBM 4758 secure coprocessor, a FIPS-140 level 4 tamper responsive device with hardware cryptographic support and physical tamper protection.

The project consists of two parts: The first part is to make Linux suitable as a standalone OS for small embedded devices. This consists of making Linux crash/powerdown safe, adding flash file system support, reducing the memory foot print by reducing data structure sizes and removing unnecessary abstractions such as buffer caches, and by providing an efficient development environment.

The second part of the project is to deal with the security aspects of the device. This consists of handling the tamper responsive features (such as inverting memory periodically to prevent memory imprints caused by electron migration), encrypting all file system content (so that in the event of a physical penetration the content of the flash memory is encrypted), and the handling of trust. The latter breaks down into many issues such as secure bootstrap, recovery to a trusted state in the event of a security break down, and importing foreign code into the secure environment.

By using Linux as the base operating system we are able to provide a well-known API and programming model (thus making it easier to develop applications that run within the secure environment), and leverage and contribute to the open source embedded systems community.

Recent Results

We have ported Linux to the IBM 4758 secure coprocessor, the first general purpose OS running within a secure coprocessor. We are working hard towards an open-source release of part of the code. This release will include:

• Patches for the Linux-2.2.17 kernel to add support for the 4758.
• Patches for JFFS (flash file system) to add support for the 4758.
• Patches to enabled compressed executable support. This reduces the amount of storage space required inside the 4758.
• A new protocol stack for efficient host/card communication over the PCI bus. This stack implements a socket based communication protocol similar to TCP/IP but very lightweight and datagrams are delivered reliably.
• Many device drivers to support the 4758 specific devices. These include cryptographic accelerators, battery backed up memory driver, and communication drivers.
• A host file system client which allows Linux running on the 4758 to access the file systems on the host. This is intended for development. It reduces the development time by eliminating the need for copying the application into the 4758. The client communicates with a server process on the host which is also included in the distribution.
• A bootstrap loader to start Linux. For development, the bootstrap loader is also capable of using the host file systems and eliminating installing the kernel on the card.
• Driver for the host to communicate with the 4758's and its secure uploading mechanism. Bundled with driver is the new protocol stack (same as above) to communicate with the applications on the card.
• Tools to sign kernel executables and file system images for secure download onto the 4758.

The host device driver was jointly developed with Cryptographic Appliances and their continuing feedback and assistance has been invaluable.

The following components exist in the lab but will be released at a later date:

• A file system for battery backed memory (BBRAM). This allows BBRAM to be shared among multiple applications. BBRAM is the part of memory that is zapped upon a tamper detection.
• Signed executable support. This extends the secure bootstrap mechanism to applications such that only approved applications can be executed inside the 4758.
• Outgoing Authentication, a mechanism by which a remote party can securely tell what is running.

The 4758/Linux Group

The group currently consists of Joan Dyer, Ronald Perez, Reiner Sailer, and Leendert van Doorn . We are working closely with the groups that are developing future secure coprocessors.

Contact

For more information contact Leendert van Doorn.