Using IP cores and a pre-integrated IP platform, engineers at SoC Solutions
built a custom microcontroller platform in less than two weeks.
Today’s seemingly limitless access to
information has also brought forth a need
to secure personal and corporate information
from unauthorized access and to protect
privacy. This need for secure data not
only applies to securing wired and wireless
communications, but is also important
in applications where access control,
data integrity, confidentiality, and
authentication are required. For this reason,
cryptography will find its way into a
host of common devices, including bank
ATMs, kiosks, information portals, video
surveillance equipment, building access
controls, and the like.
The problem of securing data is a complex
one, and applications requiring cryptographic
processing are varied. Many
devices need 3DES (Triple Data
Encryption Standard) hardware acceleration,
because software implementations are
simply too slow. In addition, most designs
require a combination of features not readily
available in off-the-shelf components.
To implement a custom interface or protocol
that meets the product’s specific functional
requirement, you must either develop
with FPGAs or spin an ASIC. In both cases,
the most common approach is to first code
the design in a hardware description language
such as Verilog or VHDL, and then
synthesize the design to the targeted silicon,
such as a Xilinx Virtex™ FPGA.
In this article, we will describe how we
built a secure microcontroller platform
using our PiP-EC02 Embedded Controller
IP platform with the addition of
our 3DES core.
A Better Approach
At SoC Solutions, we believe the best
approach to implementing these secure
designs is to start with an IP platform, or
IP reference design, which we define as a
pre-developed, pre-integrated Verilog or
VHDL design. Also known as soft
designs or soft cores, these can be targeted
to FPGA devices.
3DES Secure Data Encryption/Decryption Application
Many applications, such as online private
information transfers, require that data
files or streamed information be secured
by encrypting the payload data. 3DES is
considered to be very secure because it can
use three separate keys to encrypt data.
Our secure microcontroller implements
a smart device that stores 3DES-encrypted
data in memory; it then
decrypts the data before storing it back to
memory. This is useful where data is provided
as medium to large data files (or
streams) and where the microprocessor
has limited bandwidth to do the math-intensive
encryption (or decryption)
while simultaneously processing other
tasks or applications.
The 3DES core uses a three-key concatenated
DES algorithm to provide 192
bits of security. Keys can be stored in memory
or input through a software application,
which is run on the secure microcontroller’s
microprocessor core. The microprocessor
controls data movement to and from memory.
It also sets up the 3DES engine. Extra
microprocessor bandwidth is available for
additional application software. We used a
32-bit microprocessor, although a Xilinx
MicroBlaze™ core could also be used in
our secure microprocessor design. Figure 1
is a flow diagram of an encryption/decryption
microcontroller device.
Reference Design
The two main hardware components of
the reference design are the microprocessor
core chip and a platform FPGA, such
as a Xilinx Spartan™ or Virtex device. All
of the functions (excluding the microprocessor)
are implemented in the FPGA
using SoC Solutions’ IP platforms and
soft cores.
The secure microcontroller reference
design provides the basis, or starting
point, for the custom design. This implementation
uses the microprocessor to
load memory, control the start of encryption/decryption, and then verify the
stored result. In a typical application, a
communications port such as Ethernet,
PCI, USB, or a simple COM port would
be used as a data I/O port.
The design includes a direct memory
access engine to read and write data
from/to the 3DES core to internal FPGA
SRAM or external memory. Also included
are an internal SRAM controller, an
interrupt controller, timers, UARTs, and
an external bus interface.
The process of encrypting or decrypting
a file is simple. The microprocessor
fills memory from data acquired either
under software control or through a
COM port. The microprocessor then sets
up the DMA engine with a source
address, destination address, and a block
length. The processor writes a start bit to
the DMA engine and then “lets ’er rip.”
The DMA engine reads a sub-block from
the source address, sends it to the 3DES
core for processing, and then writes the
processed sub-block results to the destination
address.
Timers can be used to poll the DMA
engine's dma_done flag to know when the
operation is complete. The interrupt controller
can also be used to signal the end
of the 3DES operation.
Co-Development is the Key
We developed our secure microcontroller
in less than two weeks. Figure 2 shows the
development method we used.
Week 1
To get the design started quickly, we used
the SoC Solutions PiP-EC02 pre-integrated
embedded controller platform. The PiP-EC02
contained the needed microprocessor
controller subsystem, which included an
advanced high-performance bus (AHB) and
ARM™ peripheral bus (APB) on-chip,
interrupt controller, two timers, internal
SRAM controller, 16550 UART, AHB
arbiter, and external memory controller
(EBI). The IP block implementation is
shown in Figure 3.
Next, we designed an interface for the
3DES core to the AHB. We selected the
AHB to enable fast DMA for 3DES processing.
The 3DES interface and wrapper
consisted of a combination of a custom
DMA controller, input FIFO (16x32), output
FIFO (16x32), and the 3DES core.
The PiP-EC02 provided the AHB arbiter
template. Using the arbiter template to
make the DMA connection to the system
bus was a very simple design process.
The complete design was then simulated
using a Mentor Graphics ModelSim XE
(Xilinx Edition) simulator supplied by
Xilinx. The PiP-EC02 provided the AHB
bus functional model (BFM), as well as all the
test fixtures we needed to test the microprocessor
subsystem. We wrote a simple test
bench to load memory, start the DMA
engine, and then check the encrypted (or
decrypted) results that were stored back
into memory.
Week 2
Now we were ready to try our design in
real hardware. To debug our secure microcontroller,
we chose the SoC RDS02
Rapid Development System – illustrated
in Figure 4 – which allowed us to use
Microsoft Visual Studio™ tools to quickly
make software changes and debug the
hardware on the fly. We used the Xilinx
ChipScope™ integrated logic analyzer
(ILA) to debug the actual design on the
Virtex-E development board, shown in
Figure 5. All of these tools were run on the
same computer. Stepping through code
and triggering the ILA was very easy.
Using the RDS02 proved to be an
ideal way to debug, because we tried
many, many software iterations. Each
iteration took only seconds to recompile
and re-run. By comparison, the same
software iteration would have been far
more time-consuming if we had used typical
microprocessor development tools. It
would have taken up to five minutes to
reload the system flash memory using the
JTAG port.
Once we were satisfied our secure
microcontroller hardware was solid and the
software was debugged, it was time to port
the design to a microprocessor. In our
example, we ported the design to an
ARM7™ board called the “Brain Board,”
shown in Figure 6.
Here again, we took advantage of the
PiP-EC02. The PiP-EC02 package provided
the boot code and software drivers
we needed for the UART, memory controllers,
timers, and interrupt controller.
As for software, all we had to do was add
C/C++ code developed on the RDS02 –
and modify the RDS02 API function
calls to call ARM7 load and store functions.
To do this, we used software-defined
macros to retarget the API
function calls – nothing much to it.
The hardware port was also just a matter
of a simple edit to the AHB microprocessor
interface and a Verilog,
Synplicity, and Xilinx recompile.
We then retested the secure microcontroller
design on the Brain Board running
ARM code, and we were done – a prototype
in less than two weeks.
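The DMA sequence from the Reference Design section (source address, destination address, block length, start bit, poll dma_done) combined with the macro retargeting of register access described above, as an added example that is not SoC Solutions' code. The register layout, base address, status-clear behaviour and the names REG_WR, REG_RD and des_dma_run are assumptions, and the host model applies a stand-in byte complement where the real wrapper would run 3DES.

```c
#include <stdint.h>
/* Hypothetical register map for the DMA/3DES wrapper (assumed, not from the article). */
enum { DMA_SRC, DMA_DST, DMA_LEN, DMA_CTRL, DMA_STAT, DMA_NREGS };
#define CTRL_START 1u
#define STAT_DONE  1u  /* the dma_done flag */
#define DES_BLOCK  8u  /* DES works on 64-bit blocks */

#ifdef TARGET_ARM7
/* Target build: plain loads and stores to a memory-mapped base (address assumed). */
#define DMA_BASE ((volatile uint32_t *)0x80000000u)
#define REG_WR(r, v) (DMA_BASE[(r)] = (v))
#define REG_RD(r)    (DMA_BASE[(r)])
#else
/* Host build: the same macros retargeted to a software model of the engine. */
static uint32_t regs[DMA_NREGS];
static uint8_t mem[256];  /* models the SRAM the DMA engine can reach */
static void model_write(int r, uint32_t v) {
    regs[r] = v;
    if (r != DMA_CTRL || !(v & CTRL_START)) return;
    uint32_t s = regs[DMA_SRC], d = regs[DMA_DST], n = regs[DMA_LEN];
    if (n > sizeof mem || s > sizeof mem - n || d > sizeof mem - n)
        return;  /* out-of-range transfer: the model never raises dma_done */
    /* Stand-in transform, NOT 3DES: complement each byte, one sub-block at a time. */
    for (uint32_t off = 0; off < n; off += DES_BLOCK)
        for (uint32_t i = 0; i < DES_BLOCK; i++)
            mem[d + off + i] = (uint8_t)~mem[s + off + i];
    regs[DMA_STAT] |= STAT_DONE;
}
#define REG_WR(r, v) model_write((r), (v))
#define REG_RD(r)    (regs[(r)])
#endif

/* Returns 0 on success, -1 on a bad length, -2 if dma_done is never seen. */
int des_dma_run(uint32_t src, uint32_t dst, uint32_t len, uint32_t max_polls) {
    if (len == 0 || len % DES_BLOCK != 0)
        return -1;  /* caller must pad to whole 8-byte blocks */
    REG_WR(DMA_STAT, 0);  /* assumed: writing 0 clears a stale done flag */
    REG_WR(DMA_SRC, src);
    REG_WR(DMA_DST, dst);
    REG_WR(DMA_LEN, len);
    REG_WR(DMA_CTRL, CTRL_START);
    while (max_polls--)  /* bounded poll: a stalled engine cannot hang the firmware */
        if (REG_RD(DMA_STAT) & STAT_DONE)
            return 0;
    return -2;
}
#ifndef TARGET_ARM7
int main(void) { mem[0] = 0x5A; return des_dma_run(0, 64, 16, 1000); }
#endif
```

Building with `-DTARGET_ARM7` swaps the model for direct register access without touching `des_dma_run`.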
Secure Microcontroller Features
- PiP-EC02 embedded controller platform
- AHB, SRAM controller, interrupt controller,
UART, timers, AHB – APB
bridge, external bus interface, general
purpose I/O
- 3DES cryptographic processor core
- DES – DMA controller
Conclusion
3DES security is just the kind of value-add
our customers are turning to as a way of
differentiating their products from the
competition. By using a co-development
approach instead of coding the design first
and then synthesizing it, we were able to
design in security in less than two weeks.
For more information on SoC
Solutions, visit www.xilinx.com/products/logicore/alliance/soc/soc.htm or contact
sales@socsolutions.com.
Printable PDF version of this article. (04/02/03) 310 KB