Design Methodology and Metrics for Robust and Highly Qualified Security Modules in Trusted Environments

Bibliographic Details
Main Authors: Luca Crocetti, Pietro Nannipieri, Stefano Di Matteo, Sergio Saponara
Format: Article
Language: English
Published: MDPI AG, 2023-11-01
Series: Electronics
Subjects: computer security; Trusted Execution Environment; Root-of-Trust; secure boot; Side-Channel Attack; Crypto-Tile
Online Access: https://www.mdpi.com/2079-9292/12/23/4843
Abstract: Cyberattacks and cybercriminal activities constitute one of the biggest threats of the modern digital era, and the frequency, efficiency, and severity of attacks have grown over the years. Designers and producers of digital systems try to counteract such issues by exploiting increasingly robust and advanced security mechanisms to provide secure execution environments aimed at preventing cyberattacks or, in the worst case, at containing intrusions by isolation. One of the most significant examples comes from General Purpose Processor (GPP) manufacturers such as Intel, AMD, and ARM, which in recent years have integrated dedicated resources to provide Trusted Execution Environments (TEEs) or secure zones. TEEs are built layer by layer on top of an implicitly trusted component, the Root-of-Trust (RoT). Since a security chain is only as strong as its weakest link, every element involved in the construction of a TEE, starting from the RoT, must be as bulletproof as possible. In this work, we revise and propose a design methodology for implementing, in both hardware (HW) and software (SW), highly featured and robust security blocks, highlighting the key points that designers should take care of and the key metrics that should be used to evaluate the security level of the developed modules. We also include an analysis of the state of the art concerning RoT-based TEEs, and we illustrate a case study documenting the implementation of a cryptographic coprocessor for the secure subsystem of the Rhea GPP from the European Processor Initiative (EPI) project, according to the presented methodology. This work can be used by HW/SW security module designers as a cutting-edge guideline.
ISSN: 2079-9292
Collection: Directory of Open Access Journals (DOAJ)
DOAJ record: doaj.art-6d1c1a5d02ae49f89c0a67441b33f283
Journal reference: Electronics, vol. 12, no. 23, article 4843, 2023-11-01
DOI: 10.3390/electronics12234843
Author affiliation (all authors): Department of Information Engineering, University of Pisa, Via G. Caruso, 16, 56122 Pisa, Italy