TPM2.0-Supported Runtime Customizable TEE on FPGA-SoC with User-Controllable vTPM
Jingkai Mao, Xiaolin Chang

TL;DR
This paper presents a novel FPGA-SoC TEE supporting TPM 2.0 with a user-controllable vTPM, enabling dynamic measurement and secure deployment of IP cores, enhancing security and flexibility in cloud environments.
Contribution
It introduces an FPGA-vTPM architecture supporting TPM 2.0 for FPGA-SoC TEE, enabling dynamic IP management and extending TPM commands for secure operations.
Findings
Prototype implementation on Xilinx Zynq UltraScale+ MPSoC.
Security analysis confirms enhanced protection features.
Performance evaluation demonstrates practicality and efficiency.
Abstract
Constructing a Trusted Execution Environment (TEE) on Field Programmable Gate Array System on Chip (FPGA-SoC) in Cloud can effectively protect users' private Intellectual Property (IP) cores. In order to facilitate the widespread deployment of FPGA-SoC TEE, this paper proposes an approach for constructing a TPM 2.0-compatible runtime customizable TEE on FPGA-SoC. This approach leverages a user-controllable virtual Trusted Platform Module (vTPM) that integrates sensitive operations specific to FPGA-SoC TEE. It provides TPM 2.0 support for a customizable FPGA-SoC TEE to dynamically measure, deploy, and invoke IP during runtime. Our main contributions include: (i) Propose an FPGA-vTPM architecture that enables the TPM 2.0 specification support for FPGA-SoC TEE; (ii) Explore the utilization of FPGA-vTPM to dynamically measure, deploy, and invoke users' IPs on FPGA-SoC TEE; (iii) Extend…
Taxonomy
Topics: Physical Unclonable Functions (PUFs) and Hardware Security · Security and Verification in Computing · Cryptographic Implementations and Security
