A Protection Profile for Chiplet Systems (A13a)
The design of complex electronic systems has been evolving fast recently, with a shift to chiplet-based architectures. These consist of disaggregated systems, obtained in the assembling of a multitude of different domain-specific chips (referred to as chiplets). Let us give the example of two industries which benefit from chiplets’ paradigm. First of, datacenters, especially those which run Artificial Intelligence (AI) applications, require huge amount of computing power. This would require chips to be larger than the reticle size, hence the need to disaggregate the design into smaller silicon pieces (= chiplets). Second, automotive market is under the constraint of lower costs, while at the same time turning to softwarization. For this reason, the chips supporting sensing/perception, compute, and actuation shall be factored, such that there is more reuse across vehicle functions, and homogenization of the computing platform. Obviously, security gaps are created in a system consisting of multiple chips. As the use of chiplet systems is cross-industries, and also as such systems include multiple suppliers, there is a need for coordination. A Protection Profile (PP) is a suitable tool to set minimal expectations and to align actors on good practices. This talk accounts for the lessons learnt from the drafting of the PP for chiplet systems, and is structured in three parts: 1. PP description, incl. latest updates 2. Feedback on the drafting process 3. Use of the PP The PP is describing the security problems of chiplet systems. They can be broken down in two categories: supply-chain threats, and physical attacks between the chiplets. The first kind of threat can manifest as security issues during the operation, as one chiplet part of the system might run corrupted firmware. The second kind of threat is amplified by the fact the chiplets can be interconnected via an interposer, which in some cases is an active component. The PP has been presented while other documents related to chiplets and their security were prepared as well. For instance, IEEE sustains an Heterogeneous Integration Roadmap (HIR) within its Electronics Packaging Society (EPS). Also, Open Compute Project (OCP) is a Standard Defining Organization for datacenters, which proposes Foundational Chiplet System Architecture (FCSA), and other initiatives exist (such as OCA, RARS by IMEC, etc.). Interestingly, those documents are meant to allow collaboration and compatibility between the ecosystem, but do so informally. Therefore, the formal structure of the PP is acclaimed. During the process of PP preparation, most of the feedback from the stakeholders consisted in getting justification for the security requirements (SFR, SAR). Through the interactions, the consensus arose from the definition of \”chiplet systems missions\”. Those are: provisioning, ownership transfer, debug, secure boot, and remote attestation. From these missions, assets can be inventoried, threat agents can be identified, and eventually requirements can be derived. Therefore, the presenters stress that a PP is also used as a tool to define a get a holistic formulation of a rationale for the secure problem.