MPC190VMB

Freescale Semiconductor, Inc. Advance Information MPC190TS/D Rev. 0.2, 2/2003 Freescale Semiconductor, Inc... MPC190 Security Processor Technical Summary This document provides an overview of the MPC190 security processor, including a brief development history, target applications, key features, typical system architecture, device architectural overview, and a performance summary. 1 Development History The MPC190 belongs to the Smart Networks platform’s S1 family of security processors developed for the commercial networking market. This product family is derived from security technologies Motorola has developed over the last 30 years, primarily for government applications. The fourth-generation execution units (EU) have been proven in Motorola semi-custom ICs and in the MPC180, the first product in Motorola’s security processor line. 2 Typical Applications The MPC190 is suited for applications such as the following: • • • • • • Edge routers DSLAMS Broadband access equipment eCommerce severs Wireless base stations WAP Gateways 3 Features The MPC190 is a flexible and powerful addition to any networking or computing system supporting PCI. The MPC190 is designed to off-load computationally intensive security functions—such as key generation and exchange, authentication, and bulk encryption—from PowerQuicc II™ communications processors with integrated PCI (the MPC8265A and the MPC8266A) or from any processor through the use of a PCI bridge chip. The MPC190 is optimized to process all the algorithms associated with IPSec, IKE, WTLS/WAP and SSL/TLS. In addition, the MPC190 is the only security processor on the market (other than the MPC180) capable of executing the elliptic curve cryptography that is especially important for secure wireless communications. For More Information On This Product, Go to: www.freescale.com Freescale Semiconductor, Inc. MPC190 features include the following: • Freescale Semiconductor, Inc... • • • • • • • • • • 6 Public key execution units (PKEUs) that support the following: — RSA and Diffie-Hellman – Programmable field size 80- to 2048-bits – RSA-1024-64 key exchange in 2.0ms – 520 IKE handshakes/second — Elliptic curve operations in either F(2) m or F(p) – Programmable field size from 55- to 511-bits – ECC key exchange (155 bit key) in 5.7ms – 1000 IKE handshakes/second 3 Data encryption standard execution units (DEUs) — DES — 3DES — Two key (K1, K2, K1) or Three Key (K1, K2, K3) — ECB and CBC modes for both DES and 3DES 3 Message digest execution units (MDEUs) — SHA-1 with 160-bit message digest — MD4 or MD5 with 128-bit message digest — HMAC with either algorithm ARC four execution unit (AFEU) — Implements a stream cipher compatible with the RC4 algorithm — 40- to 128-bit programmable key Random number generator (RNG) PCI 2.2 compliant external bus interface, with master/slave logic. — 32-bit address/64 -bit data, 66MHz — 32-bit address/32 –bit data mode 9 Crypto-channels, each supporting multi-command descriptor chains — Static and/or dynamic assignment of crypto-execution units via an integrated controller — Buffer size of 2KBytes for each crypto-channel 1.8v supply, 3.3v I/O 252 MAP BGA, 2.0W power dissipation HiPerMOS4 0.25µm process 4 Typical System Architecture The MPC190 is designed to integrate easily into systems using PCI, including systems built with processors with integrated PCI bridges, such as the Motorola MPC8265A, as shown in Figure 4-1. The external processor accesses the MPC190 through its device drivers using system memory for data storage. The MPC190 resides in the PCI address map of the processor; therefore, when an application requires cryptographic functions, it creates descriptors for the MPC190, defining the cryptographic function to be performed and the location of the data. The MPC190’s PCI-mastering capability permits the host processor to set up a crypto-channel with a few short register writes, leaving the MPC190 to perform reads and writes 2 MPC190 Security Processor Technical Summary For More Information On This Product, Go to: www.freescale.com MOTOROLA Freescale Semiconductor, Inc. on system memory to complete the required task. Alternatively, all the execution units’ registers are available for direct read and write through the PCI interface. MPC190 EEPROM 60x Bus MPC8265 PCI Bus Freescale Semiconductor, Inc... Main Memory SRAM I/O or Network Interface Figure 4-1. MPC190 Connected to PowerQuicc II PCI Bus Figure 4-2 shows a configuration with the MPC190 communicating with the host processor via a PCI bridge, such as the MPC107. Main Memory MPC7xx, MPC74xx 60x Bus MPC107 PCI Bridge MPC190 PCI Local Bus Network Interface Card Figure 4-2. MPC190 Connected to PowerPC Host CPU Via Bridge 5 Architectural Overview A block diagram of the MPC190 internal architecture is shown in Figure 5-3. The PCI bus interface (PCI I/F) module is designed to transfer 32-bit or 64-bit words between the PCI v2.2-compliant bus and any register inside the MPC190. The MPC190 controller decodes descriptor headers (See 6.6, “Crypto-Channels.”) and writes them to the appropriate crypto-channel input buffer. The crypto-channel then processes the data pointers within the data packet descriptor and, via the PCI/IF module, initiates PCI bus mastering to transfer additional data and instructions from memory, as specified by the services MOTOROLA MPC190 Security Processor Technical Summary For More Information On This Product, Go to: www.freescale.com 3 Freescale Semiconductor, Inc. Data Packet Descriptors requested in the descriptor header. As data is processed, it is written to the individual execution units’ output buffers and then, via the PCI/IF module, the processed data is written back to system memory. cryptochannel cryptochannel cryptochannel FIFO FIFO FIFO cryptochannel Master/slave interface cryptochannel Control Freescale Semiconductor, Inc... cryptochannel PKHA x6 FIFO FIFO FIFO AuthenAuthentication Authentication tication X3 FIFO FIFO FIFO DES DES DES X3 FIFO FIFO FIFO FIFO ARC-4 RNG FIFO FIFO cryptochannel cryptochannel cryptochannel Figure 5-3. MPC190 Block Diagram 6 Data Packet Descriptors As an IPSec accelerator, the MPC190’s controller has been designed for easy use and integration with existing systems and software. All cryptographic functions are accessible through data packet descriptors, some of which have been defined as multifunction to facilitate IPSec applications. A data packet descriptor is diagrammed in Table 6-1. Table 6-1. Example Data Packet Descriptor Field Name Value/Type Description DPD_DES_CTX_CRYPT tbd Representative header for “DES using Context to Encrypt” LEN_CTXIN PTR_CTXIN length pointer Number of bytes to be written Pointer to context (IV) to be written into DES engine LEN_KEY PTR_KEY length pointer Number of bytes in key Pointer to block cipher key LEN_DATAIN PTR_DATAIN length pointer Number of bytes of data to be ciphered Pointer to data to perform cipher upon LEN_DATAOUT PTR_DATAOUT length pointer Number of bytes of data after ciphering Pointer to location where cipher output is to be written LEN_CTXOUT PTR_CTXOUT length pointer Length of output context (IV) Pointer to location where altered context is to be written nul length nul pointer length pointer Zeroes for fixed length descriptor filter Zeroes for fixed length descriptor filter nul length nul pointer length pointer Zeroes for fixed length descriptor filter Zeroes for fixed length descriptor filter LEN_NEXT PTR_NEXT length pointer Length of next data packet descriptor (bytes) Pointer to next data packet descriptor 4 MPC190 Security Processor Technical Summary For More Information On This Product, Go to: www.freescale.com MOTOROLA Freescale Semiconductor, Inc. PCI Interface Each data packet descriptor contains the following: • • Header—The header describes the required services and encodes information that indicates which EUs to use and which modes to set. Seven data length/data pointer pairs—The data length indicates the number of contiguous bytes of data to be transferred (not to exceed 2048). The data pointer indicates the starting address of the data, key, or context in system memory. A data packet descriptor ends with a pointer to the next data packet descriptor. Therefore, once a descriptor is processed and if the value of this pointer is non-zero, it is used to request a PCI burst read of the next descriptor. Freescale Semiconductor, Inc... Processing of the next descriptor (and whether or not an interrupt is generated) is determined by the programming of crypto-channel’s configuration register. Two modes of operation are supported: • • Interrupt at end of descriptor Interrupt at end of descriptor chain The crypto-channel requests a write-back of the descriptor header after processing a data packet descriptor. The value written back is identical to that of the header, with the exception that a DONE field is set. Occasionally, a descriptor field may not be applicable to the requested service. For example, if using DES in ECB mode, the contents of the IV field do not affect the result of the DES computation. Therefore, when processing data packet descriptors, the crypto-channel skips any pointer that has an associated length of zero. 6.1 PCI Interface The PCI interface manages communication between the MPC190’s internal execution units and the PCI bus. The interface is memory mapped; therefore, PCI target accesses and PCI initiator writes from the MPC190 must be addressed on 32-bit double-word (DWORD) boundaries. The MPC190 performs PCI initiator reads on byte boundaries and assigns the data to DWORD boundaries as appropriate. The PCI v2.2-compliant PCI interface supports 32-bit address and data transfers and up to 66 MHz / 64-bit data transfers. External support circuitry is required for voltage level conversion when connected to a 33 MHz / 32 bit 5V bus. The user should only be concerned with the external timing between the PCI interface and the external bus; internal timing is maintained by the PCI Interface. 6.2 MPC190 Controller The MPC190 controller manages on-chip resources, including individual execution units (EUs), FIFOs, the PCI Interface, and the internal buses that connect all the various modules. The controller receives service requests from the PCI interface and various crypto-channels, and schedules the required activities. The controller can configure each of the on-chip resources in three modes: • • • Host-controlled mode—The host is directly responsible for all data movement into and out of the resource. Static mode—The user can reserve a specific execution unit to a specific crypto-channel. Dynamic mode—A crypto channel can request a particular service from any available execution unit. MOTOROLA MPC190 Security Processor Technical Summary For More Information On This Product, Go to: www.freescale.com 5 Freescale Semiconductor, Inc. Crypto-Channels 6.3 Host-Managed Register Access All EUs can be used entirely through register read/write access. It is strongly recommended that read/write access only be performed on a EU that is statically assigned to an idle crypto-channel. Such an assignment is the only method for the host to inform the controller that a particular EU is in use. Freescale Semiconductor, Inc... 6.4 Static EU Access The Controller can be configured to reserve one or more EUs to a particular crypto-channel. Doing so permits locking the EU to a particular context. When in this mode, the crypto-channel can be used by multiple descriptors representing the same context without unloading and reloading the context at the end of each descriptor. This mode presents considerable performance improvement over dynamic access, but only when the MPC190 is supporting few (or one) contexts. Static EU access can also be used to reserve one particular public key execution unit (PKEU) for one type of computation. For example, one PKEU could be reserved for all private key RSA operations using prime P, and the other could be reserved for all computations using prime Q. Again, this presents a performance improvement because all fixed parameters can remain within the reserved PKEUs. This reduces the overhead of loading and unloading contexts and therefore improves performance. However, this is only a performance improvement if the lack of dynamically available PKEUs does not become a bottleneck in key agreement protocols. 6.5 Dynamic EU Access Processing begins when a data packet descriptor pointer is written to the next descriptor pointer register of one of the crypto-channels. Prior to fetching the data referred to by the descriptor and based on the services requested by the descriptor header in the descriptor buffer, the controller dynamically reserves usage of an EU to the crypto-channel. If all appropriate EU units are already dynamically reserved by other crypto-channels, the crypto-channel stalls and waits to fetch data until an appropriate EU is available. If multiple crypto-channels simultaneously request the same EU, the EU is assigned on a round-robin basis. Once the required EU has been reserved, the crypto-channel fetches and loads the appropriate data packets, operates the EU, unloads data to system memory, and releases the EU for use by another crypto-channel. If a crypto-channel attempts to reserve a statically-assigned EU (and no appropriate EUs are available for dynamic assignment), an interrupt is generated and status indicates illegal access. When dynamic assignment is used, each encryption/decryption packet must contain context that is particular to the context being supported. 6.6 Crypto-Channels The MPC190 includes nine crypto-channels that manage data and EU function. Each crypto-channel consists of the following: • • • • Control registers containing information about the transaction in process A status register containing an indication of the last unfulfilled PCI request A pointer register indicating the location of a new descriptor to fetch Buffer memory used to store the active data packet descriptor (See 6, “Data Packet Descriptors.”) Crypto-channels analyze the data packet descriptor header and request from the controller the first required cryptographic service. After the controller grants access to the required EU, the crypto-channel and the controller perform the following steps: 1. Set the appropriate Mode bits available in the EU for the required service. 6 MPC190 Security Processor Technical Summary For More Information On This Product, Go to: www.freescale.com MOTOROLA Freescale Semiconductor, Inc. Execution Units (EUs) Freescale Semiconductor, Inc... 2. Fetch context and other parameters as indicated in the data packet descriptor buffer and use these to program the EU. 3. Fetch data as indicated and place in either the EU’s input FIFO or the EU itself (as appropriate). 4. Wait for EU to complete processing. 5. Upon completion, unload results and context and write them to external memory as indicated by the data packet descriptor buffer. 6. If multiple services requested, go back to step 2. 7. Reset the appropriate EU if it is dynamically assigned. Note that if statically assigned, a EU is reset only upon direct command written to the MPC190. 8. Perform descriptor completion notification as appropriate. This notification comes in one of two forms—interrupt or header writeback modification—and can occur either at the end of every descriptor or at the end of a descriptor chain. 7 Execution Units (EUs) “Execution unit” is the generic term for a functional block that performs the mathematical permutations required by protocols used in cryptographic processing. The EUs are compatible with IPsec, WAP/WTLS, IEEE 1363, and Java Security processing, and can work together to perform high level cryptographic tasks.The MPC190’s execution units are as follows: • • • • • PKEU for computing asymmetric key mathematics, including Modular Exponentiation (and other Modular Arithmetic functions) or ECC Point Arithmetic DEU for performing block symmetric cryptography AFEU for performing RC-4 compatible stream symmetric cryptography MDEU for hashing data RNG for random number generation 7.1 Public Key Execution Unit (PKEU) The PKEU is capable of performing many advanced mathematical functions to support both RSA and ECC public key cryptographic algorithms. ECC is supported in both F(2)m (polynomial-basis) and F(p) modes. This EU supports all levels of functions to assist the host microprocessor to perform its desired cryptographic function. For example, at the highest level, the accelerator performs modular exponentiations to support RSA and performs point multiplies to support ECC. At the lower levels, the PKEU can perform simple operations such as modular multiplies. 7.1.1 Elliptic Curve Operations The PKEU has its own data and control units, including a general-purpose register file in the programmable-size arithmetic unit. The field or modulus size can be set in increments of 32 between 80 and 511 bits, supporting a wide range of cryptographic security levels. Because processing time is determined by field or modulus size, larger field / modulus sizes results in greater security but lower performance. For example, a field size of 160 is roughly equivalent to the security provided by 1024 bit RSA. A field size set to 208 roughly equates to 2048 bits of RSA security. The PKEU block contains routines implementing the atomic functions for elliptic curve processing—point arithmetic and finite field arithmetic. The point operations (multiplication, addition, and doubling) involve one or more finite field operations, which are addition, multiplication, inverse, and squaring. Point add and double each use of all four finite field operations. Similarly, point multiplication uses all EC point operations as well as the finite field operations. All these functions are supported both in modular arithmetic as well as MOTOROLA MPC190 Security Processor Technical Summary For More Information On This Product, Go to: www.freescale.com 7 Freescale Semiconductor, Inc. Execution Units (EUs) polynomial basis finite fields. The local control unit makes the necessary calls to the finite field blocks such that either of the two point operations are executed properly. 7.1.2 Modular Exponentiation Operations The PKEU is also capable of performing ordinary integer modulo arithmetic. This arithmetic is an integral part of the RSA public key algorithm; however, it can also play a role in the generation of ECC digital signatures and Diffie-Hellman key exchanges. Freescale Semiconductor, Inc... Modular arithmetic functions supported by the MPC190’s PKEU include the following: • • • • • • R 2 mod N A’ E mod N (A x B) R -1 mod N (A x B) R -2 mod N (A+B) mod N (A-B) mod N Where the following variable definitions: – – – – – A’ = AR mod N N is the modulus vector A and B are input vectors, E is the exponent vector R is 2 s, where s is the bit length of the N vector rounded up to the nearest multiple of 32. The PKEU can perform modular arithmetic on operands up to 2048 bits in length. The modulus must be larger than or equal to 129 bits. The PKEU uses the Montgomery modular multiplication algorithm to perform core functions. The addition and subtraction functions exist to help support known methods of the Chinese Remainder Theorem (CRT) for efficient exponentiation. 7.2 Data Encryption Standard Execution Unit (DEU) The DES execution unit (DEU) performs bulk data encryption/decryption, in compliance with the Data Encryption Standard algorithm (ANSI x3.92). The DEU can also compute 3DES and extension of the DES algorithm in which each 64-bit input block is processed three times. The MPC190 supports 2 key (K1=K3) or 3 key 3DES. The DEU operates by permuting 64-bit data blocks with a shared 56-bit key and an initialization vector (IV). The MPC190 supports two modes of IV operation: ECB (Electronic Code Book) and CBC (Cipher Block Chaining). 7.3 Arc Four Execution Unit (AFEU) The AFEU accelerates a bulk encryption algorithm compatible with the RC4 stream cipher from RSA Security, Inc. The algorithm is byte-oriented, meaning a byte of plain text is encrypted with a key to produce a byte of ciphertext. The key is variable length and the AFEU supports key lengths from 40 to 128 bits (in byte increments), providing a wide range of security strengths. RC4 is a symmetric algorithm, meaning each of the two communicating parties share the same key. 8 MPC190 Security Processor Technical Summary For More Information On This Product, Go to: www.freescale.com MOTOROLA Freescale Semiconductor, Inc. Performance Estimates 7.4 Message Digest Execution Unit (MDEU) Module The MDEU computes a single message digest (or hash or integrity check) value of all the data presented on the input bus, using either the MD4, MD5 or SHA-1 algorithms for bulk data hashing. • • • SHA-1 is a 160 bit hash function, specified by the ANSI X9.30-2 and FIPS 180-1 standards. The MD4/MD5 generates a 128 bit hash, and the algorithm is specified in RFC 1321. The MDEU also supports HMAC computations, as specified in RFC 2104. 7.5 Random Number Generator (RNG) Freescale Semiconductor, Inc... The RNG is a digital integrated circuit capable of generating 32-bit random numbers. It is designed to comply with FIPS 140-1 standards for randomness and non-determinism. Because many cryptographic algorithms use random numbers as a source for generating a secret value (a nonce), it is desirable to have a private RNG for use by the MPC190. The anonymity of each random number must be maintained, as well as the unpredictability of the next random number. The FIPS-140 compliant private RNG allows the system to develop random challenges or random secret keys. The secret key can thus remain hidden from even the high-level application code, providing an added measure of physical security. 8 Performance Estimates Bulk encryption/authentication performance estimates shown in Table 8-1 include data/key/context reads (from memory to MPC190), security processing (internal to MPC190), and writes of completed data/context to memory by MPC190, using typical 64-bit, 66MHz PCI system overhead. Table 8-1. Estimated Bulk Data Encryption Performance (Mbps) DES CBC 3DES CBC ARC4 MD5 SHA-1 3DES/ HMAC-MD5 64 byte 191 180 107 191 175 69 128 byte 337 284 186 363 327 130 256 byte 532 410 295 549 481 231 512 byte 784 539 428 736 629 357 1024 byte 1026 639 552 897 747 488 1536 byte 1139 680 630 968 796 558 The MPC190 supports single pass processing of encryption/message authentication. 9 Revision History Table 9-1 summarizes the revision history of this document. MOTOROLA MPC190 Security Processor Technical Summary For More Information On This Product, Go to: www.freescale.com 9 Freescale Semiconductor, Inc. Performance Estimates Table 9-1. Revision History Revision No. 0 Substantive Change(s) Initial release. Added revision history. 0.2 Updated with new template Freescale Semiconductor, Inc... 0.1 MOTOROLA MPC190 Security Processor Technical Summary For More Information On This Product, Go to: www.freescale.com 10 Freescale Semiconductor, Inc. Freescale Semiconductor, Inc... THIS PAGE INTENTIONALLY LEFT BLANK For More Information On This Product, Go to: www.freescale.com Freescale Semiconductor, Inc. HOW TO REACH US: USA/EUROPE/LOCATIONS NOT LISTED: Motorola Literature Distribution P.O. Box 5405, Denver, Colorado 80217 1-303-675-2140 (800) 441-2447 JAPAN: Freescale Semiconductor, Inc... Motorola Japan Ltd. SPS, Technical Information Center 3-20-1, Minami-Azabu Minato-ku Tokyo 106-8573 Japan 81-3-3440-3569 Information in this document is provided solely to enable system and software implementers to use Motorola products. There are no express or implied copyright licenses granted hereunder to design ASIA/PACIFIC: or fabricate any integrated circuits or integrated circuits based on the information in this document. Motorola Semiconductors H.K. Ltd. Silicon Harbour Centre, 2 Dai King Street Tai Po Industrial Estate, Tai Po, N.T., Hong Kong 852-26668334 Motorola reserves the right to make changes without further notice to any products herein. Motorola makes no warranty, representation or guarantee regarding the suitability of its products for any particular purpose, nor does Motorola assume any liability arising out of the application or use of any product or circuit, and specifically disclaims any and all liability, including without TECHNICAL INFORMATION CENTER: limitation consequential or incidental damages. “Typical” parameters which may be provided in (800) 521-6274 Motorola data sheets and/or specifications can and do vary in different applications and actual HOME PAGE: performance may vary over time. All operating parameters, including “Typicals” must be validated for each customer application by customer’s technical experts. Motorola does not convey any www.motorola.com/semiconductors license under its patent rights nor the rights of others. Motorola products are not designed, intended, or authorized for use as components in systems intended for surgical implant into the body, or other applications intended to support or sustain life, or for any other application in which the failure of the Motorola product could create a situation where personal injury or death may occur. Should Buyer purchase or use Motorola products for any such unintended or unauthorized application, Buyer shall indemnify and hold Motorola and its officers, employees, subsidiaries, affiliates, and distributors harmless against all claims, costs, damages, and expenses, and reasonable attorney fees arising out of, directly or indirectly, any claim of personal injury or death associated with such unintended or unauthorized use, even if such claim alleges that Motorola was negligent regarding the design or manufacture of the part. Motorola and the Stylized M Logo are registered in the U.S. Patent and Trademark Office. digital dna is a trademark of Motorola, Inc. All other product or service names are the property of their respective owners. Motorola, Inc. is an Equal Opportunity/Affirmative Action Employer. © Motorola, Inc. 2003 MPC190TS/D For More Information On This Product, Go to: www.freescale.com