Some microcontrollers have EEPROM on-chip. This provides non-volatile data memory while saving board space. However, as data security becomes more important, many modern embedded systems need a practical way to store data securely using non-volatile memory that is also resistant to outside hackers.
This article will describe how single-chip secure EEPROMs provide secure storage of non-volatile data that is resistant to hackers, without getting into the nitty-gritty of encryption. Instead, it will introduce a suitable example of a secure EEPROM from a well-known supplier, describe how it works, and how to go about applying it.
The need for secure EEPROM
Many embedded systems have benefitted from non-volatile data memory which has typically been EEPROM. EEPROM can be read and written under firmware control and retains its state when power is removed from the system, as compared to RAM which loses its state on power-down.
While EEPROM in microcontrollers has always been useful for storing program data that must be retained on power-down, it usually has the same security vulnerabilities as RAM. In some modern 8-bit, 16-bit, and 32-bit microcontrollers, there are methods of security that can prevent an area of data memory from being read under firmware control, or that can block data from being read by an external interface such as a debugger. In the past, this level of security could be considered adequate, but now there are situations where hackers may possess the money, time, motivation, and resources to bypass it and gain access to critical systems.
Modern embedded systems have evolved to the point where many applications now require more robust data protection. This is especially true in some IoT nodes, security systems, vehicle to vehicle communications, modern medical devices, and autonomous vehicles. Data security may also be necessary to simply prevent system cloning. These are applications where EEPROM data compromised from a successful attack by malicious hackers may cause property damage or worse.
In these situations, the EEPROM must be highly resistant to hackers who have significant resources. For such situations, high security EEPROM is available that can easily encrypt sensitive data such as passwords, cloning hashes, fingerprint data, sensor calibration information, and biometric data.
Microchip Technology has solved this design problem with a line of CryptoAuthentication™ devices. If these sound familiar, it’s because Microchip inherited the line as part of its Atmel acquisition. One such device from the line is the ATAES132A secure 32 Kbyte EEPROM (Figure 1).
Figure 1: The ATAES132A 32 Kbyte serial EEPROM is specifically designed with security features to protect data and internal registers. (Image source: Digi-Key Electronics)
The ATAES132A can be used like any standard 32 Kbyte serial EEPROM. It uses a standard SPI and I2C pinout, so it can replace standard serial EEPROMs on existing designs with no hardware modifications. This allows existing designs to be easily upgraded with additional security by only modifying application firmware.
However, it also has significant physical protection, encryption, and other designed-in security features that when enabled, will protect the EEPROM data and internal registers from all but the most determined hackers. Data can be protected using military grade AES encryption with up to sixteen 128-bit keys.
To start, the ATAES132A has many mechanical security mechanisms to prevent the device from being physically reverse engineered. The device is sensitive to certain changes in ambient temperature such as attempts to “deep freeze” the device to maintain memory contents. The device can detect de-capping attempts to expose the die. A metal shield covers the die, and if removed, the die detects exposure to light which may initiate a mechanism to destroy memory contents.
Finally, the internal memory contents are encrypted. The device may also include undisclosed security mechanisms known only to Microchip engineers, as Microchip keeps the specifics of these security mechanisms confidential. This provides extensive physical security to the secure memory, saving the developer from building complicated enclosures that provide a barrier to the EEPROM.
At power-up the ATAES132A can be configured to interface to most microcontrollers using either the SPI or I2C interface. When used in I2C mode, the Chip Select pin is not used and must be tied to power or ground. When configured for SPI mode, Chip Select is used, as per normal.
AES data encryption
Cryptography is implemented on the ATAES132A using AES-CCM with a 128-bit key. Put simply, data to be encrypted is put through a series of complex mathematical functions where it is combined with a 128-bit number which is programmed by the firmware developer. The complex math performed during AES encryption and decryption operations is all done by the ATAES132A, and except for setting up some variables and selecting the 128-bit keys, this process is transparent to the firmware developer, greatly easing product development.
ATAES132A memory map
The device can be simply used as a standard non-encrypted serial EEPROM. However, if a developer uses the advanced security features, then the device is structured and used very differently. The fastest way to understand the ATAES132A is to examine the memory map, which is deeper than that of a standard EEPROM as seen in Table 1.
Table 1: The ATAES132A memory map is deeper than that of a standard serial EEPROM. (Data source: Microchip Technology)
Most of the locations in the memory map are read or written using standard I2C or SPI commands.
EEPROM and the zone security configuration registers
The 32 Kbytes of data EEPROM memory is separated into sixteen 2 Kbyte zones. Each memory zone can be individually configured with or without security. Security settings for each of the 16 memory zones are set up in the Zone Security Configuration Registers area. The following are the basic security settings that can be individually set for each of the sixteen 2 Kbyte zones:
- Enable/Disable encryption to read data
- Enable/Disable encryption to write data
- Enable/Disable authentication to read data
- Enable/Disable authentication to write data
- Permanently set zone to read-only
These settings allow for a great deal of flexibility when setting up security for an application. One zone can be set to use no encryption and no authentication, with read/write access, allowing reads and writes like any standard EEPROM. Another zone can require full encryption and authentication, providing high security for sensitive data.
Device configuration registers
The general behavior of the device is set up in the Device Configuration Registers area. This area also contains some read-only information on the device. This includes a unique 32-bit device serial number used to identify the device. Other registers allow memory zones or other registers to be set to read-only. This is called locking memory. Once a register or memory zone is locked, it is permanent and can never be unlocked.
Also in this area is the I2CAddr register, used to configure whether the device is used in I2C or SPI mode. On device power-up the one-byte I2CAddr register is written. Bit 0 of I2CAddr determines the serial interface mode. If firmware writes a 0, the device is configured for SPI mode. If a 1 is written, it selects I2C mode. If I2C mode is selected, the 7-bit device address is 50h.
Command & response memory buffers
While memory locations in the device can be accessed using standard SPI or I2C addressing, the device also accepts commands similar to a microcontroller. A command and its operands, called a command block, may be one or more bytes and are always written directly to the Command & Response Memory Buffer at address FE00h. A command block is composed of one single-byte instruction, one or more bytes of operands, and a 2-byte checksum.
Available commands include data authentication, block reads from EEPROM zones, incrementing counters, and directly reading any protected memory or register that requires authentication. Responses to commands are read back from the same location FE00h. All writes to FE00h are commands sent to the Command Memory Buffer. All reads from FE00h are reads from the Response Memory Buffer.
The I/O Address Reset Register at FFE0h is a write-only register that is used to reset the command & response memory buffers. Writing any value to FFE0h performs two operations: the command memory buffer is cleared so that it can accept a new command block, and the response memory buffer is reset to zero so that the contents can be read from the beginning.
Resetting the response memory buffer allows firmware to re-read the entire response. This can be useful in code where an interrupt may have occurred while the host microcontroller was in the middle of reading the response memory buffer, and upon returning from the interrupt the data needs to be re-read from the beginning.
There are also commands to perform AES encryption and decryption for reads and writes to EEPROM. These computations are highly complex and will not be covered here. However, Microchip provides microcontroller drivers and firmware that easily perform all these functions so that minimal knowledge of AES encryption is required of the programmer.
Zone counter registers
This register area contains 16 read-only counters, one associated with each zone. Each memory zone is encrypted or decrypted using its 128-bit zone key. Each time a zone key is used, the associated 32-bit zone counter may or may not be incremented, depending upon the setting in the associated zone counter configuration registers. For security purposes counters can never be decremented or reset.
Firmware may write directly to a zone counter to increment it to an initial value, but never to a value lower than the existing counter contents. Zone counters may be written and locked during manufacturing to limit the number of counts. When the counter reaches the maximum value of 2,097,151, the associated key can be permanently disabled to prevent using it for further encryption or decryption operations. This can be useful for limited use keys, such as allowing microcontroller firmware to be re-flashed a limited number of times.
For extra security each 32-bit zone counter is duplicated. This is to detect corruption of the zone counters in the event a power failure occurs during a zone counter increment. On application power-up, the firmware should read both counter values for all zone counters. In a robust application, if the two values differ, this is treated as evidence of an unauthorized power-down event, which could indicate an unauthorized attempt to disable the application security while it is operating.
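Host-firmware checks for the zone counter rules just described (presets that may only raise a counter, the 2,097,151 ceiling and key exhaustion for limited-use keys, and the power-up comparison of both counter copies), as an added example in C that is not code from the article or from Microchip's drivers. The function names and the enum are this example's own assumptions; the counter values are supplied by the caller after it has read them from the device over I2C or SPI.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

#define ATAES_NUM_ZONES    16U
#define ATAES_COUNTER_MAX  2097151UL   /* counter ceiling stated in the article (2^21 - 1) */

/* Outcome of a host-requested counter preset (names are this example's own, not Microchip's). */
enum ataes_counter_status { COUNTER_OK = 0, COUNTER_REJECT_DECREASE, COUNTER_REJECT_RANGE };

/* Power-up integrity check: compare each zone's primary counter against its duplicate copy.
 * Both arrays hold values the host already read from the device. Returns a 16-bit mask with
 * bit n set when zone n's two copies disagree; a nonzero result is the "unexpected power-down"
 * condition the firmware should escalate rather than silently continue. */
uint16_t ataes_check_counter_copies(const uint32_t primary[ATAES_NUM_ZONES],
                                    const uint32_t duplicate[ATAES_NUM_ZONES])
{
    uint16_t mismatch = 0;
    for (size_t z = 0; z < ATAES_NUM_ZONES; z++) {
        if (primary[z] != duplicate[z])
            mismatch |= (uint16_t)(1U << z);
    }
    return mismatch;
}

/* Host-side guard mirroring the device rule for direct counter writes: a counter may be raised
 * to a new initial value but never lowered, and never pushed past the maximum. */
enum ataes_counter_status ataes_counter_preset(uint32_t *counter, uint32_t new_value)
{
    if (new_value < *counter)          return COUNTER_REJECT_DECREASE;
    if (new_value > ATAES_COUNTER_MAX) return COUNTER_REJECT_RANGE;
    *counter = new_value;
    return COUNTER_OK;
}

/* Uses left before a limited-use key (e.g. a re-flash key) reaches the ceiling. */
uint32_t ataes_key_uses_remaining(uint32_t counter)
{
    return (counter >= ATAES_COUNTER_MAX) ? 0 : (uint32_t)(ATAES_COUNTER_MAX - counter);
}

/* Model one use of a zone key whose counter is configured to increment. Returns true when the
 * key must now be treated as permanently disabled because its counter sits at the maximum;
 * the counter is never moved beyond the ceiling. */
bool ataes_key_use_exhausted(uint32_t *counter)
{
    if (*counter >= ATAES_COUNTER_MAX) return true;
    (*counter)++;
    return *counter >= ATAES_COUNTER_MAX;
}
```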
The ATAES132A status register is a read-only register that indicates error codes, including incorrect checksums and command errors. It also indicates if the ATAES132A is in I2C or SPI mode, as well as the progress of commands and the validity of responses. It should be read before and after all reads, writes, commands, and responses. Errors can indicate outside attempts to interfere with the I2C or SPI connection between the host microcontroller and the ATAES132A. It is up to the host firmware to take the appropriate action, such as alerting an operator or sounding an alarm.
Setting up the ATAES132A during manufacturing
The ATAES132A device security should be set up during end product manufacturing. To lessen the chance of configuration errors, the ATAES132A should be configured while in-system. First, all initial counter values and counter configurations should be set. Next, keys and encryption parameters should be programmed. Last, all initial EEPROM values should be programmed. The unique 32-bit device serial number can be read from the ATAES132A so it can be incorporated into the host microcontroller firmware.
It is recommended that all programmed EEPROM values be read back to ensure proper configuration of the ATAES132A. If any values are not read back properly, or if the status register indicates a checksum or command error, the end product should be flagged and removed from production. Optionally, if there is enough spare EEPROM, a test encrypt and decrypt can be performed.
Figure 2: The Microchip DM320109 Xplained CryptoAuthentication starter and development kit provides an easy way to evaluate and develop code for the ATAES132A. It comes with extensive code examples, and interfaces to most PCs supporting Windows, Linux, or MacOS. (Image source: Microchip Technology)
The kit's Microchip ATSAMD21J18A microcontroller has a USB interface for connecting to a PC development environment. It supports both I2C and SPI interfaces, and either can be used to interface to the ATAES132A. Once connected to the target PC using the supplied USB cable, the kit can be used to configure and monitor all features of the ATAES132A.
A second USB cable is provided to monitor and log data packets between the ATAES132A and the ATSAMD21J18A. This cable is connected between the Xplained board and an available USB port on the PC. The developer can then monitor the signals between the microcontroller and the EEPROM to observe the encrypted data moving between the two devices.
The Xplained kit comes with all firmware libraries and example code for the ATAES132A. With an understanding of the ATAES132A memory map and registers described here, the developer can easily customize the example code to fit their target application with minimal knowledge of the device’s encryption.
AES 128-bit encryption is a complicated subject. Despite that, developers can secure sensitive data in an EEPROM that has been specially designed for that purpose. Look for mechanical protections, strong encryption, special zoning and memory mapping, and custom or confidential features known only to the company and/or end user.