6.5.12 · D4Advanced & Emerging Architectures

Exercises — Open hardware ecosystem (OpenRISC, OpenTitan)

2,504 words11 min readBack to topic

Level 1 — Recognition

You should be able to answer these by recalling and pointing, no calculation.

L1.1 — Name the three layers

Recall Solution
  • ISA (the spec / contract between software and hardware) — e.g. RISC-V or OpenRISC ORBIS.
  • Microarchitecture / RTL (the actual gate-level implementation) — e.g. Ibex or mor1kx.
  • Toolchain (compiler, simulator, EDA flow) — e.g. GCC, Verilator, OpenROAD.

They are independent: a chip can be open at one layer and closed at another. See FPGA & RTL Verification for where the RTL layer lives.

L1.2 — Root of Trust in one sentence

Recall Solution

A Root of Trust is the first component to boot. It measures (hashes) and verifies each later stage before handing off control, so everything above it trusts it implicitly. OpenTitan is a silicon Root of Trust; its CPU core is Ibex, a RISC-V core.

L1.3 — Spot the true statement

Recall Solution

(c) is true. (a) is false — OpenTitan uses RISC-V (Ibex), not OpenRISC. (b) is false — an ISA is only a specification; a closed core can implement an open ISA. Statement (c) is exactly Kerckhoffs's Principle applied to silicon.


Level 2 — Application

Now you plug numbers into the two formulas from the parent note: (fixed-width code size) and the birthday bound .

L2.1 — Code size

Recall Solution
  • Why ? Every OpenRISC instruction is fixed at bits bytes, so bytes.
  • Addresses start at and step by : the -th instruction (counting from ) sits at . The last is , at .
  • The next free byte is — matching . ✔

L2.2 — Reverse the formula

Recall Solution

. That address is the last instruction, so it is instruction number counting from — i.e. the 16th instruction. So . Check: is the first free byte, one word past . ✔

L2.3 — Collision effort

Recall Solution
  • Why halve the bits? Collisions follow the birthday bound: among random -bit values the first collision is expected near tries (see Cryptographic Hash Functions).
  • Here , so effort images.
  • That is astronomically large, so forging a different image with the same measurement is infeasible. ✔

Level 3 — Analysis

Here you must reason about why a mechanism does or doesn't work.

L3.1 — Hash-only boot

Recall Solution

Attack: replace with a malicious and overwrite the stored hash with . On boot the recomputed hash matches the (also-replaced) stored value, so it passes. Missing property: the scheme proves integrity (image not corrupted) but not authenticity (image came from the vendor). A signature binds to the vendor's private key, which the attacker does not hold, so the forged pair fails verification. See Secure Boot & Chain of Trust.

L3.2 — Where does trust bottom out?

Recall Solution

is burned into one-time-programmable fuses (see One-Time-Programmable Fuses (eFuse)). These fuses physically transition once (a metal link is blown) and cannot be rewritten — there is no electrical path back. So the attacker cannot swap in their own public key. Trust bottoms out in an immutable physical fact, not in software that could be patched. This is the "anchor" of the chain of trust.

L3.3 — Reading the chain

Recall Solution

They never run. Each stage only hands control forward after verifying the next stage's measurement. A failure at stage halts the hand-off, so stages and are never even measured, let alone executed. The chain is only as strong as its first broken link — that is the whole point of a chain of trust.


Level 4 — Synthesis

Combine open-hardware philosophy with the concrete mechanisms.

L4.1 — Steel-man the sceptic

Recall Solution

(i) Secrecy buys little: attackers reverse-engineer chips anyway via decapsulation and electron microscopy — the circuit is already readable to a determined adversary, so hiding it mostly stops defenders from auditing. (ii) What actually secures it: the secret keys in fuses, per Kerckhoffs's Principle — security must rest on keys, not on secrecy of design. Publishing the RTL turns the whole world into reviewers, so bugs are found before they're exploited (auditability). Obscurity is a speed bump; transparency is a fire alarm.

L4.2 — Design a minimal RoT

Recall Solution
Ingredient Property it supplies
Collision-resistant hash integrity — detects any change to the image
Signature scheme (Verify with ) authenticity — proves the vendor made it
in OTP fuses immutable trust anchor — attacker can't swap the key
First-to-boot, immutable ROM code ensures this verifier runs before anything else

Remove any one and the chain breaks: no hash → can't detect edits; no signature → hash is forgeable (L3.1); no fuse → key is swappable (L3.2); no immutable first code → attacker runs their own verifier first.

L4.3 — Two open cores, one decision

Recall Solution
  1. Ecosystem & formal analysis: Ibex is small and has been formally analysed, exactly what a Root of Trust needs, and it rides the large modern RISC-V toolchain and verification community (FPGA & RTL Verification).
  2. Proven integration: Ibex is already the core of OpenTitan, a shipping open silicon RoT — you inherit its secure-boot, key-storage and crypto-accelerator surroundings rather than rebuilding them. (OpenRISC predates RISC-V and is a fine general CPU, but the RoT tooling has coalesced around Ibex/RISC-V.)

Level 5 — Mastery

One long problem that chains every idea on the page.

L5.1 — End-to-end attack analysis

Recall Solution

Move 1 — fails at the hash. The stored measurement is . The malicious image hashes to something else, so and the integrity check rejects it before any signature step.

Move 2 — fails at the signature. Now the recomputed hash matches the (also-swapped) , so integrity passes. But the signature was made over the original with the vendor's private key. Verifying the new against fails, because the attacker cannot produce a valid signature without the private key (authenticity holds — this is exactly L3.1).

Move 3 — infeasible. A collision would let the malicious image share the same measurement, so the old signature would still verify. But SHA-256 is -bit, and by the birthday bound the expected number of attempts is which is computationally impossible. So this door is closed.

Move 4 — fails at the fuses. The public key lives in one-time-programmable fuses that physically cannot be rewritten (L3.2). The attacker cannot install their own key, so their self-signed images never verify against the real anchor.

Conclusion: every path is blocked — the design has no weak layer. Integrity (hash), authenticity (signature), and an immutable anchor (fuses) together give complete coverage. That is why secure boot works, and why the design being open does not help the attacker at all — nothing here relied on secrecy of the circuit.


Recall Quick self-check

Which formula gives OpenRISC code size? ::: (fixed 32-bit instructions). Which formula gives collision effort for an -bit hash? ::: (birthday bound). What single physical fact anchors the whole chain of trust? ::: The public key burned into one-time-programmable fuses.