It's exciting times ahead for Internet of Things companies with chip giant Arm's decision to open up the instruction set for its Cortex-M cores for customers to create their own custom instructions. The overall security of these chips will depend on how these instructions are actually implemented.
As the world focuses on more connected devices, IoT makers want specially-optimized processors that can handle their specific workloads. Companies building complex devices want to reduce latency by running their own accelerated algorithms directly on the CPU. In the case of sensors and controllers, there isn't a lot of room for additional components. If they can put their own customized instructions into the chip components, they can boost device performance and efficiency while reducing energy consumption.
Until now, Arm preferred consistency over configurability—a consistent programming model that ensured all Arm chips were the same at its core. With Custom Instructions, customers can write their own custom instructions for the Cortex-M processors starting in the first half of 2020, Arm CEO Semon Segars said at the Arm TechCon conference in San Jose. The feature will start with the Cortex-M33 core, and will be available for future Cortex-M components.
“We have engineered Arm Custom Instructions to fuel closer hardware and software co-design efforts toward achieving application-specific acceleration while unlocking greater device differentiation,” said Dipti Vachani, senior vice president and general manager of Arm's automative and IoT divisions.
System on Chip designers and OEM partners license Arm's designs for its underlying architecture and semiconductor chip components so that they can build their own chips or ship their own development boards. Custom Instructions would make it possible for these partners to create motor controls that can halve the runtime of the library that handles the decisions on where the motor will go next, or speed up calculations used in cryptography applications. Modems and storage controllers would be able to perform network and data operations far more efficiently because the processors are designed to handle them better.
Imagine your program is a stack of paperwork you have to get processed at some bureaucratic office. Each instruction has a form number, and the receptionist tells you what room in the building to bring it to to get it processed," said Joe FitzPatrick, hardware security researcher and instructor at SecuringHardware.com. "This is Arm's way of letting third parties open their own suites in the office building.
This level of customization makes sense for the embedded and IoT world. Arm executives suggested Custom Instructions may some day be added to Cortex-R, but did not commit to bringing them to the Cortex-A components used in mainstream devices such as smartphones and servers.
There are smaller players already offering customizable instructions, so Arm's move into this space is an interesting one. From a security standpoint, Arm has taken some precautions to avoid a free-for-all that could jeopardize the chips.
The chips with the custom instructions still have to execute Arm's core instructions as designed. The custom instructions are additive to the core instructions, and none of the original instrutions can be removed. If a program calls a routine and there is a custom instruction there, it will execute that. Otherwise, it will run the original core instruction.
The custom instructions can perform arithmetic or logic operations on register data, but not change flow control for the register. Arm made Custom Instructions compatible with Arm TrustZone so that the instructions can be monitored.
Historically, security has come second in IoT," said Joe Lea, vice-president of product at hardware security company Armis. "In the case of the custom chips from Arm, where security is part of dialogue from day one, it's reassuring.
One thing to be clear. There is no reason to worry that custom instructions will lead to more backdoored systems. The SoC vendor already controls the code, compiler, and silicon. "They have plenty of opportunities to backdoor systems without this [custom instructions]," said FitzPatrick.
New Library Support
This level of customization requires a significant skillset and understanding of microprocessor design and Arm isn't lowering the barrier of entry. Arm will provide the data and control lines, and the customization ability, as part of the license, but the instructions and frameworks will have to come from somewhere else. Arm would encourage designers and manufacturers to use existing programming tools, but they are ultimately the SoC designers and board builders are ultimately responsible for making the libraries and tools needed to make the custom instructions.
Manufacturers typically deliver a support package that has all the tools necessary to implement the board's features correctly. Chipmakers will be encouraged to come up with libraries and APIs that access their special instructions in a standardized way. With the frameworks, developers can write firmware that calls the API routine without knowing the exact details of those custom instructions.
The challenge here is the level of attention paid to the libraries and the processors themselves, and how issues may be introduced. Arm's restrictions will help protect the core instructions, but a poorly coded library may still inadvertently expose the internal workings.
"Vendors will not do the same level of analysis as Arm does," FitzPatrick said.
A manufacturer may make a custom instruction that can return a 64-bit value of the number of clock ticks since the CPU started, but that could potentially be abused to measuring a timing sidechannel, FitzPatrick said.
It is up to that vendor to keep the libraries and APIs current, which is another maintenance challenge for the vendors. Developers would also need to make sure they are using the most up-to-date versions, which is already a big application security challenge.
"If security is not part of design consideration, it's setting up IoT for an insecure future," said Lea.
Inertia will also help on the security front. Just because there is the option to create custom instructions doesn't automatically mean SoC designers and chip makers will rush to make different variations for all workloads. Doing this level of customization is difficult and would remain the province of people well-versed in microprocessor design.
I think you’ll see companies think long and hard about it [changing the architecture]," Segars told VentureBeat. "It's a significant step to add something into the architecture, to change it.
The bigger companies may standardize around a few optimizations and focus on supporting those features, and the smaller players would focus on one specific change.
"I don’t think you’re going to suddenly see a million and one different variations," Segars said.