# Hardware Redaction via Designer-Directed Fine-Grained eFPGA Insertion – Fall 2020

Ken Mai

Electrical and Computer Engineering



# Shrinking Number of Leading-Edge IC Fabs

| 90nm                                                                                                                                                                             | 65nm                                                                                                                                            | 45/40nm                                                                                                                       | 32/28nm | 22/20nm                                                 | 16/14nm      | 10nm       |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|---------|---------------------------------------------------------|--------------|------------|
| (2003)                                                                                                                                                                           | (2005)                                                                                                                                          | (2007)                                                                                                                        | (2009)  | (2012)                                                  | (2015)       | (2018)     |
| Intel<br>TSMC<br>Samsung<br>Global Foundries<br>STMicro<br>UMC<br>SMIC<br>IBM<br>Toshiba<br>AMD<br>TI<br>Fujitsu<br>Panasonic<br>Renesas<br>NEC<br>Freescale<br>Infineon<br>Sony | Intel<br>TSMC<br>Samsung<br>Global Foundries<br>STMicro<br>UMC<br>SMIC<br>IBM<br>Toshiba<br>AMD<br>TI<br>Fujitsu<br>Renesas<br>NEC<br>Freescale | Intel<br>TSMC<br>Samsung<br>Global Foundries<br>STMicro<br>UMC<br>SMIC<br>IBM<br>Toshiba<br>AMD<br>TI<br>Fujitsu<br>Panasonic |         | Intel<br>TSMC<br>Samsung<br>Global Foundries<br>STMicro | anufacturing | Capability |

- Few suppliers are committed to advancing to 10nm node and beyond
- Dominance of fabless semiconductor model  $\rightarrow$  3<sup>rd</sup> parties fab



#### Security Threats from Untrusted Fab



**Reverse Engineering** 



**Trojan Insertion** 



**IP** Theft



#### Counterfeiting



Carnegie Mellon University Security and Privacy Institute

Combat untrusted fab and reverse engineering

- Designer-directed
- Fine-grained
- Redaction
- Using soft eFPGA





Combat untrusted fab and reverse engineering

- Designer-directed
  - Designer knows what IP they want to conceal
  - Not reliant on tool to choose what is redacted
- Fine-grained
- Redaction
- Using soft eFPGA





Combat untrusted fab and reverse engineering

- Designer-directed
- Fine-grained
  - Can redact from a single gate to a macro block
  - Intercalated with rest of design  $\rightarrow$  low overhead
- Redaction
- Using soft eFPGA





Combat untrusted fab and reverse engineering

- Designer-directed
- Fine-grained
- Redaction
  - Complete removal of sensitive IP
  - Recast as reconfigurable block
- Using soft eFPGA





Combat untrusted fab and reverse engineering

- Designer-directed
- Fine-grained
- Redaction
- Using soft eFPGA
  - No custom circuits or layout → ease of portability
  - Synthesized using standard cell library along with rest of the design





#### **Designer-view CAD Flow**



**Original marked RTL** 

**Redacted RTL** 

Layout



#### 4x4 Tile eFPGA Fabric Architecture



| Parameter                      | Value    |
|--------------------------------|----------|
|                                |          |
| Number of tiles                | 16 (4x4) |
| Channel width                  | 44       |
| Number of LUTs per CLB         | 8        |
| LUT size                       | 4        |
| Crossbar connectivity          | 50%      |
| Wire length                    | 4        |
| Switch block connectivity      | 3        |
| Switch block type              | Wilton   |
| Input connectivity $(Fc_{in})$ | 0.2      |
| Output connectivity (Fcout)    | 0.1      |

- Open-source island-style eFPGA architecture (Univ. Toronto)
- eFPGA RTL spawned from Chisel scripts
- Synthesized using standard cell synthesis tool flow
- eFPGA design silicon proven in 65nm, 28nm, 22nm, and 16nm



urnegie Mellon University curity and Privacy Institute

11

#### Test Circuit 1: GPS P-Code Generator

- MIT Lincoln Labs Common Evaluation Platform (CEP)
- Generates C/A code, P-code, and L-code
- P-code generator obfuscated
  - Length of the code
  - Position of the LFSR taps
  - Initialization value of the LFSR

| P-code<br>generator | C/A code<br>generator |  |
|---------------------|-----------------------|--|
| L-code ge           | AXI                   |  |

GPS core module diagram



#### GPS P-Code Generator Layout



 $(0.096 \text{mm}^2)$ 

eFPGA\_generic (0.134mm<sup>2</sup>) eFPGA\_opt (0.133mm<sup>2</sup>)



#### **GPS VLSI Metrics**





# Test Circuit 2: RISC-V CPU

• RV32I architecture

• 5-stage pipelined

• 16 KB separate I and D memory

- Control logic obfuscated
  - Low percentage of the gates, and renders the entire CPU unusable



RISC-V CPU module diagram



#### **RISC-V** Layout



eFPGA\_generic (8.80K μm<sup>2</sup>) eFPGA\_opt (8.08 μm<sup>2</sup>)



#### **RISC-V VLSI Metrics**





#### SAT Attack Results



Essentially requires attacker to generate eFPGA configuration bitstream without any information about design structure



#### Testchips



- Testchips in multiple process technology nodes
  - 28nm planar MOSFET and 22nm finFET technologies
  - Testchips functional at speed
- Soft eFPGA enables fast easy porting between processes
  - eFPGA fabric implemented using standard cells
  - No custom process-specific layout or circuit design



Carnegie Mellon University Security and Privacy Institute

#### Status and Next Steps

Status

- CAD tool flow from original RTL to redacted RTL completed
- Testchips at multiple process nodes fully functional at speed

Next steps

- Techniques for reducing eFPGA VLSI overheads  $\rightarrow$  latch-based storage
- Enhance eFPGA with block-RAMs and custom macros
- Improve attack infrastructure and conduct longer run-time experiments

