

# OpenTitan®'s Hardware Security Analysis Framework

Pascal Nasahl JAIF | October 2025



#### Introduction to OpenTitan®

The OpenTitan® partnership develops, verifies and maintains an ecosystem of high quality - **open source** - chip designs and security IP







#### World's First Commercial-Grade Open Source RoT



## OpenTitan® — Earl Grey & Darjeeling





# Secure IP Development Cycle

#### **Threat Model**

- Attacker with physical access to the chip
- Physical attacks are in scope
  - Fault Injection (FI)
  - Side-Channel Analysis (SCA)
- Design IP with this threat model in mind



## Secure IP Development Cycle

4. FPGA Analysis

OpenTitan's Security
Testing Framework
Next slides!

#### **CocoAlma: Execution-aware Masking Verification**

CocoAlma is an execution-aware tool for formal verification of masked implementations. It can verify any dataindependent masked computation that can be implemented as a Verilog hardware circuit or as software running on a hardware platform, with properly labeled secret shares and randomness.



#### 3. Formal Verification

#### SYNFI: Pre-Silicon Fault Analysis of an Open-Source Secure Element

Pascal Nasahl<sup>†1,3</sup>, Miguel Osorio<sup>1</sup>, Pirmin Vogel<sup>2</sup>, Michael Schaffner<sup>1</sup>, Timothy Trippel<sup>1</sup>, Dominic Rizzo<sup>1</sup> and Stefan Mangard<sup>3,4</sup>



- <sup>1</sup> Google, Mountain View, USA
- <sup>2</sup> lowRISC CIC, Cambridge, United Kingdom
  <sup>3</sup> Graz University of Technology, Graz, Austria
- Graz University of Technology, Graz, Austri firstname.lastname@iaik.tugraz.at
- <sup>4</sup> Lamarr Security Research, Graz, Austria



1. Secure Hardware Development



#### Secure Hardware Design Guidelines



#### Overview

Silicon designs for security devices require special guidelines to protect the designs against myriad attacks. For OpenTitan, the universe of potential attacks is described in our threat model. In order to have the most robust defensive posture, a general approach to secure hardware design should rely on the concepts of (1) defense in depth, (2) consideration of recovery methods post-breach, and (3) thinking with an attacker mindset.

2. Simulation



#### Fault-Resistant Partitioning of Secure CPUs for System Co-Verification against Faults

Simon Tollec<sup>1</sup>, Vedad Hadžić<sup>2</sup>, Pascal Nasahl<sup>2,3</sup>, Mihail Asavoae<sup>1</sup>, Roderick Bloem<sup>2</sup>, Damien Couroussé<sup>4</sup>, Karine Heydemann<sup>5,6</sup>, Mathieu Jan<sup>1</sup> and Stefan Mangard<sup>2</sup>

- <sup>1</sup> Université Paris-Saclay, CEA, List, F-91120, Palaiseau, France, firstname.lastname@cea.fr <sup>2</sup> Graz University of Technology, Graz, Austria, firstname.lastname@iaik.tugraz.at <sup>3</sup> lowRISC C.L.C., Cambridge, United Kingdom, masahlpselovrisc.org
- <sup>4</sup> Univ. Grenoble Alpes, CEA, List, F-38000, Grenoble, France, firstname.lastname@cea.fr
  <sup>5</sup> Thales DIS, Gémenos, France, firstname.lastname@thalesgroup.com

<sup>6</sup> Sorbonne Univ., CNRS, LIP6, F-75005, Paris, France

#### PROLEAD

#### A Probing-Based Hardware Leakage Detection Tool

Nicolai Müller<sup>1</sup> and Amir Moradi<sup>2</sup>

- <sup>1</sup> Ruhr University Bochum, Horst Görtz Institute for IT Security, Bochum, Germany firstname.lastname@rub.de
  - <sup>2</sup> University of Cologne, Institute for Computer Science, Cologne, Germany firstname.lastname@uni-koeln.de

## Post-Silicon Analysis

- Final step
- Covers real-world setting
  - With analog countermeasures, e.g., clock jitter
  - Whole chip instead of isolated IP
  - More noise
- Learnings influence software guidance & future chip generations
- OpenTitan's Security Testing Framework



# OpenTitan's Security Testing Framework

- Key component in secure IP development
  - Pre-silicon: FPGA
  - Post-silicon: Chip
- Collaborative platform for internal and external partners
  - OpenTitan developers
  - External labs
  - Certification body
- Open-source















#### **OT-SCA Host Framework**

- Coordinates SCA and FI evaluations
  - Configures equipment and target
  - Collects evaluation results
- Features:
  - Evaluation database
  - Fault parameter sweep
  - Batch mode for high SCA capture rates
  - Result visualization
  - Trace alignment
  - Analysis scripts (TVLA, ...)
  - 0 ...
- Communication API is standalone to allow integration into its own framework



#### **Pentest Device Framework**

- Comprehensive SCA and FI evaluation framework
- >230 tests exercise the entirety of OpenTitan

## Characterization Tests:

#### **CryptoLib Tests:**

```
// Trigger window.
pentest_set_trigger_high();
TRY(otcrypto_aes(&key, iv, mode, op, input, padding, output));
pentest_set_trigger_low();
```

#### Pentest Code Structure

```
atus t handle ibey fi register file(uisen t *ui) /
crypto fi ibex register file t uj input;
TRY(ujson deserialize ibex register file t(uj, &uj input));
pentest init(uj input);
INIT REGISTER FILE
PENTEST ASM TRIGGER HIGH
asm volatile(NOP1000);
PENTEST ASM TRIGGER LOW;
reg alerts = pentest get triggered alerts();
pentest sensor alerts t sensor alerts = pentest get sensor alerts();
ibex rf content t rf = DUMP REGISTER FILE
ibex fi faulty data t uj output = check rf content(rf);
RESP OK(ujson serialize ibex fi faulty data t, uj, &uj output);
return OK STATUS();
```

Receive test config from ot-sca

Test preparation

Trigger window

Test evaluation

Send evaluation result to ot-sca

## **Supported Testing Equipment**

- F
  - Voltage glitching: CW Husky Crowbar
  - EMFI: ChipShouter + ChipShover XYZ table
- SCA
  - ChipWhisperer Husky scope
  - Scopes with VX11 support (tested with LeCroy oscilloscopes)
- Easy to add new equipment by using driver classes





#### **Testing the Pentesting Framework**

#### It needs to work

- Contributions by different organizations
- Framework used by different internal and external OpenTitan partners
- Compare pentesting results to test vectors on silicon and FPGA
- Integrated into Continuous Integration (CI) pipeline of the OpenTitan repository

```
CW310 ROM_EXT Tests
                                                       //sw/device/tests/penetrationtests:fi crypto fpga cw340 sival rom ext (cached) PASSED in 9.3s
                                                       //sw/device/tests/penetrationtests:fi ibex fpqa cw340 sival rom ext (cached) PASSED in 8.9s
CW310 SiVal Tests
                                                       //sw/device/tests/penetrationtests:fi lc ctrl fpga cw340 sival rom ext (cached) PASSED in 5.2s
                                                       //sw/device/tests/penetrationtests:fi otbn fpga cw340 sival rom ext (cached) PASSED in 29.4s
CW310 SiVal ROM_EXT Tests
                                                       //sw/device/tests/penetrationtests:fi otp fpga cw340 sival rom ext (cached) PASSED in 5.0s
CW310 Manufacturing Tests
                                                       //sw/device/tests/penetrationtests:fi_rng_fpga_cw340_sival_rom_ext (cached) PASSED in 5.4s
                                                       //sw/device/tests/penetrationtests:fi_rom_fpga_cw340_sival_rom_ext (cached) PASSED in 5.1s

    Cache bitstreams to GCP

                                                       //sw/device/tests/penetrationtests:sca_aes_fpga_cw340_sival_rom_ext (cached) PASSED in 6.4s
                                                       //sw/device/tests/penetrationtests:sca_edn_fpga_cw340_sival_rom_ext (cached) PASSED in 8.6s
CW340 Test ROM Tests
                                                       //sw/device/tests/penetrationtests:sca hmac fpga cw340 sival rom ext (cached) PASSED in 4.1s
  CW340 ROM Tests
                                                       //sw/device/tests/penetrationtests:sca_ibex_fpga_cw340_sival_rom_ext (cached) PASSED in 13.7s
                                                       //sw/device/tests/penetrationtests:sca kmac fpga cw340 sival rom ext (cached) PASSED in 3.5s
CW340 ROM_EXT Tests
                                                       //sw/device/tests/penetrationtests:sca_otbn_fpga_cw340_sival_rom_ext (cached) PASSED in 3.9s
                                                       //sw/device/tests/penetrationtests:sca_sha3_fpga_cw340_sival_rom_ext (cached) PASSED in 6.0s
CW340 SiVal Tests
                                                 4375
CW340 SiVal ROM_EXT Tests
                                                       Executed 0 out of 25 tests: 25 tests pass.
                                                       There were tests whose specified size is too big. Use the --test_verbose_timeout_warnings command line option to see which ones these are
   FPGA test
                                                       + ./bazelisk.sh run //sw/host/opentitantool -- --rcfile= --interface=cw340 fpga reset-sam3x
```

#### **Getting Started**

- Manual available
  - o github.com/lowRISC/ot-sca
- Required Hardware
  - NewAE ChipWhisperer CW310 + Husky
  - NewAE testing equipment
  - Or own attack gear



\$ cd ot-sca

\$ pip install -r python-requirements.txt

\$ cd capture/

\$./capture\_aes.py -c configs/aes\_sca\_cw310.yaml -p aes





#### **Call for Action**

- Look into OpenTitan
- Start pentesting it
- Please follow the CVD process:
  - o <u>opentitan.org/cvd-policy</u>
- More questions?
  - info@lowrisc.org



#### Coordinated Vulnerability Disclosure (CVD) Policy

We are dedicated to maintaining the security, integrity and reliability of our hardware and software designs, and we actively encourage responsible security vulnerability reporting from the security research and user community.

This policy applies to any vulnerabilities you believe you have discovered in OpenTitan's hardware design, documentation, firmware, infrastructure, or associated materials ("Project Materials").



# Thank you!