From 0e6fbeecf12d5176f0db75ad2752692b3c3a649d Mon Sep 17 00:00:00 2001 From: jaseg Date: Tue, 1 Dec 2020 19:36:02 +0100 Subject: paper: Add initial experimental results --- doc/quick-tech-report/rotohsm_tech_report.tex | 148 +++++++++++++++++++++++--- 1 file changed, 132 insertions(+), 16 deletions(-) (limited to 'doc/quick-tech-report/rotohsm_tech_report.tex') diff --git a/doc/quick-tech-report/rotohsm_tech_report.tex b/doc/quick-tech-report/rotohsm_tech_report.tex index 76b5d8f..bf51a87 100644 --- a/doc/quick-tech-report/rotohsm_tech_report.tex +++ b/doc/quick-tech-report/rotohsm_tech_report.tex @@ -315,18 +315,6 @@ In our design with a stationary payload where only the security mesh and sensors reports and a high-frequency alarm trigger heartbeat signal have to pass from rotor to stator. For this, a simple optocoupler close to the axis of rotation is a good solution. -% FIXME note prototype implementation here - -\subsection{Hardware prototype} - -% FIXME expand & update below w/ hw proto findings - -We are currently working on a hardware prototype that demonstrates the fundamental components of our concept. The -prototype will be based on a security mesh made with a commercial printed circuit board manufacturing process. In our -prototype we intend to use two commercially available hollow-shaft brushless DC (BLDC) motors originally intended for -quadcopter-mounted camera gimbals, one for driving and one for power transfer. The prototype will have a usable internal -volume sufficient to house a small form factor PC ($\approx\SI{2}{\liter}$). - \section{Attacks} \subsection{Attacks on the mesh} 
@@ -382,7 +370,134 @@ If the rate of rotation is set to change on a schedule, it is trivially detectab \section{Prototype implementation} %FIXME -FIXME +To validate our theoretical design, we have implemented a prototype rotary HSM. The main engineering challenges we +solved in our prototype are: +\begin{enumerate} + \item Fundamental mechanical design suitable for rapid prototyping that can withstand a rotation of $\SI{500}{rpm}$. + \item Automatic generation of security mesh PCB layouts for quick adaption to new form factors. + \item Non-contact power transmission to rotor. + \item Non-contact bidirectional data communication between stator and rotor. +\end{enumerate} + +\subsection{Mechanical design} + +We sized our prototype to have space for one or two full-size Raspberry Pi boards. Each one of these boards is already +more powerful than an ordinary HSM, but they are small enough to simplify our prototype's design. For low-cost +prototyping we designed our prototype to use printed circuit boards as its main structural material. The interlocking +parts were designed in FreeCAD mechanical CAD as shown in Figure \ref{proto_3d_design}. The mechanical designs were +exported to KiCAD for electrical design before being sent to a commercial PCB manufacturer. Rotor and stator are built +from interlocking, soldered PCBs. The components are mounted to a $\SI{6}{\milli\meter}$ brass tube using FDM 3D printed +flanges. The rotor is driven by a small hobby quadcopter motor. + +Security is provided by a PCB security mesh enveloping the entire system and extending to within a few millimeters of +the shaft. For security it is not necessary to cover the entire circumference of the module with mesh, so we opted to +use only three narrow longitudinal struts to save weight. + +To mount the entire HSM, we chose to use ``2020'' modular aluminium profile. 
+ +\begin{figure} + \center + \includegraphics[height=7cm]{proto_3d_design.jpg} + \caption{The 3D CAD design of the prototype.} + \label{proto_3d_design} +\end{figure} + +\subsection{PCB security mesh generation} + +To allow a quick iteration of our design while producing results with a realistic level of security, we wrote a plugin +for the KiCAD EDA suite that automatically generates parametrized security meshes. When KiCAD is used in conjunction +with FreeCAD through FreeCAD's KiCAD StepUp plugin, this ends up in an efficient toolchain from mechanical CAD design to +security mesh PCB gerber files. The mesh generation plugin can be found at its +website\footnote{\url{https://blog.jaseg.de/posts/kicad-mesh-plugin/}}. + +Our mesh generation plugin overlays a grid on the target area and then produces a randomized tree covering this grid. +The individual mesh traces are then traced along a depth-first search through this tree. A visualization of the steps is +shown in Figure \ref{mesh_gen_viz}. A sample of the production results from our prototype is shown in Figure +\ref{mesh_gen_sample}. + +\begin{figure} + \center + \includegraphics[width=9cm]{mesh_gen_viz.pdf} + \caption{Overview of the automatic security mesh generation process. 1 - the blob is the example target area. 2 - A + grid is overlayed. 3 - Grid cells outside of the target area are removed. 4 - A random tree covering the remaining + cells is generated. 5 - The mesh traces are traced along a depth-first walk of the tree. 6 - Result.} + \label{mesh_gen_viz} +\end{figure} + +\begin{figure} + \center + \includegraphics[width=6cm]{mesh_scan_crop.jpg} + \caption{A section of the security mesh PCB we produced with our toolchain for the prototype HSM.} + \label{mesh_gen_sample} +\end{figure} + +\subsection{Data transmission through rotating joint} + +As a baseline solution for data transmission, we settled on a $\SI{115}{\kilo\baud}$ UART signal sent through a simple +bidirectional infrared link. 
In the transmitter, the UART TX line on-off modulates a $\SI{920}{\nano\meter}$ IR LED +through a common-emitter driver transistor. In the receiver, an IR PIN photodiode reverse-biased to +$\frac{1}{2}V_\text{CC}$ is connected to a reasonably wideband transimpedance amplifier (TIA) with a +$\SI{100}{\kilo\ohm}$ transimpedance. As shown in Figure \ref{photolink_schematic}, the output of this TIA is fed +through another $G=100$ amplifier whose output is then squared up by a comparator. We used an \textsf{MCP6494} quad +CMOS op-amp. At a specified $\SI{2}{\milli\ampere}$ current consumption it is within our rotor's power budget, and its +Gain Bandwidth Product of $\SI{7.5}{\mega\hertz}$ yields a useful transimpedance in the photodiode-facing TIA stage. + +To reduce the requirements on power transmission to the rotor, we have tried to reduce power consumption of the +rotor-side receiver/transmitter pair trading off stator-side power consumption. One part of this is that we use +a wide-angle photodiode and IR LED on the stator, but use narrow-angle components on the rotor. The two rx/tx pairs are +arranged next to the motor on opposite sides. By placing the narrow-angle rotor rx/tx components on the outside as +shown in Figure \ref{ir_tx_schema}, the motor shields both IR links from crosstalk. The rotor transmitter LED is +driven at $\SI{1}{\milli\ampere}$ while the stator transmitter LED is driven at $\SI{20}{\milli\ampere}$. + +\begin{figure} + \center + \includegraphics{ir_tx_schema.pdf} + \caption{Schema of our bidirectional IR communication link between rotor and stator, view along axis of rotation. 1 + - Rotor base PCB. 2 - Stator IR link PCB. 3 - Motor. 4 - receiver PIN photodiode. 5 - transmitter IR LED.} + \label{ir_tx_schema} +\end{figure} + +\begin{figure} + \center + \includegraphics[width=9cm]{photolink_schematic.pdf} + \caption{Schematic of the IR communication link. Component values are only examples. 
In particular C2 depends highly + on the photodiode used and stray capacitances due to the component layout.} + \label{photolink_schematic} +\end{figure} + +\subsection{Power transmission through rotating joint} + +Since this prototype serves only demonstration purposes, we chose to use the simplest possible method of power +transmission: Solar cells. We mounted six series-connected solar cells made up from three commercially available modules +on the circular PCB at the end of our cylindrical rotor. The solar cells direclty feed the rotor's logic supply with +buffering by a large $\SI{33}{\micro\farad}$ ceramic capacitor. With six cells in series, they provide around +$\SI{3.0}{\volt}$ at several tens of $\si{\milli\ampere}$ given sufficient illumination. + +For simplicity and weight reduction, at this point we chose to forego large buffer capacitors on the rotor. This means +variations in solar cell illumination directly couple into the microcontroller's supply rail. Initially, we experimented +with regular residential LED light bulbs, but those turned out to have too much flicker and lead to our microcontroller +frequently rebooting. Trials using an incandecent light produced a stable supply, but the large amount of infrared light +emitted by the incandecent light bulb severely disturbed our near-infrared communication link. As a consequence of +this, we settled on a small LED light made for photography applications that provdided us with mostly flicker-free +light, leading to a sufficiently stable microcontroller VCC rail without any disturbance to the IR link. + +\subsection{Evaluation} + +During experiments, our prototype performed as intended. After some experimentation, we got both power and data +transmission through the rotating joint working reliably. Figure \ref{prototype_early_comms} shows our prototype +performing reliably at maximum speed for the first time. 
Our improvised IR link is open in both directions for about +$\SI{60}{\degree}$ of the rotation, which allows us to reliably transfer several tens of bytes in each direction during +each receiver's fly-by even at high speed of rotation. As a result of our prototype experiments, we consider a +larger-scale implementation of the inertial HSM concept practical. + +\begin{figure} + \center + \includegraphics[width=8cm]{prototype_early_comms_small.jpg} + \caption{The protoype when we first achieved reliable power transfer and bidirectional communication between stator + and rotor. In the picture, the prototype was communicating reliably up to the maximum $\approx\SI{1500}{rpm}$ that + we could get out of its hobby quadcopter parts.} + \label{prototype_early_comms} +\end{figure} \section{Future Work} @@ -416,9 +531,10 @@ or courier services after spin-up. \section{Conclusion} In this paper, we have presented inertial hardware security modules, a novel concept for the construction of highly secure hardware security modules from inexpensive, commonly available parts. We have elaborated the engineering -considerations underlying a practical implementation of this concept. We have analyzed the concept for its security -properties and highlighted its ability to significantly strengthen otherwise weak tamper detection barriers. We have -laid out some ideas for future research on the concept. +considerations underlying a practical implementation of this concept. We have implemented a prototype demonstrating +practical solutions to the significant engineering challenges of this concept. We have analyzed the concept for its +security properties and highlighted its ability to significantly strengthen otherwise weak tamper detection barriers. We +have laid out some ideas for future research on the concept. \printbibliography[heading=bibintoc] \appendix -- cgit
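Review bot: the removed comment `% FIXME note prototype implementation here` asked for a pointer from the optocoupler paragraph to the prototype, and the replacement drops it without adding one; since the prototype's IR link is the realized version of exactly that rotor-to-stator signal path, consider ending the paragraph "For this, a simple optocoupler close to the axis of rotation is a good solution." with a `\ref` to the new Prototype implementation section. The deleted subsection also committed to two hollow-shaft BLDC motors (one "for power transfer") and a usable volume of about 2 litres, which the new section supersedes with a single hobby quadcopter motor, solar cells and Raspberry-Pi-sized internals; check that nothing remaining in the design section still describes the motor-based power transfer.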
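Review bot: the statement in the Mechanical design subsection that "For security it is not necessary to cover the entire circumference of the module with mesh, so we opted to use only three narrow longitudinal struts" is left unargued; state the reasoning (presumably that rotation sweeps the struts past every angular position, so a stationary probe cannot pass between them) or cite the section where that is established, and say under which conditions it holds, since this is the one place the prototype deliberately thins the mesh. Two numbers in the same hunk disagree with each other: the enumerate item asks for a design that can "withstand a rotation of $\SI{500}{rpm}$", while the caption of `prototype_early_comms` reports reliable communication "up to the maximum $\approx\SI{1500}{rpm}$"; say which is the design speed and which the tested one. The Evaluation paragraph reports that the IR link is open for about $\SI{60}{\degree}$ of each revolution, so the alarm heartbeat from the earlier design section can only be delivered once per revolution (120 ms at 500 rpm); that bounds tamper reaction time and should be stated explicitly. The `%FIXME` comment after `\section{Prototype implementation}` is now stale. Minor: use `\centering` rather than `\center` inside the figure environments, and fix "adaption", "overlayed", "direclty", "incandecent" (twice), "lead to our microcontroller" (led), "provdided" and "protoype".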
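Review bot: "demonstrating practical solutions to the significant engineering challenges of this concept" overstates what the new Prototype implementation section describes, which itself calls the solar-cell power link "the simplest possible method", chosen because the prototype "serves only demonstration purposes", and notes that buffer capacitors were forgone; rephrase along the lines of "a prototype demonstrating the feasibility of the concept's main engineering challenges" so the conclusion and the evaluation agree.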