At Black Hat 2022, Daniel Nemiroff presented a talk on Tunable Replica Circuits. Riscure's CTO of North America, Jasper van Woudenberg, had an opportunity to listen to this presentation. Here are his thoughts on it.
In this talk, Daniel explains how Tunable Replica Circuits (TRC) are used by Intel in all 12th-generation CSME cores to detect various fault conditions. This talk gives an unprecedented insight into Fault Injection (FI) countermeasures developed by a large chip manufacturer, and how they are rolled out at scale. And to Riscure, there was a happy surprise at the end of the talk.
In the presentation, Daniel recognizes that physical attacks are cheap, and since the CSME is implementing TPM functionality, it requires physical attack protection. Intel integrated the TRC in the system agent part of the CSME, the latter being the root of trust for the main CPU. Once a fault is detected, the CSME is reset.
TRCs are circuits that are designed to have a long (tunable) propagation delay and have historically been used to detect timing violations in a circuit. Since VCC, clock, and, to some extent, EM fault injection rely on timing violations to cause faults, TRCs can be used as a detection mechanism. This also means that optical faults, which do not depend on a timing violation, may bypass this countermeasure.
TRCs, like some other countermeasure types, require per-chip calibration at the manufacturing stage. This is done by providing a reference voltage during manufacturing, which allows the chip to calculate the tunable delay required to detect faults. Intel also internally validated this approach, and after some iterations, was able to detect faults with great accuracy.
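The detection and calibration idea described above can be sketched as a small behavioural model. This is an added example, not Intel's design or code from the talk: the alpha-power-law delay model, every constant, and the function names are assumptions chosen for illustration, and the trace is constructed.

```python
# Simplified behavioural model of a tunable replica circuit (TRC).
# All constants are assumptions for illustration, not Intel's design values.
V_NOM = 1.00          # reference supply voltage (V), assumed
VTH = 0.35            # transistor threshold voltage (V), assumed
ALPHA = 1.3           # alpha-power-law exponent, assumed
STAGE_PS = 10.0       # delay of one replica stage at V_NOM (ps), assumed
LOGIC_STAGES = 80     # protected critical path in stage-equivalents, assumed

def stage_delay_ps(vcc):
    """Gate delay grows as the supply droops (alpha-power-law model)."""
    if vcc <= VTH:
        return float("inf")
    return STAGE_PS * (vcc / V_NOM) * ((V_NOM - VTH) / (vcc - VTH)) ** ALPHA

def calibrate(period_ps, guard_ps, max_stages=256):
    """Per-chip tuning: longest replica that still meets timing at V_NOM
    with guard_ps of slack, so it is the first path to fail."""
    stages = int((period_ps - guard_ps) // stage_delay_ps(V_NOM))
    if not 1 <= stages <= max_stages:
        raise ValueError("clock period outside the tunable range")
    return stages

def trc_trips(stages, vcc, period_ps):
    """True when the replica's transition misses the capturing clock edge."""
    return stages * stage_delay_ps(vcc) > period_ps

def logic_fails(vcc, period_ps):
    """True when the protected logic itself would violate timing."""
    return LOGIC_STAGES * stage_delay_ps(vcc) > period_ps

def monitor(stages, trace):
    """Return indices of cycles in which the TRC would raise a fault."""
    return [i for i, (v, p) in enumerate(trace) if trc_trips(stages, v, p)]

# Constructed per-cycle trace of (Vcc in volts, clock period in ps).
TRACE = [
    (1.00, 1000.0),  # nominal
    (0.98, 1000.0),  # ordinary supply ripple: tolerated
    (0.90, 1000.0),  # supply droop: replica is late
    (1.00, 900.0),   # shortened clock cycle: replica is late
    (1.00, 1000.0),  # fault with no timing effect (e.g. optical): not seen
]

if __name__ == "__main__":
    n = calibrate(1000.0, guard_ps=45.0)
    print("replica stages:", n, "flagged cycles:", monitor(n, TRACE))
```

In this model the replica trips at 0.90 V while the shorter protected path still meets timing, which is the early-warning property the calibration step is meant to guarantee.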
The happy surprise at the end of the talk was a shout-out to Riscure. As mentioned by Intel themselves, Riscure was the external test lab that validated the TRC against clock, voltage, and EM FI. Using these attack methods, we were unable to bypass the TRC.