Tamper-detection interface

Introduction

The tamper interface provides a mechanism to detect any unauthorized attempt to access the system, such as the opening of the enclosure. The tamper support included in the ConnectCore 6UL is implemented in the MCA and allows you to:

Tamper pins

The ConnectCore 6UL module supports up to two tamper interfaces (tamper0 and tamper1). Each interface has an associated IO (tamper pin) used to detect the tamper event (through a voltage transition on the IO) and, optionally, an output IO (tamper output) that can be used to enable or disable peripherals, for instance to cut the power of a peripheral. The IOs of each tamper interface can be configured independently and have the following configuration options:

The following MCA IO pins can be configured as tamper input pins: MCA_IO0, MCA_IO1, MCA_IO2/EXT_VREF, MCA_IO5. Any of the MCA IO pins can be configured as tamper output pins.

Tamper detection

The following diagram shows the sequence of events that occur during a tamper attack on the ConnectCore 6UL module. Tamper detection is triggered on the device by the voltage transition that occurs on the configured tamper input pin (IO_IN in the diagram). This tamper detection works in any operational mode of the system (normal run, suspend and power off). The system can perform different response actions depending on the presence of the main power supply.

The following actions happen immediately after detection of a tamper event:

If the system is in run state or if the tamper event wakes the system, the U-Boot and Linux firmware provide support to:

Tamper response

After a tamper event, the system logs the event in persistent memory and executes the necessary actions to respond to the system attack. Response actions are normally implemented to meet the specific needs of the device and may include one or several of the following generic responses:

The ConnectCore 6UL BSP provides the necessary firmware to easily detect tamper events and program the corresponding response actions to meet the requirements of the system.

The tamper module also allows you to program a predefined tamper action—system power off—that will automatically happen at a preconfigured timeout after the tamper event.

U-Boot

Tamper detection is enabled by default in U-Boot and can be disabled by removing build-time configuration option CONFIG_MCA_CC6UL_TAMPER.

When tamper support is enabled, the following actions take place during system initialization:

__weak void mca_tamper_take_actions(int iface)

If the predefined flow does not meet the requirements for a specific device, it can be fully customized using the bootloader code (board/digi/common/tamper.c).

Linux

The Linux BSP of the ConnectCore 6UL includes an IIO driver that detects the interrupt generated by the MCA when a tamper event is detected. The driver generates a device node (under /dev) for each tamper interface that allows you to read the tamper events from user space. The tamper interfaces can be enabled in the device tree. See Devices and interfaces for additional information about how to configure the driver and the tamper interfaces in the device tree.

The character device driver will generate standard IIO events when a tamper interrupt is detected. Therefore, it is possible to read the events using the standard API provided by the kernel for the IIO devices with event support.

As a reference, a sample application "tamper_sample" is included in the dey-examples package of meta-digi layer that demonstrates how to detect tamper events and provides the hooks to implement the required response actions and acknowledge the event.

Tamper configuration

The configuration of the tamper interface is performed with a configuration application included in the root filesystem, named tamper_cfg. This application allows you to read the current configuration of the tamper module and configure the settings. See Configure the tamper interfaces using tamper_cfg for more information.

Each tamper interface provides the following tamper registers, which are read and written by the tamper_cfg tool:

TAMPERn_CFG0

B7 B6 B5 B4 B3 B2 B1 B0
CLR_EV_EN PWROFF_EN OUT_ACT_HIGH OUT_EN - IN_ACT_HIGH RECONF_EN DET_EN

Field description

Field

Description

0 DET_EN

Enable tamper detection (1: enabled, 0: disabled)

1 RECONF_EN

Reconfigure tamper interface settings (1: allowed, 0: not allowed)

2 IN_ACT_HIGH

Set active level (tamper condition) of the tamper input (1: high, 0: low)

3 -

Reserved

4 OUT_EN

Activate the output of an IO when a tamper condition is detected (1: enabled, 0: disabled)

5 OUT_ACT_HIGH

Set output level (if enabled) when a tamper condition is detected (1: high, 0: low)

6 PWROFF_EN

Power off the device after the programmed timeout, after a tamper detection (1: enabled, 0: disabled)

7 CLR_EV_EN

Clear tamper events by writing a 0 to the tamper event register (1: enabled, 0: disabled)

TAMPERn_IO_IN

 B7 B6 B5 B4 B3 B2 B1 B0

IO index of tamper input

TAMPERn_IO_OUT

 B7 B6 B5 B4 B3 B2 B1 B0

IO index of tamper output

TAMPERn_PWROFF_DELAY

 B7 B6 B5 B4 B3 B2 B1 B0

Delay (multiplied by 100ms) power off after tamper detection

TAMPERn_EVENT

 B7

B6

B5

B4

B3

B2

B1

B0

-

-

-

-

-

-

ACKED

SIGNALED

Field description

Field

Description

0 SIGNALED

Indicates if a tamper condition has been detected (1: signaled, 0: no signaled) 

1 ACKED

Persistent flag used to acknowledge a tamper event condition (1: acknowledged, 0: no acknowledged)

Power and tamper support

The tamper detection and the response actions depend on the working mode of the system (run, suspend, power off) and the availability of power. The following table indicates the actions the system takes when a tamper event happens, under different power supply conditions and working modes.

Main Power

Battery backup

Working mode

After a tamper event...

-

-

power off

  • Register the event
  • Activate the output (that could activate a backup battery to power on the system)

or

power off

  • Register the event
  • Activate the output
  • Wake up the system and U-Boot catches the tamper event

or

suspend

  • Register the event
  • Activate the output
  • Wake up the system with an IRQ that can be processed by user space

or

running

  • Register the event
  • Activate the output IRQ that can be processed by user space