The OpenTitan Project
Security Evaluation
The work was conducted at Fraunhofer AISEC’s Common Criteria EAL 7-certified laboratory site. EAL 7 is the highest evaluation assurance level (EAL) defined in the Common Criteria (CC) standard and meets the most stringent security requirements. This ensures that the evaluation follows processes and procedures that meet the highest standards required for products aiming for formal security certification.
Fraunhofer AISEC’s Hardware Security Laboratory performs security analysis based on the latest state-of-the-art analysis methodologies with a focus on:
- High-precision side-channel analysis,
- Physical and semi-invasive attacks, including high-precision laser fault injection,
- Optical emission analysis, and
- Design and assessment of countermeasures against physical attacks.
In the laboratory, the Fraunhofer AISEC team is equipped with multiple setups for side-channel analysis, laser fault injection and electromagnetic fault injection.
These analysis techniques were applied to the OpenTitan engineering and production silicon to assess the robustness of its cryptographic engines, core components, and security-critical control logic against advanced physical attacks.
The evaluation was structured into several sub-stages, each focusing on specific OpenTitan components – such as the OpenTitan Big Number (OTBN) accelerator, memory, the Ibex core, and the cryptographic accelerators – and on their security properties. Across all sub-stages, the evaluation assumed very strong attacker capabilities with physical access to the device, including advanced side-channel and fault injection techniques. For each component, the evaluation focused on properties such as resistance against side-channel key extraction and fault-induced (control-flow) manipulation. This was complemented by optical analysis tools such as photon emission, which allowed the localization of the security-critical components on the chip for the analysis.
Chip preparation, which exposes the silicon die for analysis through chemical etching and high-precision milling, was also carried out in-house at the certified Fraunhofer lab facilities.
During the testing process, Fraunhofer AISEC worked with lowRISC, who provided silicon security expertise and customized pentesting firmware.
Open-Source Test and Evaluation Framework
OpenTitan is not only open-source hardware; it also comes with an open-source test catalog for side-channel analysis and fault injection enabling third parties to:
- Reproduce published measurement and analysis campaigns,
- Extend existing tests or develop new ones, and
- Adapt the infrastructure to their own targets and research needs.
The framework was developed and enhanced with the partners during the course of the collaboration.
Because the framework is developed in the open, the community can continuously refine the tools, share new analysis scripts, and enhance analysis methods over time. This toolkit formed the basis for the side-channel and fault-injection experiments in the campaign.
Impact on OpenTitan and Its Deployment
The collaboration delivered the following concrete outcomes:
- Independent assessment of core security properties
An independent security lab evaluated key OpenTitan design properties. Because OpenTitan is open-source, third parties can review the design and reproduce these results, increasing confidence in using OpenTitan as the foundation of platform security.
- Improved tooling and processes for ongoing assurance
The open-source evaluation framework, together with improved debug and test hooks in OpenTitan, reduces the effort for future thorough audits, certifications, internal testing, and community review. The collaboration led to improvements in this framework.
- Use-case-agnostic platform security
The assessment shows that OpenTitan’s robust security model is applicable to a wide range of use cases. Its open-source design enables manufacturers to adapt and extend the architecture to meet their specific requirements.
- Enhanced research collaborations
This work opens new opportunities for further research partnerships and collaborative innovation, including joint exploration of emerging technologies such as post-quantum cryptography.
This work demonstrates that the open-source root of trust – OpenTitan Earl Grey production silicon – integrated into servers and Chromebooks has been scrutinized using state-of-the-art side-channel and fault-injection techniques.
The evaluation was carried out in an environment designed for the highest levels of assurance. It shows that open hardware like OpenTitan can combine transparency, independent high-assurance evaluation, and practical deployability in real-world products.
We look forward to engaging with the OpenTitan Project more deeply in the future. Through the contributions from this joint collaboration we would like to call upon other OpenTitan or OpenTitan-based silicon manufacturers to use and continue to build on the contributions made to the open-source hardware testing infrastructure.
Authors
Nisha Jacob Kabakci
Dr.-Ing. Nisha Jacob Kabakci studied electrical engineering in Bangalore and embedded systems at Università della Svizzera italiana in Lugano, complemented by a practical year in cryptography at Nanyang Technological University in Singapore. Since joining Fraunhofer AISEC, she has conducted research on the security of embedded systems with a focus on FPGAs, within which she completed her Ph.D. at the Technical University of Munich in 2020. She is currently Head of Department »Hardware Security – Physical Analysis and Countermeasures« at Fraunhofer AISEC.
Contact: nisha.jacob@aisec.fraunhofer.de
Marc Schink
Marc Schink carries out research in the field of »Hardware Security« at Fraunhofer AISEC. In his private life as well as at the institute, he strives to detect vulnerabilities in hardware and software. He has conducted several vulnerability disclosure processes with renowned and international manufacturers.
Contact: marc.schink@aisec.fraunhofer.de




