Helios Secure Processor IP

Defend Against Physical & Cyber Attacks

Our Helios Memory Guard and Helios Processing Systems are designed to defend against physical attacks on secure data through authentication and encryption.

The Helios Memory Guard (HMG) is shimmed in between the processor and memory controller to provide just-in-time encryption, decryption, and authentication for all memory write and read requests. HMG also performs decryption and authentication of boot/load-time images that have been encrypted by the Helios Packager prior to deployment.

The Helios Processing System (HPS) integrates Helios Memory Guard (HMG) with a processor to provide a fully integrated and validated secure processor IP package.

Zero Trust enablement

Low risk, used on other Defense programs

NIST approved algorithms with proven side channel resistance

Simple to integrate, drag-and-drop design

Helios Memory Guard (HMG)

What Problem Helios Memory Guard Solves:

With physical access, instructions and data are vulnerable to inspection and modification as they are loaded from external memory and storage. Physical attacks that exploit these vulnerabilities, such as bus snooping, memory interposing, side channel analysis, and cold boot, have proliferated to the point that hobbyists can now perform them using consumer-grade equipment. The authentication and encryption provided by HMG mitigate these physical attacks by ensuring that loaded instructions are authentic and that data remains confidential through its entire lifecycle.

How it Works:

Helios Memory Guard (HMG) is shimmed in between the processor and memory controller to provide just-in-time encryption, decryption, and authentication for all memory write and read requests. This is done per cache line—in hardware—using ephemeral keys that roll on every write. HMG also performs decryption and authentication of boot/load-time images that have been encrypted by the Helios Packager prior to deployment. The user maintains full ownership and management of the load-time keys.

 

Benefits

Zero Trust Enablement: Provides a cryptographically secure platform for running a device’s trusted computing base, which is integral to ZT implementations

Low Risk: Used on other Defense programs, NIST approved algorithms with proven side channel resistance

Transparent to User/Developer: Maintains compatibility with existing software design and development practices, requiring minimal modification to the compilation process

Simple to Integrate: A drag-and-drop design delivered with reference designs and test benches using common interface IP.

Set and Forget, Simple Maintenance: No annual maintenance contracts or requirements; implementation of future updates is optional

Developed and supported by a trusted U.S. DOW supplier: Our team in the Mountain Time Zone answers emails, takes phone calls, and can travel to make sure your integration goes smoothly

Features

Technology Protection: Maintains confidentiality and integrity of Intellectual Property (IP) and Critical Program Information (CPI) within the memory and storage subsystems

Tamper Resistant: Resistant to reverse engineering threats—including Differential Power Analysis (DPA)

Inline Memory Encryption: Encrypts and authenticates memory during runtime with less than a 6% latency impact in typical deployments

Data-at-Rest Encryption: Encrypts and signs data for provisioning and decrypts and authenticates during load

NIST Compliant, SCA Resistant Cryptography: Uses CNSA 2.0 and FIPS 140-3 approved crypto algorithms with Side Channel Analysis (SCA) countermeasures

Compatible with Common Peripheral IP: Compatible with Xilinx LogiCORE and Synopsys DesignWare AXI Peripheral IP

Deliverables

IP-XACT Package

  • HMG RTL
  • Cacheline Normalizer RTL

Software Development Kit

  • HMG Driver
  • Packager (Software Encryption Utility with FIPS-validated Hardware Security Module (HSM) Support)

User Documentation

  • Product Guide
  • Hardware Integration Guide
  • Software Developer Manual

Reference Designs

Technical Support

Helios Processing System (HPS)

What Problem Helios Processing System Solves:

Modern computer processors lack the security to prevent software and hardware attacks, including:

  • Memory-Corruption Class Attacks, which account for 56% of MITRE critical common vulnerabilities and 70% of all Microsoft patches over the past 12 years.
  • Return-Oriented Programming (ROP), Jump-Oriented Programming (JOP), and Call-Oriented Programming (COP) Attacks, which leverage existing executable code fragments (“gadgets”) to bypass security controls
  • Downgrade, Key Extraction, and Unauthorized Firmware Attacks, which allow the bypass of secure boot mechanisms
  • Intellectual Property (IP) Theft Attacks, which target sensitive embedded firmware, often through reverse engineering techniques such as debug interface exploitation, bus snooping, or memory interposing
  • Cache Timing and Side-Channel Attacks, which allow for the extraction of critical security primitives and key material

How It Works:

A Helios Processing System (HPS) integrates Helios Memory Guard (HMG) with a processor to provide a fully integrated and validated secure processor IP package. For load-time security, instructions and data are decrypted and authenticated against the software developer’s and/or original equipment manufacturer’s keys. For runtime security, HPS decrypts and authenticates every instruction and data cache line—in hardware—using ephemeral keys that roll on every write. Additionally, HPS enforces cryptographic isolation and authentication of instructions and data, ensuring instructions cannot be authored by an adversary at runtime.
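The per-cache-line scheme described here and in the Helios Memory Guard "How it Works" section, as an added sketch that is not Idaho Scientific's code or design: a software model in which every write derives fresh keys, so a stale (replayed), modified, or relocated line fails authentication on read. The per-line write counter, the HMAC-based key derivation, the 64-byte line size, and the SHAKE-256/HMAC stand-in for AES-GCM are all assumptions made to keep the example standard-library only.

```python
import hashlib, hmac, os
LINE = 64  # assumed cache-line size in bytes

def xor_stream(key, data):
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(key).digest(len(data))))

class LineGuard:
    """Toy guard between CPU and untrusted memory; SHAKE/HMAC stand in for AES-GCM."""
    def __init__(self):
        self.root = os.urandom(32)  # on-chip secret, never leaves the guard
        self.epoch = {}             # on-chip write counter per line (assumption)

    def _keys(self, addr):
        # Ephemeral keys bound to (line address, write count): they roll on every write.
        info = addr.to_bytes(8, "little") + self.epoch[addr].to_bytes(8, "little")
        return (hmac.new(self.root, b"enc" + info, hashlib.sha256).digest(),
                hmac.new(self.root, b"mac" + info, hashlib.sha256).digest())

    def write(self, addr, plain):
        if len(plain) != LINE:
            raise ValueError("writes are whole cache lines")
        self.epoch[addr] = self.epoch.get(addr, 0) + 1
        enc, mac = self._keys(addr)
        ct = xor_stream(enc, plain)
        return ct, hmac.new(mac, ct, hashlib.sha256).digest()[:16]  # goes to external memory

    def read(self, addr, ct, tag):
        enc, mac = self._keys(addr)
        want = hmac.new(mac, ct, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, want):
            raise ValueError("cache line failed authentication")
        return xor_stream(enc, ct)

def rejected(guard, addr, blob):  # True if the guard refuses this (ciphertext, tag)
    try:
        guard.read(addr, *blob)
    except ValueError:
        return True
    return False

def demo():
    g = LineGuard()
    stale = g.write(0x1000, b"A" * LINE)    # old line, as captured off the bus
    ct, tag = g.write(0x1000, b"B" * LINE)  # current line (constructed sample data)
    other = g.write(0x2000, b"C" * LINE)    # valid line belonging to another address
    return {"clean_read": g.read(0x1000, ct, tag) == b"B" * LINE,
            "replay_rejected": rejected(g, 0x1000, stale),
            "bitflip_rejected": rejected(g, 0x1000, (bytes([ct[0] ^ 1]) + ct[1:], tag)),
            "splice_rejected": rejected(g, 0x1000, other)}
```

Replay detection in this model depends on the write counter living in trusted on-chip state; if the counter were stored in external memory alongside the line, a stale line could be restored together with its counter.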

 

Benefits

Zero Trust Enablement: Provides a cryptographically secure platform for running a device’s trusted computing base, which is integral to ZT implementations

Low Risk: Used on other Defense programs, NIST approved algorithms with proven side channel resistance

Transparent to User/Developer: Maintains compatibility with existing software design and development practices, requiring minimal modification to the compilation process

Simple to Integrate: A drag-and-drop design delivered with reference designs and test benches using common interface IP.

Set and Forget, Simple Maintenance: No annual maintenance contracts or requirements; implementation of future updates is optional

Developed and supported by a trusted U.S. DOW supplier: Our team in the Mountain Time Zone answers emails, takes phone calls, and can travel to make sure your integration goes smoothly

Efficient, Customizable Processing: Power efficient compute configurable to your embedded or enterprise performance needs

Full Lifecycle Technology Protection: Maintains confidentiality and integrity of Intellectual Property (IP) and Critical Program Information (CPI) through its full lifecycle

Features

Pre-Integrated RISC-V Processors: NOEL-V and RPX-105 cores available, with configurations of up to 16, 64-bit RISC-V cores (RV64GC, RV22, or RV23) with virtual memory support via integrated MMU.

Cache Line Separation and Authentication: Provides hardware-enforced cryptographic authentication and separation for CPU instruction and data caches

Inline Memory Encryption: Encrypts and authenticates instructions and data separately during runtime

Data-at-Rest Encryption: Encrypts and signs data for provisioning and decrypts and authenticates during load

Hardware-Enforced Secure Boot: Performs hardware-enforced secure boot

Software Exploitation Prevention: Prevents adversaries from using memory corruption exploits to perform arbitrary code execution

Tamper Resistant: Resistant to reverse engineering threats—including Differential Power Analysis (DPA)

Supports Common Operating Stacks: Can run VxWorks, Linux, FreeRTOS, bare metal software, and others

NIST Compliant, SCA Resistant Cryptography: Uses CNSA 2.0 and FIPS 140-3 approved crypto algorithms with Side Channel Analysis (SCA) countermeasures

Binary Compatible with RISC-V ISA: Leverages standard RISC-V ISA, allowing the use of standard toolchains and software ecosystems

Deliverables

IP-XACT Package (VHDL)

Hardware Development Kit

  • RTL
  • Product Documentation

Hardware Verification Suite

Software Development Kit

  • Pre-built compilers
  • Debuggers
  • Packager (Software Encryption Utility with FIPS-validated Hardware Security Module (HSM) Support)

Reference Designs

Technical Support

Frequently Asked Questions (FAQs)

Helios Memory Guard (HMG)

Compatibility

What FPGAs can HMG be used with?

HMG has been verified for use with Xilinx® 7-Series, UltraScale, UltraScale+, and Versal. HMG can be ported for use with other FPGA vendor devices.

Can HMG be used in custom ASIC designs?

Yes, HMG has been taped out in 28nm as part of a RISC-V Helios Processing System. Additional ASIC projects are underway.

Security

Who generates the keys used by Helios?

Idaho Scientific provides the Helios Packager utility, allowing the OEM or end customer to generate and manage their own cryptographic keys.

Which encryption algorithms are used by Helios?

256-bit AES-GCM is used for both inline memory and data-at-rest load-time encryption and verification. ML-DSA-87 is used for key management, with RSA-3072 provided for legacy support.

Performance

What is the memory performance impact of HMG?

System designers can anticipate no memory throughput performance impacts until approaching bus saturation, at which point a ~34% reduction is expected. More detailed performance data is available upon request.

How much fabric does HMG utilize?

At minimum, HMG utilizes ~60K LUTs and ~71K flip-flops, and users can expect a ~250 MHz maximum frequency.

Helios Processing System (HPS)

Compatibility

What FPGAs can an HPS be used with?

HPSs have been verified for use with Xilinx® 7-Series, UltraScale, UltraScale+, and Versal. An HPS can be ported for use with other FPGA vendor devices.

Can an HPS be used in custom ASIC designs?

Yes, a RISC-V HPS has been taped out in 28nm. Additional ASIC projects are underway.

Is an HPS built with other (not RISC-V) CPU Instruction Set Architectures (ISAs)?

Yes, the core security technology, Helios Memory Guard, can be integrated with ARM and other CPU designs to build an HPS.

Security

Which RISC-V security extensions are included in available HPSs?

All HPS offerings can be configured with all relevant software security extensions ratified in RISC-V, including Shadow Stacks (Zicfiss), Landing Pads (Zicfilp), RISC-V Cryptography Extensions (Volume I and II), Physical Memory Protection (PMP), and Virtual Memory Management (Sv32, Sv39, and Sv48).

Who generates the keys used by an HPS?

Idaho Scientific provides the software “Packager” utility, allowing the OEM or end customer to generate and manage their own cryptographic keys.

Which encryption algorithms are used by an HPS?

256-bit AES-GCM is used for both inline memory and data-at-rest load-time encryption and verification. ML-DSA-87 is used for key management, with RSA-3072 provided for legacy support.

Performance

What is the performance impact of Helios security features?

System designers can anticipate <6% impact to software execution performance when running an HPS compared to the base CPU. A detailed performance white paper is available for review.

How does HPS perform as a processor?

The NOEL-V HPS is capable of 1.33 instructions per cycle, 5+ SPECint2K6/GHz, and 7+ CoreMarks/MHz. FPGA users can plan on a 200 MHz core clock, and ASIC users can exceed 1.5 GHz. Performance information for the RPX-105 HPS is available upon request.


Idaho Scientific, now part of General Dynamics Mission Systems, specializes in embedded security with a proven track record of solving the hardest cybersecurity, supply chain integrity and anti-tamper problems with novel and scalable solutions.  



Copyright 2026 General Dynamics Mission Systems, Inc.

A General Dynamics Business