{"id":13628656,"url":"https://github.com/hex-five/multizone-sdk","last_synced_at":"2025-04-17T04:32:11.276Z","repository":{"id":37736080,"uuid":"162747307","full_name":"hex-five/multizone-sdk","owner":"hex-five","description":"MultiZone® Security TEE is the quick and safe way to add security and separation to any RISC-V processors. The RISC-V standard ISA doesn't define TrustZone-like primitives to provide hardware separation. To shield critical functionality from untrusted third-party components, MultiZone provides hardware-enforced, software-defined separation of multi","archived":false,"fork":false,"pushed_at":"2024-01-24T23:07:40.000Z","size":9083,"stargazers_count":82,"open_issues_count":1,"forks_count":24,"subscribers_count":11,"default_branch":"master","last_synced_at":"2024-11-08T19:42:11.353Z","etag":null,"topics":["attestation","container","digilent-arty-board","firmware","fpga","freertos","hypervisor","microkernel","multizone","risc-v","root-of-trust","secure-boot","secure-element","security","sifive","tee","trusted-computing","trusted-execution-environment","trustzone","xilinx"],"latest_commit_sha":null,"homepage":"https://hex-five.com/multizone-security-tee-riscv/","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hex-five.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-12-21T18:46:59.000Z","updated_at":"2024-11-04T05:06:32.000Z","dependencies_parsed_at":"2023-02-09T13:16:19.476Z","dependency_job_id":"be57aa0a-2ac5-48ed-90d7-ee1eb26427ec","html_url":"https://github.com/hex-five/multizone-sdk","commi
t_stats":{"total_commits":240,"total_committers":6,"mean_commits":40.0,"dds":"0.054166666666666696","last_synced_commit":"d0ea6f9edd089ec317634ba9ea0263f2e8fc0903"},"previous_names":[],"tags_count":9,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hex-five%2Fmultizone-sdk","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hex-five%2Fmultizone-sdk/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hex-five%2Fmultizone-sdk/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hex-five%2Fmultizone-sdk/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hex-five","download_url":"https://codeload.github.com/hex-five/multizone-sdk/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249315973,"owners_count":21249868,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["attestation","container","digilent-arty-board","firmware","fpga","freertos","hypervisor","microkernel","multizone","risc-v","root-of-trust","secure-boot","secure-element","security","sifive","tee","trusted-computing","trusted-execution-environment","trustzone","xilinx"],"created_at":"2024-08-01T22:00:55.034Z","updated_at":"2025-04-17T04:32:09.807Z","avatar_url":"https://github.com/hex-five.png","language":"C","readme":"# multizone-sdk\nMultiZone® Security TEE for RISC-V processors\n\n**MultiZone® Security** is the quick and safe way to add security and separation to RISC-V 
processors. MultiZone software can retrofit existing designs. If you don’t have TrustZone-like hardware, or if you require finer granularity than one secure world, you can take advantage of high security separation without the need for hardware and software redesign, eliminating the complexity associated with managing a hybrid hardware/software security scheme. RISC-V standard ISA doesn't define TrustZone-like primitives to provide hardware separation. To shield critical functionality from untrusted third-party components, MultiZone provides hardware-enforced, software-defined separation of multiple equally secure worlds. Unlike antiquated hypervisor-like solutions, MultiZone is self-contained, presents an extremely small attack surface, and it is policy driven, meaning that no coding is required – and in fact even allowed.\n\nMultiZone works with any 32-bit or 64-bit RISC-V processors with standard Physical Memory Protection unit (PMP) and “U” mode.\n\nThis release of the MultiZone SDK supports the following development boards:\n- [Digilent Arty A7 Development Board (Xilinx Artix-7 FPGA)](https://digilent.com/shop/arty-a7-artix-7-fpga-development-board/)\n- [Andes Corvette-F1 R1.0 (Xilinx Artix-7 FPGA)](http://www.andestech.com/en/products-solutions/andeshape-platforms/corvette-f1-r1/)\n- [Microchip Icicle Kit (PolarFire SoC)](https://www.microsemi.com/existing-parts/parts/152514)\n- [SiFive HiFive1 Rev B (Freedom E310 SoC)](https://www.sifive.com/boards/hifive1-rev-b)\n- [SiFive Unleashed (Freedom U540 SoC)](https://www.sifive.com/boards/hifive-unleashed)\n\nThis repository is for the Digilent Arty A7 and the SiFive HiFive1 Rev B boards.\n\nThe Digilent Arty A7 FPGA is certified for the following bitstreams:\n- [Hex Five X300](https://github.com/hex-five/multizone-fpga) v2.0.0 RV32ACIMU – Free open source. 
No license required.\n- [SiFive E21](https://www.sifive.com/cores/e21) 20G1.05.00 RV32ACIMU – SiFive evaluation license required.\n- [SiFive E31](https://www.sifive.com/cores/e31) 20G1.05.00 RV32ACIMU – SiFive evaluation license required.\n- [SiFive S51](https://www.sifive.com/cores/e51) 20G1.05.00 RV64ACIMU – SiFive evaluation license required.\n\n*Note: The Digilent Arty A7 FPGA board is available in two versions: 35T and 100T. Hex Five's X300 bitstream works with both. SiFive's bitstreams work only with the larger, more expensive, 100T.*\n\nFor instructions on how to upload the bitstream to the ARTY board and how to connect the [Olimex debug head ARM-USB-TINY-H](https://www.olimex.com/Products/ARM/JTAG/ARM-USB-TINY-H/) see [Arty FPGA Dev Kit Getting Started Guide](https://sifive.cdn.prismic.io/sifive%2Fed96de35-065f-474c-a432-9f6a364af9c8_sifive-e310-arty-gettingstarted-v1.0.6.pdf) and [connecting the FPGA to a JTAG debugger](https://hex-five.com/wp-content/uploads/ARTY-JTAG.png).\n\n### Quick Start ###\n\nPrebuilt FPGA bitstreams including the X300 RISC-V SoC and the MultiZone SDK firmware are provided as release assets ready to go:\n\n- [multizone-sdk-arty-35t.mcs](https://github.com/hex-five/multizone-sdk/releases/download/v2.2.8/multizone-sdk-arty-35t.mcs)\n- [multizone-sdk-arty-100t.mcs](https://github.com/hex-five/multizone-sdk/releases/download/v2.2.8/multizone-sdk-arty-100t.mcs)\n\nIf you are impatient to run the MultiZone SDK reference firmware, just upload the right bitstream to your Arty board and skip all steps below. For this you'll only need [Xilinx Vivado Lab](https://www.xilinx.com/support/download.html) and the instructions at https://github.com/hex-five/multizone-fpga#readme   \n\n\n### MultiZone SDK Installation ###\n\nThe MultiZone SDK works with any version of Linux, Windows, and Mac capable of running Java 1.8 or greater. 
The directions in this readme have been carefully verified with fresh installations of Ubuntu 20.04, Ubuntu 19.10, Ubuntu 18.04.5, and Debian 10.5. Other Linux distros are similar. Windows developers may want to install a Linux emulation environment like MSYS2/MinGW64 or, even better, Windows Subsystem for Linux. Hex Five's precompiled GNU toolchain and OpenOCD for Windows are available at https://hex-five.com/download/\n\n**Linux prerequisites**\n\n```\nsudo apt update\nsudo apt install make default-jre gtkterm libhidapi-dev libftdi1-2\n```\nUbuntu 18.04 LTS additional dependency\n```\nsudo add-apt-repository \"deb http://archive.ubuntu.com/ubuntu/ focal main universe\"\nsudo apt update\nsudo apt install libncurses-dev\n```\nNote: GtkTerm is optional and required only to connect to the reference application via UART. It is not required to build, debug, and load the MultiZone software. Any other serial terminal application of choice would do.\n\n**GNU RISC-V Toolchain**\n\nHex Five reference build: RISC-V GNU Toolchain Linux 64-bit June 18, 2021\n```\ncd ~\nwget https://hex-five.com/wp-content/uploads/riscv-gnu-toolchain-20210618.tar.xz\ntar -xvf riscv-gnu-toolchain-20210618.tar.xz\n```\n\n**OpenOCD on-chip debugger**\n\nHex Five reference build: RISC-V OpenOCD Linux 64-bit August 07, 2021\n```\ncd ~\nwget https://hex-five.com/wp-content/uploads/riscv-openocd-20210807.tar.gz\ntar -xvf riscv-openocd-20210807.tar.gz\n```\nNote: the SiFive HiFive1 board doesn't support OpenOCD and requires the Segger proprietary package JLink_Linux_V694_x86_64.deb downloadable at [https://www.segger.com/downloads/jlink/](https://www.segger.com/downloads/jlink/). 
\n\n**Linux USB udev rules**\n\n```\nsudo vi /etc/udev/rules.d/99-openocd.rules\n\n# Future Technology Devices International, Ltd FT2232C Dual USB-UART/FIFO IC\nSUBSYSTEM==\"tty\", ATTRS{idVendor}==\"0403\",ATTRS{idProduct}==\"6010\", MODE=\"664\", GROUP=\"plugdev\"\nSUBSYSTEM==\"usb\", ATTR{idVendor} ==\"0403\",ATTR{idProduct} ==\"6010\", MODE=\"664\", GROUP=\"plugdev\"\n\n# Future Technology Devices International, Ltd FT232 USB-Serial (UART) IC\nSUBSYSTEM==\"tty\", ATTRS{idVendor}==\"0403\",ATTRS{idProduct}==\"6001\", MODE=\"664\", GROUP=\"plugdev\"\nSUBSYSTEM==\"usb\", ATTR{idVendor} ==\"0403\",ATTR{idProduct} ==\"6001\", MODE=\"664\", GROUP=\"plugdev\"\n\n# Olimex Ltd. ARM-USB-TINY-H JTAG interface\nSUBSYSTEM==\"tty\", ATTRS{idVendor}==\"15ba\",ATTRS{idProduct}==\"002a\", MODE=\"664\", GROUP=\"plugdev\"\nSUBSYSTEM==\"usb\", ATTR{idVendor} ==\"15ba\",ATTR{idProduct} ==\"002a\", MODE=\"664\", GROUP=\"plugdev\"\n\n# SiFive HiFive1 Rev B00 - SEGGER\nSUBSYSTEM==\"tty\", ATTRS{idVendor}==\"1366\",ATTRS{idProduct}==\"1051\", MODE=\"664\", GROUP=\"plugdev\"\n```\nA reboot may be necessary for these changes to take effect.\n\n**MultiZone Security SDK**\n\n```\ncd ~\ngit clone https://github.com/hex-five/multizone-sdk.git\n\n```\n\n\n### Build \u0026 load the MultiZone reference application ###\n\nConnect the target board to the development workstation as indicated in the user manual.\n\n'ls multizone-sdk/bsp' shows the list of supported targets: X300, FE310, E31, S51, PFSOC.\n\nAssign one of these values to the BOARD variable - default target is X300.\n\n```\ncd ~/multizone-sdk\nexport RISCV=~/riscv-gnu-toolchain-20210618\nexport OPENOCD=~/riscv-openocd-20210807\nexport BOARD=X300\nmake \nmake load\n```\nNote: With some older versions of the FTDI libraries, the first \"make load\" after powering the board may take a bit longer than it should. If you don't want to wait, the simple workaround is to reset the FPGA board to abort the OpenOCD session. 
If you do this, make sure to kill the openocd process on your computer. Subsequent loads will work as expected and take approximately 10 seconds.\n\nImportant: make sure that switch SW3 is positioned close to the edge of the board.\n\nImportant: open jumper JP2 (CK RST) to prevent a system reset upon UART connection.\n\n\n### Run the MultiZone reference application ###\n\nConnect the UART port (ARTY micro USB J10) as indicated in the user manual.\n\nOn your computer, start a serial terminal console (GtkTerm) and connect to /dev/ttyUSB1 at 115200-8-N-1\n\nHit the enter key a few times until the cursor 'Z1 \u003e' appears on the screen\n\nEnter 'restart' to display the splash screen\n\nHit enter again to show the list of available commands\n\n```\n=====================================================================\n                       Hex Five MultiZone® Security                    \n    Copyright© 2020 Hex Five Security, Inc. - All Rights Reserved    \n=====================================================================\nThis version of MultiZone® Security is meant for evaluation purposes \nonly. As such, use of this software is governed by the Evaluation    \nLicense. There may be other functional limitations as described in   \nthe evaluation SDK documentation. The commercial version of the      \nsoftware does not have these restrictions.                           \n=====================================================================\nMachine ISA   : 0x40101105 RV32 ACIMU \nVendor        : 0x0000057c Hex Five, Inc. \nArchitecture  : 0x00000001 X300 \nImplementation: 0x20181004 \nHart id       : 0x0 \nCPU clock     : 64 MHz \nRTC clock     : 16 KHz \n \nPLIC @0x0c000000 \nDMAC @0x10040000 \nUART @0x10013000 \nGPIO @0x10012000 \n\nZ1 \u003e Commands: yield send recv pmp load store exec stats timer restart dma\n```\n\n\n### Optional: Eclipse CDT Project ###\nThis repository includes an optional Eclipse CDT project for developers familiar with this IDE. 
No additional plugins are required to build and upload MultiZone to the target. The [OpenOCD debugging plug-in](https://eclipse-embed-cdt.github.io/debug/openocd) is optional and recommended.\n\n**Eclipse project Setup**\n\nFile \u003e Open Projects from File System \u003e Import source: ~/multizone-sdk\n\nProject \u003e Properties \u003e C/C++ Build \u003e Environment: set RISCV and OPENOCD variables according to your installation\n\n![alt text](https://hex-five.com/wp-content/uploads/multizone-eclipse-proj.png)\n\n\n### Optional: FreeRTOS Example ###\nNo additional software dependencies are required to run MultiZone-based applications. To ease the integration of the MultiZone TEE with legacy applications based on the popular FreeRTOS operating system, the MultiZone SDK includes an optional zone3.1 running FreeRTOS 10.4.0. Its functionality is identical to that of the original zone3 that controls the robot, but it is implemented as a typical FreeRTOS application with four tasks and one interrupt handler.\n\n**Installation**\n\n```\ncd ~/multizone-sdk\ngit submodule update --init --recursive\ngit apply -p1 ext/freertos.patch --directory=ext/freertos\n```\n\n**Setup**\n\nEdit multizone-sdk/Makefile and change the two references to \"zone3\" into \"zone3.1\":\n\n```\n...\n\n.PHONY: all \nall: clean\n    $(MAKE) -C zone1\n    $(MAKE) -C zone2\n    $(MAKE) -C zone3\n    $(MAKE) -C zone3.1\n    $(MAKE) -C zone4\n    $(MAKE) -C bsp/$(BOARD)/boot\n\n    java -jar multizone.jar \\\n        --arch $(BOARD) \\\n        --config bsp/$(BOARD)/multizone.cfg \\\n        --boot bsp/$(BOARD)/boot/boot.hex \\\n        zone1/zone1.hex \\\n        zone2/zone2.hex \\\n        zone3.1/zone3.hex \\\n        zone4/zone4.hex\n\n...    \n```\nBuild and load to flash with the commands “make” and “make load”.\n\nNote: to activate MultiZone deep-sleep suspend, set configUSE_TICKLESS_IDLE 1 and configUSE_IDLE_HOOK 0 in ext/FreeRTOSConfig.h. 
This enables Hex Five’s optimized implementation of the FreeRTOS vPortSuppressTicksAndSleep() that takes full advantage of the RISC-V instruction wfi.\n\n\n### MultiZone TEE Technical Specs ###\n| |\n|---|\n| Up to 4 hardware threads (zones) hardware-enforced, software-defined                  |\n| Up to 8 memory mapped resources per zone – i.e. flash, ram, rom, i/o, etc.            |\n| Scheduler: preemptive, cooperative, round robin, configurable tick or tickless        |\n| Secure interzone communications based on messages – no shared memory                  |\n| Built-in support for secure shared Timer interrupt                                    |\n| Built-in support for secure shared PLIC interrupt                                     |\n| Built-in support for secure DMA transfers                                             |\n| Built-in support for CLIC, CLINT, and PLIC interrupt controllers                      |\n| Built-in trap \u0026 emulation for all privileged instructions – csrr, csrw, ecall, etc.   
|\n| Support for secure user-mode interrupt handlers mapped to zones – up to 32/64 sources |\n| Support for CPU deep-sleep suspend mode for low power applications - wfi              |\n| Formally verifiable runtime ~4KB, 100% written in assembly, no 3rd-party dependencies |\n| C macro wrappers for protected mode execution – optional for high speed low-latency   |\n| Hardware requirements: RV32, RV32e, RV64 cpu with Memory Protection Unit and 'U' mode | \n| System requirements: 8KB FLASH, 4KB ITIM, 2KB DTIM - CPU overhead \u003c 0.01%             | \n| Development environment: any versions of Linux, Windows, Mac running Java 1.8 or newer|\n\n\n### Additional Resources ###\n\n- [MultiZone Reference Manual](http://github.com/hex-five/multizone-sdk/blob/master/manual.pdf)\n- [MultiZone Datasheet](https://hex-five.com/wp-content/uploads/2020/01/multizone-datasheet-20200109.pdf)\n- [MultiZone Website](https://hex-five.com/multizone-security-sdk/)\n- [Frequently Asked Questions](http://hex-five.com/faq/)\n- [Contact Hex Five http://hex-five.com/contact](http://hex-five.com/contact)\n\n\n### Legalities ###\n\nPlease remember that export/import and/or use of strong cryptography software, providing cryptography hooks, or even just communicating technical details about cryptography software is illegal in some parts of the world. So when you import this software to your country, re-distribute it from there or even just email technical suggestions or even source patches to the authors or other people you are strongly advised to pay close attention to any laws or regulations which apply to you. Hex Five Security, Inc. and the authors of the software included in this repository are not liable for any violations you make here. 
So be careful, it is your responsibility.\n\n_MultiZone and HEX-Five are registered trademarks of Hex Five Security, Inc._\n\n_MultiZone technology is protected by patents US 11,151,262 and PCT/US2019/038774_\n","funding_links":[],"categories":["Other TEEs","C"],"sub_categories":["Memory Protection"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhex-five%2Fmultizone-sdk","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhex-five%2Fmultizone-sdk","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhex-five%2Fmultizone-sdk/lists"}