Platform Firmware Resilience (PFR) is a security framework created to protect platform firmware, such as the Basic Input/Output System (BIOS) and bootloaders, from attacks, unauthorized tampering, and exploitation, to detect such events, and to recover the platform from them.
PFR follows the guidelines defined in National Institute of Standards and Technology (NIST) Special Publication 800-193, which captures best practices for protecting firmware from cyber threats. These guidelines rest on three principles:
- Protection: Mechanisms for safeguarding the integrity of platform firmware through cryptographic authentication and Hardware Root of Trust (HRoT) mechanisms.
- Detection: Mechanisms for monitoring anomalies or unauthorized changes.
- Recovery: Mechanisms for ensuring the system can revert to a known-good state when compromised.
Implementations of PFR
- HRoT
  - Creates a trusted hardware module that verifies all firmware operations.
  - Ensures that only authenticated firmware is loaded and executed.
  - Inhibits unauthorized alterations or execution of malicious code.
- Secure Boot & Firmware Authentication
- Firmware Integrity Monitoring
  - Detects and reports unauthorized modifications to firmware during runtime.
- Recovery Mechanism
  - Keeps a copy of the most recent reliable firmware image (a.k.a. known-good state).
  - If it is discovered that the active firmware has been compromised, the FPGA instantly switches back to the reliable version.
Why is PFR Important?
Given the critical role of cloud computing and datacenters in modern digital infrastructure, PFR ensures that servers, storage devices, and networking equipment are protected from cyber threats such as persistent malware and data theft.
A firmware failure can impact businesses and users globally, leading to loss of revenue from disrupted cloud services or increased operational costs for recovery. With a recovery mechanism, PFR helps restore the firmware to a state of integrity.
PFR ensures that the platform firmware remains protected throughout its lifespan, keeping it safe against:
- Malicious firmware modifications, including trojans, backdoors, and rootkits.
- Supply chain attacks, or the introduction of compromised firmware during production or delivery.
- Rollbacks to vulnerable firmware versions or unauthorized firmware updates.
- Exploitation brought on by unintentional firmware overwrites or power outages.
PFR is now a necessity. As cyber threats continuously rise, ensuring resiliency at the firmware level can protect systems against these threats and maintain a secure infrastructure.
Example Use Cases of Platform Firmware Resiliency (PFR) in FPGAs
FPGAs are equipped with dynamic and flexible hardware platforms to strengthen cyber resilience. The characteristics of FPGAs make them an ideal device for various industries looking for robust security solutions. Examples include:
- Cryptographic signatures are used by FPGA-based servers, industrial automation systems, and Internet of Things (IoT) devices to confirm the legitimacy of firmware before execution. PFR prevents firmware from booting in the event of failed validation and ensures that only trusted code executes. This safeguards devices from running harmful code.
- For autonomous vehicles requiring safe over-the-air updates, or datacenters needing security patches, FPGAs enforce digitally signed and encrypted updates to ensure that the platform firmware updates are secure from attackers.
- For medical devices and other applications that need high dependability, FPGAs maintain dual-image redundancy and a backup copy of the trusted firmware version, so that the system can be restored to its original firmware following an attack or corruption.
- For handling sensitive workloads in cloud and edge computing, FPGA PFR prevents attackers from inserting permanent malware into the platform firmware by detecting unauthorized modifications through hash-based integrity inspections, blocking the execution of untrusted firmware, and triggering alerts.
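The validate-before-boot, anti-rollback, and dual-image recovery behaviours listed above can be modelled in a few functions. This is an added Python example, not Lattice code: the function names, the `flash` dictionary layout, and the key are hypothetical, and an HMAC stands in for the asymmetric signature a hardware root of trust would verify.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed demo key: stands in for the verification key anchored in the HRoT.
ROT_KEY = b"constructed-demo-key"

@dataclass
class Manifest:
    version: int   # security version number used for anti-rollback
    digest: bytes  # SHA-256 of the firmware image
    tag: bytes     # HMAC over version||digest (stand-in for a signature)

def _tag(version, digest, key):
    msg = version.to_bytes(4, "big") + digest
    return hmac.new(key, msg, hashlib.sha256).digest()

def sign_manifest(version, image, key=ROT_KEY):
    """Build the manifest a release process would ship alongside the image."""
    digest = hashlib.sha256(image).digest()
    return Manifest(version, digest, _tag(version, digest, key))

def check_image(image, m, min_version, key=ROT_KEY):
    """Return None if the image may boot, otherwise the rejection reason."""
    if not hmac.compare_digest(m.tag, _tag(m.version, m.digest, key)):
        return "manifest authentication failed"
    if not hmac.compare_digest(m.digest, hashlib.sha256(image).digest()):
        return "image hash mismatch"
    if m.version < min_version:
        return "rollback below minimum version"
    return None

def select_boot_image(flash, min_version):
    """Try the active slot, then the recovery slot; report every rejection."""
    events = []
    for slot in ("active", "recovery"):
        image, manifest = flash[slot]
        reason = check_image(image, manifest, min_version)
        if reason is None:
            if slot == "recovery":
                # Recover: restore the active slot from the known-good copy.
                flash["active"] = flash["recovery"]
            return slot, events
        events.append(f"{slot}: {reason}")
    return None, events  # nothing trustworthy: keep the platform from booting
```

The version check runs only after the manifest authenticates, so a validly signed but outdated image is still rejected, and each rejection is returned as an event that monitoring can alert on.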
Lattice Solution and PFR
To speed up the deployment of secure systems that adhere to PFR rules, the Lattice Sentry™ solution stack offers a strong combination of development tools and reference designs based on the following FPGA products:

Mach-NX - Hardware Security FPGA for Programmable System Control

MachXO3D - Secure Control FPGA with Hardware Root-of-Trust