X100 - Securing the System - RISC-V AI at the Edge 

Edge AI is the convergence of multiple technologies, including artificial intelligence, Internet of Things (IoT), edge computing, and embedded systems, each playing a crucial role in enabling intelligent processing and decision-making at the edge of the network. Edge AI involves using embedded algorithms to monitor a remote system’s activity, as well as processing the data collected by devices such as sensors and other trackers of unstructured data, including temperature, language, faces, motion, images, proximity, and other analog inputs.

These remote systems can take many forms, including sensors, smartphones, IoT devices, drones, cameras, and even vehicles and smart appliances. The data collected from these systems serves as the input for edge AI algorithms, providing valuable information about the state of the system or its surroundings, allowing edge AI systems to respond quickly to changes or anomalies and understand the environment in which they operate. These edge AI applications would be impractical or even impossible to operate in a centralized cloud or enterprise data center environment, where data needs to travel back and forth over networks, due to issues related to cost, latency, bandwidth, security, and privacy.

Edge AI deploys artificial intelligence (AI) on local devices at the network's "edge," near where data is generated, to process information and make decisions in real-time, rather than sending it to a distant cloud server. This approach reduces latency, conserves network bandwidth, enhances data privacy by keeping sensitive data local, and improves reliability by allowing devices to function even without a constant internet connection. One of the main concerns I hear from system architects is security, given the mission critical nature of the systems themselves and/or the sensitivity of the information being transmitted.

For years, SiFive has been delivering a range of security capabilities that are optimized for deployment throughout the system, tightly coupled to products from its broad portfolio of processors. Building on the prior blogs that centered on performance and effective coupling of accelerators, I wanted to focus this blog on security and its role in the growing popularity of the SiFive Intelligence X100 product family.

Protecting data and mitigating security risks requires a multi-layered approach to security. Edge systems face a range of risk that include;

• Susceptibility to malware infections, cyberattacks, and remote exploitation if not properly secured.

• Insecure network communication including unencrypted information, poor authentication and access control mechanisms

• Physical damage and tampering/vandalism

• Protecting the integrity of data processed by edge AI devices to maintain the accuracy and reliability of AI models and decision-making processes

Let’s look at what the X100 can provide in this capacity. In 2019, SiFive discussed its Shield architecture; an open, scalable platform designed to enable whole SoC security for RISC-V designs. There is a need to deliver a layered, scalable solution that provides memory region protection and support for multiple privilege modes.  The image below showcases how different hardware elements can deliver the required system functionality in a RISC-V based system.

The diagram below shows the elements that the X100 product series includes.

The physical memory protection (PMP) offers physical memory isolation between tasks, protecting up to 16 regions of memory per core. The core enforces access permissions in user space and regions also be locked after boot. This prevents further access from tasks running in M mode (the most privileged execution mode, having full access to the CPU and all memory, and is responsible for low-level hardware management and interrupt handling, until a core reset occurs. (More detailed technical information about this can be found here). Failed accesses generate a load, store, or instruction access exception.

For AI use cases, different users may wish to protect different types of data in different ways and require flexibility in the security approach . As an example,

• The ML model provider may wish to protect activations and weights

• An end user may wish to protect input data

• A content provider may wish to protect video data

WorldGuard, a standard that SiFive invented and subsequently donated to RISC-V International to enable the RISC-V ecosystem to build on consistent security implementations, creates isolated worlds and allocates system resources to each of these ‘worlds’. Unlike incumbent architectures, the system user can configure systems to have more than simply trusted and untrusted areas.

WorldGuard components ensure that the World ID (WID) is always tracked on external transactions. On products in the X100 family, the SSCI interface includes WID, allowing the accelerator to restrict which CPU contexts can access its resources. The next diagram shows an example of how we envision how this could be set up.

Hardware Cryptographic Accelerator (HCA): Shield includes a NIST SP 800-90A/B/C compliant true random number generator (TRNG) to enable cryptographic- or entropy-based secure features. The cryptographic engines are protected against SPA/DPA/EMA attacks and provide support for common use cases. The AES cryptographic engine offers block cipher and authenticated encryption support, while the secure hash crypto-engine supports SHA-2 and SHA-3 standards.

One of the strengths of the X100 product family series…indeed something that SiFive has focused on for years….is the highly configurable and customizable nature of its cores. It is not simply a pre-determined black box for inclusion into a customer design. This approach enables optimum power, performance and area to be generated by tailoring the core to meet the specific needs of a customer’s use case. This configurability extends to the options that customers can architect for their security subsystem.

Bringing AI to the Edge is an exciting, rapidly-growing use case, and RISC-V is proving to be a popular choice. SiFive can help you design your system with multiple levels of robust security and would welcome the opportunity to talk through the system challenges you are facing and work with you to define the optimum implementation.