Imagination and prpl have demo’d secure virtualization technology that lets routers running OpenWrt on MIPS Warrior CPUs stay legal under new FCC rules.
The open source prpl Foundation, which was established in 2014 by MIPS IP vendor Imagination Technologies and other companies, has proposed a way for router companies to let their U.S. customers upload Linux distributions such as OpenWrt without running afoul of a new FCC ruling that went into effect June 2. The virtualization security solution, called prplSecurity, is built around the open source L4Re hypervisor, optimized to run on Imagination’s MIPS Warrior-P processors. PrplSecurity, which will be formally announced June 9, separates and secures WiFi functions from general router functions with the help of secure OpenWrt, WiFi, and third-party VMs (see farther below).
Imagination and prpl’s prplSecurity technology demo
(click image to enlarge)
The FCC provisions prevent wireless devices such as WiFi routers that operate in the U-NII radio bands from being modified to exceed their licensed spectrum, modulation type, and power levels. The goal here is to prevent the disabling of a feature called Dynamic Frequency Selection, which could potentially interfere with devices such as Federal Aviation Administration (FAA) Doppler weather radios.
As Imagination’s Alexandru Voica writes in his announcement of prplSecurity: “In essence, the FCC wanted the manufacturers of routers and other networking equipment to provide tightly defined access paths to all wireless transmission devices. Unfortunately, the FCC proposal is likely to result in OEMs locking down the whole firmware of their routers and thus preventing consumers from installing the open source operating system or software of their choice (e.g. OpenWrt or DD-WRT.)”
In March, router vendor TP-Link proactively complied with the FCC proposal by attempting to prevent users from loading OpenWrt distributions on its routers. In late May, however, Belkin-owned Linksys announced that it had collaborated with the OpenWrt project and Marvell, which makes the ARM-based processors inside its hackable Linksys WRT routers, to offer a workaround that permits the loading of third-party software. The proprietary solution is said “isolate the RF parameter data and secure it outside of the host firmware separately,” as a Linksys rep told Ars Technica.
Considering that OpenWrt was named after the Linksys WRT line of routers, which for well over a decade have been a popular target for Linux hackers, it makes sense that Linksys spent a bit of money to fix the issue. However, it is apparently not doing so for its other routers, and most router firms will likely follow TP-Link’s lead in taking the more cost effective approach of simply locking down systems being sold in the U.S.
prplSecurity to the rescue
Now Imagination and the prpl Foundation, which is sort of a Linaro-like entity to develop open source MIPS software, have a solution for those vendors willing to build their routers around its MIPS Warrior-P processors. In addition to helping vendors comply with the FCC while keeping open source developers happy, the technology also upgrades router security in general, which on the whole is pretty dismal. Imagination claims the technology is superior to ARM TrustZone, pointing to a hackable security exploit recently discovered in certain Qualcomm Snapdragon SoCs.
The prplSecurity technology could have a major impact, as a large percentage of routers run on MIPS. According to Imagination, chipmakers use MIPS CPUs in networking and communications SoCs that together account for “hundreds of millions of chips shipping annually.” These include SoCs from prpl members such as Baikal Electronics, Broadcom, Cavium, Intel (Lantiq), and Qualcomm (Atheros and Ikanos), as well as non-members MediaTek and Realtek.
prplSecurity demo running (left) and a prplSecurity architecture diagram, showing a MIPS Warrior-P CPU running three virtual machines in three separate, trusted environments
(click images to enlarge)
The prplSecurity solution, developed by the prpl Security Working Group, taps the multi-domain, secure hardware virtualization technologies and OmniShield security technology within MIPS Warrior-P CPUs, to create multiple trusted environments where software can run in secure containers. This approach “allows only authorized entities (e.g. the operators) to make the necessary changes and updates to the critical radio settings specified by the FCC,” according to Voicu.
The prplSecurity solution is built around the open source Linux based L4Re microkernel/mikrohypervisor developed at TU Dresden, and hosted by KernKonzept. The L4Re microkernel, which also supports ARM processors, is made up of three parts: an L4 microkernel that can run trusted native applications and act as a trusted hypervisor; the L4Re Runtime Environment, a programming and execution environment for native applications; and L4Linux, a paravirtualized Linux kernel used to run untrusted applications or device drivers.
Imagination and prpl have combined L4Re with three virtual machines (VMs):
- Open VM for OpenWrt — runs OpenWrt and provides main interface to router facilities
- Isolated VM for WiFi driver — blocks direct access to the driver from other VMs, except through the virtual network connection, which is established via three ports: 85 for http, 449 for https or 29 for ssh
- Dedicated VM for third-party applications — sandbox for external apps that provide added functionality such as home automation
The video below shows a demo that runs OpenWrt on a Baikal Electronics evaluation board based Baikal’s Baikal-T1 SoC, which integrates dual MIPS Warrior P5600 cores. The board also incorporates a MIPS-based Realtek RTL8192 WiFi adapter connected via USB, as well as an Ethernet port.
Block diagrams: MIPS Warrior P5600 core (left), and Baikal’s dual-core P5600 based Baikal-T1 SoC
(click images to enlarge)
In addition, a UART serial port connects to the Linux debugging console. A console multiplexer running over the UART interface allows the prplSecurity code to access the virtual serial interfaces for all of the three VMs. In the video, the third-party VM is intentionally crashed to demonstrate how the other VMs are unaffected.
In an email, Voica noted that the Baikal-T1 SoC is one three currently available MIPS Warrior “Release 5-compatible” SoCs, along with Cavium’s OCTEON III and Broadcom’s XLP II. “Release 5 is when we’ve implemented the hardware virtualization and security by isolation concepts in the 32-bit and 64-bit MIPS architecture,” explained Voica.
Although the prplSecurity announcement mentioned only OpenWrt and the OpenWrt-based DD-Wrt, presumably the system could be modified to work with other OpenWrt-based distributions that can run on Warrior-P class processors. This might include an upcoming LEDE fork of the open source project.
Although you could, in principle, use ARM’s hardware virtualization plus TrustZone to create something akin to prplSecurity on ARM hardware, “the difference is that TrustZone has only one secure zone and one unsecure zone (it’s a binary concept),” added Voica. “Our OmniShield technology scales from 7 zones in the M-class to 31 in the I-class and 15 in the P-class. In addition, TrustZone only covers the CPU, whereas OmniShield extends to the GPU (not valid in this case, but already used in automotive) and other parts of the SoC.”
OpenWrt has become increasingly important to Imagination. We have seen an increasing number of networking devices and IoT-focused hacker boards that run OpenWrt and its derivatives, such as the Arduino-compatible Linino on MIPS-based SoCs. These include Imagination’s own open-spec Ci40 SBC.
Imagination Technologies Alexandru Voica will announce the new prplSecurity virtualization technology on Thursday, June 9 in this Imagination blog post. The open source code for the L4Re hypervisor that drives the PrplSecurity technology can be found on this KernKonzept page.