



# OpenTitan®'s Hardware Security Analysis Framework

Pascal Nasahl  
JAIF | October 2025



# Introduction to OpenTitan®

The OpenTitan® partnership develops, verifies and maintains an ecosystem of high quality - **open source** - chip designs and security IP



## Other Silicon



Proprietary

Vendor

Open



Software



# World's First Commercial-Grade Open Source RoT



# OpenTitan® – Earl Grey & Darjeeling



# Secure IP Development Cycle

# Threat Model

- Attacker with physical access to the chip
- Physical attacks are in scope
  - Fault Injection (FI)
  - Side-Channel Analysis (SCA)
- **Design IP with this threat model in mind**



# Secure IP Development Cycle

## 4. FPGA Analysis

OpenTitan's Security  
Testing Framework  
**Next slides!**



## 1. Secure Hardware Development



### Secure Hardware Design Guidelines



#### Overview

Silicon designs for security devices require special guidelines to protect the designs against myriad attacks. For OpenTitan, the universe of potential attacks is described in our threat model. In order to have the most robust defensive posture, a general approach to secure hardware design should rely on the concepts of (1) defense in depth, (2) consideration of recovery methods post-breach, and (3) thinking with an attacker mindset.

## 3. Formal Verification

### SYNFI: Pre-Silicon Fault Analysis of an Open-Source Secure Element

Pascal Nasahl<sup>1,3</sup>, Miguel Osorio<sup>1</sup>, Pirmin Vogel<sup>2</sup>, Michael Schaffner<sup>1</sup>,  
Timothy Trippel<sup>1</sup>, Dominic Rizzo<sup>1</sup> and Stefan Mangard<sup>3,4</sup>



<sup>1</sup> Google, Mountain View, USA

<sup>2</sup> lowRISC CIC, Cambridge, United Kingdom

<sup>3</sup> Graz University of Technology, Graz, Austria  
[firstname.lastname@iaik.tugraz.at](mailto:firstname.lastname@iaik.tugraz.at)

<sup>4</sup> Lamar Security Research, Graz, Austria

## 2. Simulation

### Fault-Resistant Partitioning of Secure CPUs for System Co-Verification against Faults

Simon Tollec<sup>1</sup>, Vedad Hadžić<sup>2</sup>, Pascal Nasahl<sup>2,3</sup>, Mihail Asavoei<sup>4</sup>, Roderick Bloem<sup>2</sup>, Damien Courousse<sup>4</sup>, Karine Heydemann<sup>5,6</sup>, Mathieu Jan<sup>1</sup> and Stefan Mangard<sup>2</sup>

<sup>1</sup> Université Paris-Saclay, CEA, List, F-91120, Palaiseau, France, [firstname.lastname@cea.fr](mailto:firstname.lastname@cea.fr)

<sup>2</sup> Graz University of Technology, Graz, Austria, [firstname.lastname@iaik.tugraz.at](mailto:firstname.lastname@iaik.tugraz.at)

<sup>3</sup> lowRISC C.I.C., Cambridge, United Kingdom, [nasahl@lowrisc.org](mailto:nasahl@lowrisc.org)

<sup>4</sup> Univ. Grenoble Alpes, CEA, List, F-38000, Grenoble, France, [firstname.lastname@cea.fr](mailto:firstname.lastname@cea.fr)

<sup>5</sup> Thales DIS, Gémenos, France, [firstname.lastname@thalesgroup.com](mailto:firstname.lastname@thalesgroup.com)

<sup>6</sup> Sorbonne Univ., CNRS, LIP6, F-75005, Paris, France

## PROLEAD

### A Probing-Based Hardware Leakage Detection Tool

Nicolai Müller<sup>1</sup> and Amir Moradi<sup>2</sup>

<sup>1</sup> Ruhr University Bochum, Horst Görtz Institute for IT Security, Bochum, Germany  
[firstname.lastname@rub.de](mailto:firstname.lastname@rub.de)

<sup>2</sup> University of Cologne, Institute for Computer Science, Cologne, Germany  
[firstname.lastname@uni-koeln.de](mailto:firstname.lastname@uni-koeln.de)

# Post-Silicon Analysis

- Final step
- Covers real-world setting
  - With analog countermeasures, e.g., clock jitter
  - Whole chip instead of isolated IP
  - More noise
- Learnings influence software guidance & future chip generations
- OpenTitan's Security Testing Framework



# OpenTitan's Security Testing Framework

# Security Testing Framework

- Key component in secure IP development
  - Pre-silicon: FPGA
  - Post-silicon: Chip
- Collaborative platform for internal and external partners
  - OpenTitan developers
  - External labs
  - Certification body
- **Open-source**



# Security Testing Framework



# Security Testing Framework



# Security Testing Framework



# Security Testing Framework



# Security Testing Framework



# Security Testing Framework



# OT-SCA Host Framework

- Coordinates SCA and FI evaluations
  - Configures equipment and target
  - Collects evaluation results
- Features:
  - Evaluation database
  - Fault parameter sweep
  - Batch mode for high SCA capture rates
  - Result visualization
  - Trace alignment
  - Analysis scripts (TVLA, ...)
  - ...
- Communication API is standalone to allow integration into its own framework



# Pentest Device Framework

- Comprehensive SCA and FI evaluation framework
- >230 tests exercise the entirety of OpenTitan

## Characterization Tests:

```
// FI code target.  
PENTEST_ASM_TRIGGER_HIGH  
asm volatile(NOP10 "beq x5, x6, correctbeq\n" NOP10  
           "j badbeq\n"  
           "correctbeq:\n"  
           "addi x5, x5, 0x11\n"  
           "addi x6, x6, 0x22\n"  
           "badbeq:\n");  
PENTEST_ASM_TRIGGER_LOW
```

## CryptoLib Tests:

```
// Trigger window.  
pentest_set_trigger_high();  
TRY(otcrypto_aes(&key, iv, mode, op, input, padding, output));  
pentest_set_trigger_low();
```

# Pentest Code Structure

```
status_t handle_ibex_fi_register_file(ujson_t *uj) {  
    crypto_fi_ibex_register_file_t uj_input;  
    TRY(ujson_deserialize_ibex_register_file_t(uj, &uj_input));
```

Receive test config from ot-sca

```
pentest_init(uj_input);  
INIT_REGISTER_FILE
```

Test preparation

```
PENTEST_ASM_TRIGGER_HIGH  
asm volatile(NOP1000);  
PENTEST_ASM_TRIGGER_LOW;
```

Trigger window

```
reg_alerts = pentest_get_triggered_alerts();  
pentest_sensor_alerts_t sensor_alerts = pentest_get_sensor_alerts();
```

```
ibex_rf_content_t rf = DUMP_REGISTER_FILE  
ibex_fi_faulty_data_t uj_output = check_rf_content(rf);
```

Test evaluation

```
RESP_OK(ujson_serialize_ibex_fi_faulty_data_t, uj, &uj_output);  
return OK_STATUS();
```

Send evaluation result to ot-sca

# Supported Testing Equipment

- FI
  - Voltage glitching: CW Husky Crowbar
  - EMFI: ChipShouter + ChipShover XYZ table
- SCA
  - ChipWhisperer Husky scope
  - Scopes with VX11 support (tested with LeCroy oscilloscopes)
- **Easy to add new equipment by using driver classes**



# Testing the Pentesting Framework

- It needs to work
  - Contributions by different organizations
  - Framework used by different internal and external OpenTitan partners
- Compare pentesting results to test vectors on silicon and FPGA
- Integrated into Continuous Integration (CI) pipeline of the OpenTitan repository

```
4361 //sw/device/tests/penetrationtests:fi_crypto_fpga_cw340_sival_rom_ext (cached) PASSED in 9.3s
4362 //sw/device/tests/penetrationtests:fi_ibex_fpga_cw340_sival_rom_ext (cached) PASSED in 8.9s
4363 //sw/device/tests/penetrationtests:fi_lc_ctrl_fpga_cw340_sival_rom_ext (cached) PASSED in 5.2s
4364 //sw/device/tests/penetrationtests:fi_otbn_fpga_cw340_sival_rom_ext (cached) PASSED in 29.4s
4365 //sw/device/tests/penetrationtests:fi_otp_fpga_cw340_sival_rom_ext (cached) PASSED in 5.0s
4366 //sw/device/tests/penetrationtests:fi_rng_fpga_cw340_sival_rom_ext (cached) PASSED in 5.4s
4367 //sw/device/tests/penetrationtests:fi_rom_fpga_cw340_sival_rom_ext (cached) PASSED in 5.1s
4368 //sw/device/tests/penetrationtests:sca_aes_fpga_cw340_sival_rom_ext (cached) PASSED in 6.4s
4369 //sw/device/tests/penetrationtests:sca_edn_fpga_cw340_sival_rom_ext (cached) PASSED in 8.6s
4370 //sw/device/tests/penetrationtests:sca_hmac_fpga_cw340_sival_rom_ext (cached) PASSED in 4.1s
4371 //sw/device/tests/penetrationtests:sca_ibex_fpga_cw340_sival_rom_ext (cached) PASSED in 13.7s
4372 //sw/device/tests/penetrationtests:sca_kmac_fpga_cw340_sival_rom_ext (cached) PASSED in 3.5s
4373 //sw/device/tests/penetrationtests:sca_otbn_fpga_cw340_sival_rom_ext (cached) PASSED in 3.9s
4374 //sw/device/tests/penetrationtests:sca_sha3_fpga_cw340_sival_rom_ext (cached) PASSED in 6.0s
4375
4376 Executed 0 out of 25 tests: 25 tests pass.
4377 There were tests whose specified size is too big. Use the --test_verbose_timeout_warnings command line option to see which ones these are.
4378 + ./bazelisk.sh run //sw/host/opentitantool --rcfile= --interface=cw340 fpga reset-sam3x
```

# Getting Started

- Manual available
  - [github.com/lowRISC/ot-sca](https://github.com/lowRISC/ot-sca)
- Required Hardware
  - NewAE ChipWhisperer CW310 + Husky
  - NewAE testing equipment
  - Or own attack gear

```
$ git clone git@github.com:lowRISC/ot-sca.git  
$ cd ot-sca  
  
$ pip install -r python-requirements.txt  
  
$ cd capture/  
  
$ ./capture_aes.py -c configs/aes_sca_cw310.yaml -p aes
```



# Call for Action

- Look into OpenTitan
- Start pentesting it
- Please follow the CVD process:
  - [opentitan.org/cvd-policy](https://opentitan.org/cvd-policy)
- More questions?

[info@lowrisc.org](mailto:info@lowrisc.org)



## Coordinated Vulnerability Disclosure (CVD) Policy

We are dedicated to maintaining the security, integrity and reliability of our hardware and software designs, and we actively encourage responsible security vulnerability reporting from the security research and user community.

This policy applies to any vulnerabilities you believe you have discovered in OpenTitan's hardware design, documentation, firmware, infrastructure, or associated materials ("Project Materials").



# Thank you!