
MIPS VM tech lets routers stay open despite new FCC rules

Jun 8, 2016 — by Eric Brown — 1,508 views

Imagination and prpl have demo’d secure virtualization technology that lets routers running OpenWrt on MIPS Warrior CPUs stay legal under new FCC rules.

The open source prpl Foundation, which was established in 2014 by MIPS IP vendor Imagination Technologies and other companies, has proposed a way for router companies to let their U.S. customers upload Linux distributions such as OpenWrt without running afoul of a new FCC ruling that went into effect June 2. The virtualization security solution, called prplSecurity, is built around the open source L4Re hypervisor, optimized to run on Imagination’s MIPS Warrior-P processors. PrplSecurity, which will be formally announced June 9, separates and secures WiFi functions from general router functions with the help of secure OpenWrt, WiFi, and third-party VMs (see farther below).

Imagination and prpl’s prplSecurity technology demo

The FCC provisions prevent wireless devices such as WiFi routers that operate in the U-NII radio bands from being modified to exceed their licensed spectrum, modulation type, and power levels. The goal here is to prevent the disabling of a feature called Dynamic Frequency Selection, which could potentially interfere with devices such as Federal Aviation Administration (FAA) Doppler weather radios.

As Imagination’s Alexandru Voica writes in his announcement of prplSecurity: “In essence, the FCC wanted the manufacturers of routers and other networking equipment to provide tightly defined access paths to all wireless transmission devices. Unfortunately, the FCC proposal is likely to result in OEMs locking down the whole firmware of their routers and thus preventing consumers from installing the open source operating system or software of their choice (e.g. OpenWrt or DD-WRT.)”

In March, router vendor TP-Link proactively complied with the FCC proposal by attempting to prevent users from loading OpenWrt distributions on its routers. In late May, however, Belkin-owned Linksys announced that it had collaborated with the OpenWrt project and Marvell, which makes the ARM-based processors inside its hackable Linksys WRT routers, to offer a workaround that permits the loading of third-party software. The proprietary solution is said to “isolate the RF parameter data and secure it outside of the host firmware separately,” as a Linksys rep told Ars Technica.

Considering that OpenWrt was named after the Linksys WRT line of routers, which for well over a decade have been a popular target for Linux hackers, it makes sense that Linksys spent a bit of money to fix the issue. However, it is apparently not doing so for its other routers, and most router firms will likely follow TP-Link’s lead in taking the more cost-effective approach of simply locking down systems being sold in the U.S.

prplSecurity to the rescue

Now Imagination and the prpl Foundation, which is sort of a Linaro-like entity to develop open source MIPS software, have a solution for those vendors willing to build their routers around its MIPS Warrior-P processors. In addition to helping vendors comply with the FCC while keeping open source developers happy, the technology also upgrades router security in general, which on the whole is pretty dismal. Imagination claims the technology is superior to ARM TrustZone, pointing to a hackable security exploit recently discovered in certain Qualcomm Snapdragon SoCs.

The prplSecurity technology could have a major impact, as a large percentage of routers run on MIPS. According to Imagination, chipmakers use MIPS CPUs in networking and communications SoCs that together account for “hundreds of millions of chips shipping annually.” These include SoCs from prpl members such as Baikal Electronics, Broadcom, Cavium, Intel (Lantiq), and Qualcomm (Atheros and Ikanos), as well as non-members MediaTek and Realtek.

prplSecurity demo running (left) and a prplSecurity architecture diagram, showing a MIPS Warrior-P CPU running three virtual machines in three separate, trusted environments

The prplSecurity solution, developed by the prpl Security Working Group, taps the multi-domain, secure hardware virtualization technologies and OmniShield security technology within MIPS Warrior-P CPUs to create multiple trusted environments where software can run in secure containers. This approach “allows only authorized entities (e.g. the operators) to make the necessary changes and updates to the critical radio settings specified by the FCC,” according to Voica.

The prplSecurity solution is built around the open source, Linux-based L4Re microkernel/microhypervisor developed at TU Dresden and hosted by KernKonzept. The L4Re microkernel, which also supports ARM processors, is made up of three parts: an L4 microkernel that can run trusted native applications and act as a trusted hypervisor; the L4Re Runtime Environment, a programming and execution environment for native applications; and L4Linux, a paravirtualized Linux kernel used to run untrusted applications or device drivers.

Imagination and prpl have combined L4Re with three virtual machines (VMs):

  • Open VM for OpenWrt — runs OpenWrt and provides main interface to router facilities
  • Isolated VM for WiFi driver — blocks direct access to the driver from other VMs, except through the virtual network connection, which is established via three ports: 85 for http, 449 for https or 29 for ssh
  • Dedicated VM for third-party applications — sandbox for external apps that provide added functionality such as home automation

The video below shows a demo that runs OpenWrt on a Baikal Electronics evaluation board based on Baikal’s Baikal-T1 SoC, which integrates dual MIPS Warrior P5600 cores. The board also incorporates a MIPS-based Realtek RTL8192 WiFi adapter connected via USB, as well as an Ethernet port.

Block diagrams: MIPS Warrior P5600 core (left), and Baikal’s dual-core P5600 based Baikal-T1 SoC

In addition, a UART serial port connects to the Linux debugging console. A console multiplexer running over the UART interface allows the prplSecurity code to access the virtual serial interfaces for all of the three VMs. In the video, the third-party VM is intentionally crashed to demonstrate how the other VMs are unaffected.

In an email to HackerBoards, Voica noted that the Baikal-T1 SoC is one of three currently available MIPS Warrior “Release 5-compatible” SoCs, along with Cavium’s OCTEON III and Broadcom’s XLP II. “Release 5 is when we’ve implemented the hardware virtualization and security by isolation concepts in the 32-bit and 64-bit MIPS architecture,” explained Voica.

Although the prplSecurity announcement mentioned only OpenWrt and the OpenWrt-based DD-WRT, presumably the system could be modified to work with other OpenWrt-based distributions that can run on Warrior-P class processors. This might include an upcoming LEDE fork of the open source project.

Although you could, in principle, use ARM’s hardware virtualization plus TrustZone to create something akin to prplSecurity on ARM hardware, “the difference is that TrustZone has only one secure zone and one unsecure zone (it’s a binary concept),” added Voica. “Our OmniShield technology scales from 7 zones in the M-class to 31 in the I-class and 15 in the P-class. In addition, TrustZone only covers the CPU, whereas OmniShield extends to the GPU (not valid in this case, but already used in automotive) and other parts of the SoC.”

OpenWrt has become increasingly important to Imagination. We have seen an increasing number of networking devices and IoT-focused hacker boards that run OpenWrt and its derivatives, such as the Arduino-compatible Linino on MIPS-based SoCs. These include Imagination’s own open-spec Ci40 SBC.

Further information

Imagination Technologies’ Alexandru Voica will announce the new prplSecurity virtualization technology on Thursday, June 9 in this Imagination blog post. The open source code for the L4Re hypervisor that drives the prplSecurity technology can be found on this KernKonzept page.



4 responses to “MIPS VM tech lets routers stay open despite new FCC rules”

  1. AC says:

    Most of these routers only have value *because* you can replace their firmware with something useful. I have a TP Link router that I bought solely because I could replace the firmware – if I can’t do that, I won’t buy them.

    The FCC has long outlived its usefulness, and needs to be replaced with a competent agency, that hasn’t been captured.

  2. oiaohm says:

    Really this MIPS stuff does not address the problem. If a security fault exists in the RadioVM there is still going to be problems fixing it.

    Most of this issue is something simple and annoying.
    Notice how non-uniform this is. So a router configured for Japan is for sure going to be trouble in the USA.

    What makes this all so much more stupid is the fact you can take a raspberry pi put a USB wifi in it load up your own software and cause all the same radio problems the FCC is complaining about being caused because someone has replaced their firmware in their router.

    What needs to happen is all the radio regulators around the world get all in one place and universally decide what freq and power levels are wifi, bluetooth and so on and set the rules globally. Then the radio circuits could be done as solid circuits because there would be no need to regionally configure them and remove all cases of device being configured for the wrong region and with everyone only allowing the same devices, bye-bye problem.

    Only issue: getting global agreement on almost anything is next to impossible, so we are stuck with FCC, MIPS and others coming up with ideas that never can fix the problem.

  3. Nobody of Import says:

    What’s entertaining about all of this? You can STILL misconfigure the damn consumer gear if it’s got Japan/US mode support (many of them do…fail…)

    This honestly doesn’t accomplish jack and it doesn’t prevent someone going over to Japan and buying a pinned to Japan device and bringing it over here. Yeah, there’s laws against it and if they catch you, they may fine you and confiscate the gear. Big whoopdeeffindo. IF they catch you.

    This doesn’t even get into the real fact that I can still make a router and daisy-chain things like AP’s, WiBridges, etc. off the same with a PC, a RaspberryPI, a Jetson TK1, a panoply of Linux and *BSD capable devices, including the stuff they’re doing this silly thing on.

    FCC’s fix isn’t one. Locking down the WiRouters aren’t it either. If I figure out where your JTAG is, you’re done ANYHOW. If I figure out your locks on the firmware updates, you’re done as well.

    What an effin waste of time…

  4. oiaohm says:

    –Locking down the WiRouters aren’t it either. If I figure out where your JTAG is, you’re done ANYHOW. If I figure out your locks on the firmware updates, you’re done as well.–
    Really finding the JTAG does not mean replaceable firmware. With CPU these days containing signing keys to check the firmware they are loading breaching the JTAG can be worthless.

    –The Ars guide to building a Linux router from scratch–
    If you look this up you will find that some people are building their wifi routers from a collection of parts these days. Yes those parts built routers on performance are beating the pre-made.

    Something to take note if an Australian configured router is using channels 12 and 13 it will not be switching to low power mode as USA rules mandate. It’s not only Japan that is a problem if it is brought into the USA.

    USA configured wifi router in Australia, Japan and many other countries can also be illegal due to using freqs not allowed. Now remember a lot of wifi cards in phones and laptops have access point mode that is basically a wifi router. Hey we locked down desktop wifi routers but people travel all over the world and want to use their phones as a wifi router and it will need to be reconfigured at this stage and the only way to prevent that from being wrong is have a global standard.

    People have forgotten modern smartphones that one of their features is a wifi router so the FCC change will not help those wanting to keep their phones on current firmware for longer.

    No matter how you look at this problem only solution is really lock all the regulators in a room and only let them out when they come to a unified define of what items like Wifi are and since we cannot do that we are going to be in the end of insecure devices due to not being able to effectively maintain the firmware due to different regulators trying stupid solutions to the problem.

    Really no point praising MIPS for their solution as it fixed nothing and does nothing to help people making open source routers. With open source routers we need to move past the idea of taking a reconstructed router and modifying it. Case + motherboard model of white box PC will be able to come to wifi routers. Yes this will cause places like FCC another level of headache but it is the way the world is now.
