Integrating OpenTitan as a Security Controller for Cryptographic Tasks in RISC-V SoCs

RISC-V architectures are increasingly utilized in security-critical embedded systems, with OpenTitan standing out as a prominent open-source silicon Root-of-Trust. OpenTitan delivers essential functionalities, such as secure boot and execution integrity, but introduces notable area overhead. To mitigate this issue, we propose TitanSSL, a secure software stack that offloads cryptographic operations to OpenTitan. TitanSSL comprises an OpenSSL backend, a Linux driver for system communication, and a custom OpenTitan firmware. Communication between components is facilitated through a custom Application Binary Interface (ABI), ensuring the driver remains independent of the specific cryptographic operations executed by the OpenSSL engine. This design supports extensibility, enabling the integration of additional cryptographic primitives and enhancing the system flexibility. We evaluated TitanSSL on a System-on-Chip (SoC) featuring a CVA6 application core running Linux and OpenTitan, both clocked at 40 MHz on a Xilinx VCU118 FPGA. Our results reveal that, while there is communication overhead between system components, it is outweighed by substantial performance gains. Specifically, TitanSSL achieves speedups of 40x for SHA-256 and 82x for AES-256-CBC compared to a software-only implementation running on the CVA6 core. In addition, we provide design guidelines for future optimizations to improve system performance.