25

I'm trying to study how HSMs and TPMs work when storing secret data in clear text. How can they achieve physical impossibility of retrieving secret data?

I get the point in software: if you just have inputs and no outputs, then it should be impossible to retrieve anything through software.

But I want to know the hardware (physics) part as well. How can an IC achieve physical impossibility of retrieving data? Let's assume the data is stored on a hard drive permanently.

Mike Edward Moras
einstein

5 Answers

44

The normal way is to keep secret data in volatile static RAM (i.e. 6 transistors per bit, like in current CPU caches, not with capacitors like in DRAM). When the power is cut, the data is gone in a matter of microseconds. The HSM contains a small battery to keep the RAM up and running for up to a few weeks. The battery also powers an array of sensors, e.g. on temperature, light, physical integrity of the covering and so on. If anything goes amiss, the system automatically shuts down the power, and the keys are gone.

So the trick, really, is not to store the data "on a hard drive, permanently".

An amusing consequence is that if an HSM is unpowered for too much time, the keys can be lost. Pro-tip: when you ship an HSM to a factory in China, label it as "a network card". Otherwise, customs will keep it around for a month, and the keys will be lost.


The above is valid for HSM and payment terminals. Smart cards, on the other hand, employ other tricks, which are undocumented (and most of them are trade secrets).

Thomas Pornin
22

It is not physically impossible to retrieve data, merely very difficult. Physical sensors such as light sensors and mesh layers on chips can be bypassed.

Christopher Tarnovsky's work using a Focused Ion Beam (FIB) electron microscope is worth a watch. IIRC the FIB he's using cost him somewhere around $500,000 used, over 10 years ago. Renting time on one is about $400/hour. It takes months of work to figure out how to hack a given TPM/HSM, and destroys numerous sample devices. That's ignoring the costs of the time of a skilled semiconductor engineer to conduct the attack. It's very, very difficult, but not impossible.

Ella Rose
SAI Peregrinus
4

One way to address this question is not to ‘store’ secrets in the sense that they can be retrieved, but to create a circuit that only computes a pseudorandom function $f_k(c)$ of a challenge $c$ with a physically randomly chosen secret key $k$, embedded in a medium that breaks down under attempts to merely read the secret key. This is called a PUF, physical unclonable function.

A typical application might be wired to an AES circuit to compute $\operatorname{AES}_{f_k(c)}(m)$. Nowhere is the key $k$ or the derived AES key $f_k(c)$ stored, per se, in a way that can reliably be read.

Of course, the devil is in the details of preventing someone from monitoring the electrical signals in the IC to recover the AES key while it is in use! There is a whole literature—and, no doubt, a private array of trade secrets—on how to physically design PUFs, and physically attack the designs, etc.

Squeamish Ossifrage
4

If an integrated circuit holding the data doesn't offer the interface to read it, the only way to get that data is a reverse engineering process known as chip decapping. Roughly speaking, one has to remove the IC case, then laser drill the area where the bits of interest are located, and read them out with probes or an electron microscope.

This process has a few problems when applied to modern chips:

  • it's destructive

  • it requires expensive equipment and expert knowledge

  • the chances of success on an individual chip are rather low. If you have a bunch of identical chips, you can be confident you'll get the data; with a single chip containing unique data it's a wild shot.

There are various non-destructive techniques commonly known as glitching which are used to bypass simple data protection mechanisms, when the interface to read the sensitive data exists, but is locked by a "protection" bit. Needless to say, HSMs which simply don't have the interface to access sensitive data are immune to such methods by design.

Dmitry Grigoryev
0

To give a more high-level answer, HSMs seem to work by just combining as many layers of physical security as possible. Nothing is impossible to retrieve; it's just way too difficult and expensive to do most of the time.

If you have sensors that account for pretty much every thinkable physical attack and almost instantly wipe all sensitive data when triggered, you have a pretty secure system.