
  • How to Implement a Secure IoT system on ARMv8-M

    This weekend my old garage door opener started to fail, so it was time to shop for a new one at The Home Depot, and much to my surprise I found that Chamberlain offered a Smartphone-controlled WiFi system. Just think of that, controlling my garage door with a Smartphone, but then again the question arose, "What happens when a hacker tries to break into my home via the connected garage door opener?" I opted for a Genie system without the WiFi connection, just to feel a bit safer. Connected devices are only growing more prominent in our daily life, so I wanted to hear more about this topic from ARM and attended their recent webinar, "How to Implement a Secure IoT system on ARMv8-M."

    ARM has been designing processors for decades now, and has come to realize that security is best approached from a systems perspective, involving both the SoC hardware and software together. The result goes by the moniker ARM TrustZone: hardware-based security designed into their SoCs that provides secure end points and a device root of trust. This webinar focused on the Cortex-M33 and Cortex-M23 embedded cores, shown below in purple:

    ARM TrustZone

    Most IoT systems could use a single M33 core, although you can easily use two of these cores for greater flexibility and even power savings. Cores and peripheral IP communicate using the AHB5 interconnect. Security is controlled by mapping addresses with something called the Implementation Defined Attribution Unit (IDAU). The system also filters incoming memory accesses at the slave level, as shown in the system diagram:

    ARMv8-M system



    That diagram may look a bit complex; however, ARM has bundled most of this IP together, along with the mbed OS with pre-built libraries, and called it the CoreLink SSE-200 subsystem. It is pre-verified, saving you loads of engineering development time.

    CoreLink SSE-200 subsystem

    With TrustZone you have a system that contains both trusted and untrusted domains, and each memory address is checked to determine whether it falls in a trusted range or not.

    TrustZone security

    Let's say that you like the security approach from ARM and want to get started on your next IoT project. What options are available? ARM has built a prototyping system using FPGA technology called the MPS2+, along with IoT kits that include the Cortex-M33 and Cortex-M23, plus there's a debugger called Keil. You can also use a Fixed Virtual Platform (FVP), which uses software models for simulation.

    MPS2+ Cortex-M prototyping system
    One decision that you make for your IoT device is the memory map, splitting it into secure and non-secure addresses using a Secure Attribution Unit (SAU) together with the IDAU. There are even configuration wizards available to let you quickly define the start and end address regions.
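How the SAU and IDAU answers combine into one attribute per address can be modeled on a host machine before any firmware is written. The following C model is an added example, not code from the webinar or from ARM; the region addresses and the bit-28 IDAU rule are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Ordered so that a larger value means "more secure". */
typedef enum { ATTR_NS = 0, ATTR_NSC = 1, ATTR_S = 2 } attr_t;
/* One SAU region: RBAR = base, RLAR = limit | NSC (bit 1) | ENABLE (bit 0). */
typedef struct { uint32_t rbar, rlar; } sau_region_t;

/* Constructed memory map for illustration (assumption, not from the page). */
static const sau_region_t sau_map[] = {
    { 0x00000000u, 0x001FEFE0u | 1u },  /* Non-secure flash              */
    { 0x001FF000u, 0x001FFFE0u | 3u },  /* Non-secure callable veneers   */
    { 0x20000000u, 0x2003FFE0u | 1u },  /* Non-secure SRAM               */
    { 0x2003F000u, 0x2004FFE0u | 1u },  /* overlaps the SRAM region      */
    { 0x30000000u, 0x3000FFE0u | 1u },  /* NS request in IDAU-Secure RAM */
    { 0x40000000u, 0x4FFFFFE0u | 0u },  /* ENABLE clear: region ignored  */
};
#define SAU_COUNT (sizeof sau_map / sizeof sau_map[0])

/* Hypothetical IDAU: address bit 28 set means Secure (assumption). */
static attr_t idau_lookup(uint32_t addr) {
    return (addr & 0x10000000u) ? ATTR_S : ATTR_NS;
}

/* SAU answer with the SAU enabled: no match or several matches -> Secure. */
static attr_t sau_lookup(const sau_region_t *r, size_t n, uint32_t addr) {
    attr_t hit = ATTR_S;
    unsigned matches = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t base = r[i].rbar & ~0x1Fu, limit = r[i].rlar | 0x1Fu;
        if (!(r[i].rlar & 1u) || addr < base || addr > limit) continue;
        hit = (r[i].rlar & 2u) ? ATTR_NSC : ATTR_NS;
        matches++;
    }
    return matches == 1 ? hit : ATTR_S;
}

/* Final attribute: the more secure of the IDAU and SAU answers. */
static attr_t attribution(uint32_t addr) {
    attr_t i = idau_lookup(addr), s = sau_lookup(sau_map, SAU_COUNT, addr);
    return i > s ? i : s;
}

int main(void) {
    static const uint32_t probe[] = { 0x00001000u, 0x001FF010u, 0x2003F800u, 0x30000000u };
    static const char *name[] = { "Non-secure", "Non-secure callable", "Secure" };
    for (size_t i = 0; i < 4; i++)
        printf("0x%08lX -> %s\n", (unsigned long)probe[i], name[attribution(probe[i])]);
    return 0;
}
```

The overlapping and disabled regions resolve to Secure, and the SAU region placed inside IDAU-Secure memory stays Secure, so a mistake in the map fails closed rather than exposing memory to the non-secure side.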

    Runtime security map

    ARM has even created an open-source platform OS called mbed OS, just for the IoT market, which already has some 200,000 developers. With the addition of this OS we now have three levels of security:

    • Lifecycle security
    • Communication security
    • Device security


    Related blog - IoT devices Designers Get Help from ARMv8-M Cores

    Summary
    It's pretty evident that ARM has put a lot of effort into creating a family of processors, and when it comes to security they have assembled an impressive collection of cores, semiconductor IP, SDK, compiler, platform and debugger. What this means is that now I can more quickly create my secure IoT system with ARM technology, using fewer engineers, all at an affordable price.

    There are even detailed virtual training courses coming up in April and May for just $99 each, providing more depth than the webinar alone provides.

    Watch the archived webinar online here.