A lot can be learned from studying the evolution of mobile security and considering which aspects can be applied to lower cost IoT platforms. Now that ARM TrustZone for v8-M is becoming available on microcontrollers and the trend to build in security subsystems gathers pace, it is possible to consider an IoT security architecture that has a lot of similarities to modern smartphones.
Keeping mobile devices updated and agile against evolving threats is a given today. For a large part of the IoT market, secure firmware updates pushed over the air (OTA) will be part of the security requirements. This in turn requires a range of secure services, including identity, authentication, attestation, cryptography and secure communications. Security subsystems such as CryptoCell can help by providing Root of Trust management, crypto acceleration and a 'toolbox' of dependable security functions. Above these lower-level security layers, a trust architecture will need to be established for the distribution of keys and certificates.
Transport Layer Security (TLS, the successor to SSL) is the de facto standard for communication security between devices, browsers and remote servers. The protocol protects traffic from eavesdropping and tampering using symmetric crypto, with the keys established during the TLS handshake. The availability of high-quality open source and commercial TLS libraries has driven its adoption in embedded products. If a security subsystem that accelerates crypto operations is added to a microcontroller, TLS becomes a practical proposition at very low cost points.
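The settings that decide whether a TLS connection actually delivers the protection described above are the same on a microcontroller as on a server: require TLS 1.2 or later, verify the server certificate against a trusted CA, and check the hostname. The following is an added example, not code from the page or from any ARM project; it uses Python's standard `ssl` module to put a hardened client configuration next to a weak one and to audit either. An embedded product would express the same settings in its own TLS library's configuration, but the properties checked are the same.

```python
"""Hardened TLS client configuration next to a weak one, with an audit check.

Added example using only the Python standard library. The property names
(verify_mode, check_hostname, minimum_version, OP_NO_COMPRESSION) are the
real `ssl` module attributes; the finding strings are this example's own.
"""
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """The settings a device should use when talking to its backend."""
    ctx = ssl.create_default_context()           # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0 / 1.1
    ctx.options |= ssl.OP_NO_COMPRESSION          # compression leaks plaintext length
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The configuration that appears when 'it just needs to connect':
    the server is never authenticated, so anyone on the path can be the server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Returns the list of findings; an empty list means the context passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 allowed")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression not disabled")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()))
    print("weak:", audit_context(weak_client_context()))
```

The audit function is the part worth keeping around: run it against every context a code base constructs, because a single `CERT_NONE` left over from development removes the authentication the handshake is supposed to provide, and the symmetric encryption that follows then protects the session only against a passive observer.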
Most mobile devices and application processors incorporate a TrustZone-based Trusted Execution Environment, whose APIs, services and certification are standardized by GlobalPlatform. The TEE enables Trusted Apps to be downloaded and run in isolation from the Rich OS, benefiting from its security properties of integrity and isolation. A full TEE and management framework is probably too highly featured for an IoT product, particularly one that does not need to run downloaded Trusted Apps. However, there is still a need for protected regions holding assets that can be kept confidential from the rest of the code and whose integrity is rooted in hardware. For this purpose ARM is creating ARM mbed uVisor for TrustZone-enabled ARMv8-M platforms. The purpose of mbed uVisor is to create isolated security domains. This addresses the flat address space and lack of privilege separation that have previously made security on microcontrollers challenging to implement. You don't have to wait for the v8-M based mbed uVisor: it has also been written to work on microcontrollers without TrustZone, so it can be adopted immediately across existing as well as next-generation product lines. You can get started with mbed OS and uVisor here.
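The secure OTA update service described earlier and the isolated security domains described here fit together: the device root key lives in the protected domain, and the rest of the firmware can only ask that domain to verify an update, never read the key. The following added example (not code from the page, ARM, mbed or uVisor) models that arrangement in plain Python: a `SecureBox` owning the root key exposes one gateway call, `verify_update`, which authenticates the manifest, checks the image hash, and enforces anti-rollback on a monotonic version counter. HMAC-SHA256 stands in for the signature check because the standard library has no asymmetric signature primitive; a real design signs with a vendor private key and the device holds only the public key in its Root of Trust. The manifest layout, the key and the images are all constructed for the example.

```python
"""Model of a hardware-rooted secure update check behind an isolation boundary.

Added example. The isolation is modelled, not enforced: on real hardware the
root key and the counter would sit in memory only the secure domain (uVisor
box / TrustZone secure world / CryptoCell) can reach, and `verify_update`
would be the secure gateway into that domain.
"""
import hashlib
import hmac
import struct

MANIFEST_LEN = 4 + 32 + 32   # version (big-endian u32) || sha256(image) || tag


class SecureBox:
    """Owns the root key and the rollback counter; only gateway methods are public."""

    def __init__(self, root_key: bytes, installed_version: int = 0) -> None:
        self._root_key = root_key                   # never returned by any method
        self._version_counter = installed_version   # monotonic, persisted in the RoT

    def _tag(self, version: int, image_hash: bytes) -> bytes:
        # HMAC stands in for a signature verification (see lead-in).
        return hmac.new(self._root_key, struct.pack(">I", version) + image_hash,
                        hashlib.sha256).digest()

    def verify_update(self, manifest: bytes, image: bytes) -> str:
        """Gateway call: returns 'ok' or the reason the update was rejected.

        Order matters: authenticate the manifest before trusting anything in it,
        check rollback before spending time hashing the image, and advance the
        counter only after every check has passed.
        """
        if len(manifest) != MANIFEST_LEN:
            return "bad-manifest-length"
        version = struct.unpack(">I", manifest[:4])[0]
        image_hash = manifest[4:36]
        tag = manifest[36:68]
        if not hmac.compare_digest(tag, self._tag(version, image_hash)):
            return "bad-signature"
        if version <= self._version_counter:
            return "rollback"
        if not hmac.compare_digest(hashlib.sha256(image).digest(), image_hash):
            return "image-hash-mismatch"
        self._version_counter = version   # commit only after all checks pass
        return "ok"

    @property
    def installed_version(self) -> int:
        return self._version_counter


def make_manifest(root_key: bytes, version: int, image: bytes) -> bytes:
    """Vendor side: builds a manifest for an image (constructed test data)."""
    image_hash = hashlib.sha256(image).digest()
    tag = hmac.new(root_key, struct.pack(">I", version) + image_hash,
                   hashlib.sha256).digest()
    return struct.pack(">I", version) + image_hash + tag


def demo() -> dict:
    """Runs the cases a tester would want: good, tampered image, rollback, forged."""
    key = b"constructed-device-root-key"          # constructed; provisioned into the RoT
    box = SecureBox(key, installed_version=3)
    image_v4 = b"firmware image v4 (constructed)"
    image_v2 = b"firmware image v2 (constructed)"
    results = {}
    results["good"] = box.verify_update(make_manifest(key, 4, image_v4), image_v4)
    results["tampered"] = box.verify_update(make_manifest(key, 5, image_v4),
                                            image_v4 + b"!")
    results["rollback"] = box.verify_update(make_manifest(key, 2, image_v2), image_v2)
    results["forged"] = box.verify_update(make_manifest(b"wrong key", 6, image_v4),
                                          image_v4)
    results["version"] = box.installed_version   # only the good update advanced it
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is the narrowness of the gateway: the Rich-OS side passes in bytes and gets back a verdict, so a compromise of the update client or the network stack can feed the box bad manifests but cannot extract the key or move the counter backwards.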
ARM aims to provide its partners with the security hardware and low-level software building blocks necessary to implement a system-wide security solution. The availability of security subsystems such as ARM TrustZone CryptoCell, TrustZone-based uVisor and TLS on next-generation microcontrollers will enable an architecture familiar to mobile chip designers, but right-sized to these lower cost and performance points.