As the number of connected IoT devices continues to grow, so too does the need to process the volumes of data that they generate in a way that is secure, scalable and cost-effective. We can realise a significant efficiency benefit by processing data locally at the edge, allowing us to gain insights from the data without transmitting all of it to the cloud. This pressure is driving more and more compute workloads away from the cloud and bringing them to the edge.
The successful execution of rich workloads at the edge requires two things. Firstly, we must be able to deploy them fluently at scale, which means using tools and techniques that are cloud native, treating the edge as an elastic computing resource. Secondly, we must be able to deploy them securely, with robust protection against the additional threats that challenge the edge computing environment.
A secure, cloud-native experience for the deployment of workloads at the edge is the goal of Project Cassini, which brings together a variety of open, collaborative and standards-based initiatives to deliver a cohesive development experience at the edge, allowing customers to deploy their edge workloads securely and at scale.
In this blog, we will focus on two components of the Cassini story: PSA Certified (previously known as the Platform Security Architecture/PSA) and Parsec. We will see how these two initiatives are now combining to provide a truly cloud-native developer experience with hardware-backed security.
Security begins with a Hardware Root of Trust (HRoT), which not only provides secure boot and secure firmware update for the device, but it also provides a hardware isolation boundary for the management of secrets such as signing or encryption keys, ensuring that these cannot be exfiltrated, even on a compromised device. There are different ways to achieve an HRoT. One option is to use a discrete hardware secure element, such as a Trusted Platform Module (TPM), but this can add complexity and cost into the overall design of a device.
When we are building PSA Certified platforms based on Arm Cortex-A processors, then there is an alternative option: the PSA Root of Trust (PSA-RoT). PSA-RoT makes use of TrustZone, the hardware-enforced isolation boundary that is already built into the CPU, meaning that there may not be a need for additional hardware components beyond the processor itself. In cases where an additional secure element is warranted, it can be accessed from within the isolated secure world that TrustZone provides, allowing for a flexible and layered approach to the design of the PSA-RoT.
TrustZone means that we can implement the RoT as a set of services running within the secure world of the processor, also known as a Trusted Execution Environment (TEE), supported by a secure-world operating system such as OP-TEE. The Trusted Services project (part of Trusted Firmware) provides a set of reference designs for secure storage, cryptography and attestation, which meet the PSA Certified requirements. Each of these services runs within a secure partition inside the TEE and exposes standard PSA Functional APIs that can be accessed from the normal world using a set of interfaces that are collectively known as the Firmware Framework-A (FF-A).
The architecture of Trusted Services is summarized in the figure below.
Regardless of how the RoT has been implemented, we need a way to make its facilities available to the rest of system, including applications that are running in the normal world, supported by a rich operating system such as Linux.
For a cloud-native developer experience, we want our access to these facilities to be decoupled from the low-level platform hardware details. We want our code to be portable across the variety of platforms that we find at the edge. We also want to be able to develop in high-level programming languages.
Project Cassini’s answer to this is to use Parsec.
Parsec is a public open-source project that is part of the Cloud-Native Compute Foundation (CNCF). Its aim is to provide simple and portable software interfaces for hardware security features, on any platform and in any programming language.
Integrating hardware security features into software has historically been a difficult and highly specialized activity. This would traditionally have been the province of privileged system-level components, normally coded in C, and consuming low-level cryptography management APIs such as PKCS#11 or TPM 2.0, which are notoriously hard to use.
Parsec evolves this story for the cloud-native edge by making hardware security facilities accessible to any client workload that needs them, using APIs that are easy to understand and hard to get wrong. What’s more, these APIs can be made available not just in C, but in any of the higher-level programming languages that we tend to find in popular use for cloud-native workloads, including Go, Java and Rust.
So, Trusted Services provide hardware-backed security facilities from right within the CPU, and Parsec provides a convenient and portable way to consume them into high-level applications. While both components are useful on their own, the real Cassini vision is best realized by combining them together!
Now the good news is that Parsec has already been integrated with Trusted Services via one of its pluggable back-end provider modules. This does the heavy lifting of calling the PSA Functional APIs through the FF-A layers for you, leaving you with a simplified and portable API that you can consume in any of Parsec’s supported programming languages.
And, because it’s Parsec, any client code making use of these services would also work equally well on platforms where the RoT is based on another technology such as a discrete TPM or secure element. Parsec truly decouples the workload from the platform, which is one of the reasons why Project Cassini adopts Parsec as part of the cloud-native developer experience at the edge.
The even better news is that this whole solution is being made available in Yocto recipe layers, making it straightforward to assemble custom embedded Linux distributions that bring Parsec together with the Trusted Services on PSA Certified platforms. Look out for the forthcoming solution brief where we will be providing more details about this.
[CTAToken URL = "https://www.parsec.community/" target="_blank" text="Learn more about Parsec" class ="green"]