The reported cost related to cybercrime is estimated to be 6 trillion dollars by 20211. And that is just cybersecurity. As more devices are deployed, whether they are connected or not, they are under threat from many types of attacks, be it software, physical, or communication attacks.
For this reason, Arm is committed to providing a trusted, simplified route to security across the entire spectrum of IoT devices. As a result of this commitment, Arm has taken the Cortex-M33 and the Cortex-M35P soft processors through a thorough evaluation process. On top of reviewing the development process, the security features (implemented at an RTL level) were evaluated as well:
Both processors and their security features have been certified to EAL6+ for the Common Criteria ISO 15408 standard.
This certification is unique in the world of security assurance and is a significant milestone for Arm and the entire industry. As the attack surface grows with the ever-growing functionality of devices and as the attackers’ sophistication keeps increasing, it is more important than ever to apply unbiased, third-party evaluation (in the form of a certification process) to the very foundation of the device – to the soft processor IP level. The certification of the Arm IPs was performed on Verilog Hardware Description Language, and it provides security assurance and value to many application domains, where SoC and device makers seek to certify a complete product (across the whole spectrum of devices, from those aiming at entry-level security and assurance to those targeting the highest levels of security).
Let’s dive into the details to better understand what the certification is and what this means for the industry.
The Common Criteria for Information Technology Security Evaluation (abbreviated as “Common Criteria”, or “CC”) is an international standard defining a methodology for evaluation of computer systems security. Simply put, this framework defines a standard way for implementations of computer systems to be evaluated against the relevant security requirements. It’s all about assurance – giving everyone a tool to assess and compare the security level of a product in the semiconductor space.
The CC framework defines many aspects for review, including:
The outcome of the CC evaluation is a certificate issued by a government agency that validates the compliance of a product to the claims made by the implementor and attests to a specific Evaluation Assurance Level (EAL), indicating the thoroughness of the evaluation process. There are seven evaluation assurance levels in total, from EAL1 to EAL7, EAL7 being the highest level (with only one such EAL7 certificate published under the “ICs, Smart Cards and Smart Card-Related Devices and Systems” category). For security, the chain is as strong as the weakest link. The Cortex-M33 and Cortex-M35P processors and their features provide well-designed, secure products certified to the level of EAL6+.
Thanks to its comprehensive nature, the Common Criteria evaluation is prevalent in high-security, high-assurance certifications such as identity cards, banking, and SIM cards. There are additional evaluation methodologies, such as PSA Certified, which is a framework gaining significant momentum for broader security certification in non-regulated markets, that is also mapped to key government guidance and legislation.
Nowadays, we see a significant rise in the security level needed across multiple applications and use cases, such as mobile user privacy, wired and wireless communication protocols (and more). This leads to the need for thorough, unbiased security evaluation to be applied on a variety of products, on top of the traditional ones like banking and SIM cards.
Today, these security evaluations are done on complete products (such as SoCs), which are typically composed of different IP blocks. Identical copies of these IP blocks are used in different SoCs and across different SoC designs.
For that reason, Arm has taken the Cortex-M33 and Cortex-M35P processors and their security features through a rigorous CC evaluation.
Both products were certified as a soft macro, that is, the certification was performed on High-level Description Language (HDL). For Arm to achieve this milestone, the design and implementation of the features of these processors had to be thorough and extremely comprehensive. TrustZone and the MPU on both Cortex-M33 and Cortex-M35P were proven using a formal methodology at the architecture level. The evaluation also verified the total adherence of the RTL implementation to the architecture definition. The evaluated physical security features on Cortex-M35P were proven using FPGA testing. This approach allows an Arm partner wanting to use these Arm processors in a certification of their own product to reuse the evaluation results of the Arm certification (for example around design, integration, and vulnerability assessment).
A key result of the Arm evaluation is the ability to deliver the right guidance for integration of the IP and to describe the limits of the reuse. The Arm documentation must be strictly followed, in close cooperation and communication with the evaluation laboratory and certification bodies in charge of the final SoC certification.
The evaluation of these Arm processor implementations was carried out by Brightsight, an independent lab accredited to perform CC evaluations of SoCs, as required by the CC framework. Then, we completed the full certification by having the evaluation certified by the Dutch CC certification scheme NSCIB, an approved certifier, and received the formal confirmation of the achieved security level in the form of a Common Criteria Certificate – see the Cortex-M33 certificate here and the Cortex-M35P certificate here.
This certification further validates Arm’s security efforts and provides a reputable validation of the quality of the security features of the Cortex-M33 and Cortex-M35P processors, including the TrustZone security extension and MPU, implemented in both products, and the physical security features implemented in Cortex-M35P. More importantly, this achievement has tangible benefits for Arm partners who are using these processors and looking to certify their silicon products.
Arm partners can reuse the results of these soft processor IP evaluations and achieve meaningful savings in time and cost for the SoC level certification thanks to the “composite model” used for security evaluation. This allows an evaluation process to leverage the evaluation results of building blocks used for the creation of the broader evaluation target. This approach is already used extensively at application level certification, where the overall product evaluation is leveraging the existing certification of the underlying hardware, allowing that evaluation to be done in “composition” with the hardware, focusing on the software that was added later on by the developers of the final product. So, while an Arm partner will need to add security functionality at the SoC level and full penetration testing on the final product (SoC) will still be needed, the soft IP evaluation will allow the SoC evaluation to stay focused on the physical behavior of the evaluated hardware.
Additional advantages exist when the soft IP is certified with regards to the development process evaluation of the Arm partner’s product. The Arm certification of the soft IP lifecycle and delivery processes provides assurance on the integrity of that IP, again leading to time saving during the full product (SoC) certification (thanks to results reuse). The Arm certification merits do not end there, as the processor soft IP evaluation verifies the coverage of the guidance documentation Arm provides. Having complete guidance helps the SoC developer (the Arm partner) to integrate the IP in a secure and correct manner and the SoC evaluator to quickly verify the correct implementation of the processor.
"This certification of Arm Cortex-M soft processor IP is a step towards enabling the industry to develop cost-effective security solutions that can be trusted. Semiconductor companies have now a clear path towards achieving high-assurance certification of their SoC design. Prove & Run will bring another building block of the complete solution, leveraging on ProvenCore, its secure operating system that has already received a Common Criteria EAL7 certification for Arm Cortex-A based devices and that is also available for Cortex-M processors. We are very excited with those new developments in the Arm ecosystem." Says Dominique Bolignano, President and Founder of Prove & Run, an organization that provides off-the-shelf software solutions for Cortex-M based devices.
These benefits are also available to partners seeking evaluations different than Common Criteria. For example, it will accelerate the path to achieving the future levels of assurance outlined in the PSA Certified scheme, which is rapidly being adopted by silicon partners building TrustZone enabled microcontrollers in the broader IoT space.
In parallel, Brightsight formally audited our relevant development site and NSCIB confirmed its compliance with the Minimum Site Security Requirements (MSSR). Partners who seek certification of products using our processors can leverage the achieved Arm MSSR site certification as it removes the need for them to arrange an audit of the Arm development site and can lead to cost and time saving.
Arm provides security packages that are separately licensable deliverables for these processors to our partners. These packages include:
We are delighted to be the first and only company to successfully certify soft processor IP for SoCs, helping our partners achieve high-assurance certification of their complete design. Opening new doors is always a challenge, but also a great opportunity. Today’s security challenges and the speed at which innovative, yet secure, products are introduced to the market, require this kind of approach where trust is built from the ground up, starting at the IP level. For more information about the processors and to get in touch with our team, visit the product pages below.
Arm Cortex-M33 processor Arm Cortex-M35P processor
1 - Annual Cyber Crime Report, Cyber Security Ventures 2019.
Hi bmussard, unfortunately the system is not allowing me to direct message you. Are you able to share your email address and I can share details on email?
Thanks,
Rachel
Hi bmussard, Thank you for reading this blog and for raising the incorrect use of the VHDL acronym. We have now fixed this.
I will direct message you about the evaluation methodology.
Beware of the use of the VHDL acronym as it stands for VHSIC Hardware Description Language and is much different from the Verilog language (that is certainly the original language used for the Cortex-M implementation).
Then, EAL6+ means semi-formally verified design and it would be nice to know more about the evaluation methodology.
Regards