Security is a moving target for hyper-connected IoT devices; therefore, to provide end-to-end security solutions from the edge to the cloud, chipmakers are joining hands with cloud service providers to facilitate managed security services.
Take the case of NXP Semiconductors, which has unveiled a two-pronged approach to securing IoT devices. First, it has created a security subsystem for its iMX 8ULP, iMX 8ULP-CS, and iMX 9 application processors. This secure enclave, called EdgeLock, has its own security core, internal ROM, and secure RAM, and it acts as a security headquarters within an SoC design.
Second, NXP has partnered with Microsoft to offer the Azure Sphere chip-to-cloud security service on its iMX 8ULP-CS application processors. Azure Sphere anchors on the hardware root of trust built into the silicon; from that anchor upward, the path from edge to cloud is protected by the Azure Sphere managed security service.
Let’s first take a closer look at NXP’s secure enclave, a preconfigured security subsystem that acts as a fortress within an SoC device.
Fortress in a chip
NXP’s EdgeLock subsystem represents the hardware side of this end-to-end security solution. The self-managed and autonomous on-die security subsystem features symmetric and asymmetric crypto accelerators and hashing functions.
Figure 1 The EdgeLock turnkey security capability resides on the top left corner of the iMX 8ULP processor. Source: NXP Semiconductors
Mohit Arora, senior architect for Edge Processing Product Innovation at NXP, said that the security subsystem goes far beyond basic cryptography. "EdgeLock allows a unified root-of-trust implemented across the SoC to cover multiple domains and multiple operating systems."
The security features that EdgeLock provides include a silicon root of trust, run-time attestation, trust provisioning, and secure boot. Moreover, the secure enclave stores confidential assets such as crypto keys and protects them against physical and network attacks.
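To make the dependency between these features concrete, here is a small Python model of how a silicon root of trust anchors secure boot and run-time attestation. This is an added illustration, not NXP EdgeLock or Azure Sphere code, and it simplifies deliberately: the enclave's asymmetric signature check is stood in for by an HMAC under a provisioned signing key (an assumption, so the script runs with the standard library only), the accumulated boot state is folded PCR-extend style, and the firmware images, keys, and nonces are constructed sample data.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Stage:
    """One boot stage: its image and the tag the provisioner attached to it."""
    name: str
    image: bytes
    tag: bytes


def accumulate(digests: List[bytes]) -> bytes:
    """Fold stage digests into one register, PCR-extend style: each new
    measurement is chained onto everything measured before it."""
    register = bytes(32)
    for digest in digests:
        register = hashlib.sha256(register + digest).digest()
    return register


class Enclave:
    """Stand-in for the on-die security subsystem. Keys never leave it; the
    rest of the SoC only sees verify/extend/quote results."""

    def __init__(self, signing_key: bytes, attestation_key: bytes):
        self._signing_key = signing_key          # trust anchor for secure boot
        self._attestation_key = attestation_key  # device-unique attestation key
        self.measurements: List[bytes] = []

    def verify(self, image: bytes, tag: bytes) -> bool:
        # HMAC stands in for a signature check against the fused public key.
        expected = hmac.new(self._signing_key, image, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)

    def extend(self, image: bytes) -> None:
        """Record a measurement of a stage before control passes to it."""
        self.measurements.append(hashlib.sha256(image).digest())

    def quote(self, nonce: bytes) -> bytes:
        """Run-time attestation: MAC over a verifier-chosen nonce and the
        accumulated boot state, so the result is fresh and device-bound."""
        state = accumulate(self.measurements)
        return hmac.new(self._attestation_key, nonce + state, hashlib.sha256).digest()


def provision(signing_key: bytes, name: str, image: bytes) -> Stage:
    """Trust provisioning: the firmware owner tags each image with the key
    the enclave was provisioned to trust (HMAC stands in for a signature)."""
    return Stage(name, image, hmac.new(signing_key, image, hashlib.sha256).digest())


def secure_boot(enclave: Enclave, chain: List[Stage]) -> Tuple[List[str], str]:
    """Verify every stage before it runs; the first failure halts the boot."""
    booted: List[str] = []
    for stage in chain:
        if not enclave.verify(stage.image, stage.tag):
            return booted, f"halted: {stage.name} failed verification"
        enclave.extend(stage.image)
        booted.append(stage.name)
    return booted, "ok"


def verify_quote(attestation_key: bytes, nonce: bytes,
                 golden: List[bytes], quote: bytes) -> bool:
    """Cloud-side check: recompute the register from known-good digests and
    compare it against what the device reported for this nonce."""
    expected = hmac.new(attestation_key, nonce + accumulate(golden),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, quote)


# Constructed sample data; a real device would hold keys in fuses or secure RAM.
SIGNING_KEY = b"constructed-firmware-signing-key"
ATTEST_KEY = b"constructed-device-attestation-key"
IMAGES = {"bootloader": b"BL 1.0", "kernel": b"KERNEL 5.15", "app": b"APP 2.3"}
GOLDEN = [hashlib.sha256(img).digest() for img in IMAGES.values()]


def run_demo() -> dict:
    chain = [provision(SIGNING_KEY, n, img) for n, img in IMAGES.items()]

    # 1. Untouched chain boots fully; its quote matches the golden state for a
    #    fresh nonce, and the same quote is rejected under a different nonce.
    dev = Enclave(SIGNING_KEY, ATTEST_KEY)
    booted, status = secure_boot(dev, chain)
    nonce = b"\x11" * 16                       # chosen by the verifier per request
    fresh_ok = verify_quote(ATTEST_KEY, nonce, GOLDEN, dev.quote(nonce))
    replay_ok = verify_quote(ATTEST_KEY, b"\x22" * 16, GOLDEN, dev.quote(nonce))

    # 2. Kernel modified in flash but still carrying the old tag: boot halts
    #    before the kernel runs, so the app never starts either.
    bad = [chain[0], Stage("kernel", chain[1].image + b"+implant", chain[1].tag), chain[2]]
    dev2 = Enclave(SIGNING_KEY, ATTEST_KEY)
    booted2, status2 = secure_boot(dev2, bad)

    return {"booted": booted, "status": status, "fresh_ok": fresh_ok,
            "replay_ok": replay_ok, "booted_tampered": booted2, "status_tampered": status2}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point the model makes is that the three features are not independent: the signing key the enclave is provisioned with decides what may run, the measurements taken during secure boot are the only thing a later quote can vouch for, and the verifier-supplied nonce is what stops a captured quote from being replayed after the device has been tampered with.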
While other chipmakers have released silicon solutions for hardware-based security, what's unique about this security framework is the accompanying software-based security component. For its iMX 8ULP-CS processors, NXP has tied the EdgeLock secure enclave to Microsoft's cloud-based security service, Azure Sphere.
EdgeLock plus Azure Sphere
Azure Sphere is a security service licensed with the chip as a one-time cost; it provides 10 years of managed service protecting the device from edge to cloud. NXP has implemented the Azure Sphere capability in its iMX 8ULP-CS processors; once the device design is complete and the initial handshake is done, NXP securely transfers the device information to Microsoft.
At this point, Microsoft takes over and manages the device in the field for a period of 10 years. It's worth noting that adopting the service doesn't require users to subscribe to Microsoft's Azure cloud; a device can use any cloud service while its security is managed through the Azure Sphere service.
Figure 2 Design engineers can buy Azure Sphere-enabled chips and build application code on top of the Sphere OS using application examples provided by NXP. Source: Microsoft
Gowri Chindalore, head of strategy for edge processing at NXP, explained how this arrangement works. There are three pieces in this edge-to-cloud security framework: Azure Sphere-enabled chips like the iMX 8ULP-CS, the Linux kernel-based Sphere OS, and application code built on top of Sphere OS. "Since Sphere OS is built on Linux kernel, some work is required to port the application, so Microsoft and NXP are working together to simplify that task," Chindalore said.
He added that NXP tests the final product and ensures that it’s locked in for Azure Sphere services. “The combination of EdgeLock secure enclave and Azure Sphere service solves end-to-end security problems while facilitating multiple safety and security options,” Chindalore concluded.
Majeed Ahmad, Editor-in-Chief of EDN, has covered the electronics design industry for more than two decades.