Arm’s Platform Security Architecture (PSA) remains a work in progress. PSA started with goals and scenarios, but it now has concrete specifications and even a certification process. At this point, a three-level certification process can be applied to microcontroller hardware and software. It obviously targets Arm’s Cortex-M platform, but it’s applicable to almost any platform. The new standards are designed to provide a consistent level of security for the Internet of things (IoT) on both the industrial and consumer fronts.
Level 1 certification is based on the 10 security goals found in the PSA architecture. These are designed to catch common security issues through the assessment of security functions. This level of certification targets chipmakers, operating-system providers, and device makers. Certification actually starts with a questionnaire that’s followed by an interview with a test lab. A number of solution partners and software vendors announced Level 1 certification at Embedded World, including Cypress, Express Logic, Microchip, Nordic Semiconductor, Nuvoton, NXP, STMicroelectronics, and Silicon Labs.
Level 2 certification is where everyone wants to reside because it includes a 25-day lab-based evaluation. This is done against a PSA-root of trust (PSA-RoT) and targets chips that embed security features such as secure boot and secure key storage. The time-limited evaluation is designed to keep costs affordable while making it efficient to test software and lightweight hardware attacks. It doesn’t attempt to test more aggressive attacks such as physical tampering or side-channel attacks. Those are addressed in Level 3 certification that’s still under development.
ARM’s Platform Security Architecture now has an API designed to expose the security elements of a microcontroller in a standard fashion.
Complementary to the certifications is the PSA Functional API certification, which is currently a separate certification. This is a more important certification because it requires the implementation and support of a consistent security API (see figure). It allows any RTOS or bare-bones application to take advantage of the PSA-RoT hardware and firmware. This includes crypto acceleration, attestation, trusted boot, and secure storage. Nuvoton and operating-system provider ZAYA had achieved both PSA certified Level 1 and PSA Functional API certification.
Much of the new microcontroller hardware at Embedded World is designed to meet levels of certification including the Functional API support. In fact, many existing microcontrollers with security hardware can meet these goals as well. The challenge in the past was that accessing these features is different for each vendors platform. The PSA Functional API will provide a more consistent software interface, simplifying the job for both vendors and programmers.
It will be interesting to see if the API is something can be adopted across hardware platforms other than those from Arm.
