The EmSPARK™ Security Suite is a software solution that makes it easy for IoT device OEMs to develop secure and trustworthy products.


Secure IoT - By Design

IoT Failure Points Graphic

Securing IoT products starts with recognizing that security failures occur at multiple points directly affecting a company’s brand image or worse—loss of revenue and value. Typically, security lapses are noticed when devices are deployed and operational. However, problems such as IP theft and device cloning occur at the time of manufacturing. Further, devices are also at risk of compromise when undergoing firmware updates or connecting to IoT cloud infrastructure. Therefore, ensuring security requires considering the entire device lifecycle. The IoT Security Suite implements measures to ensure device integrity from design to decommissioning.

Secure IoT - By Design

The SAMA5D2 series is a high-performance, ultra-low-power Arm Cortex-A5 processor-based MPU. It includes several advanced security features including tamper detection, secure fuses, secure RAM and Arm® TrustZone® based hardware isolation (secure enclave). The SAMA5D2 powers a number of products where power consumption and security are paramount including payment terminals, biometric readers, industrial gateways and building control systems.

Trusted ID:

EmSPARK™ Security Suite gives your device a unique ID tied to the hardware root of trust. This ID cannot be spoofed and therefore facilitates a number of secure processes such as authentication.

Encrypted Boot Chain:

The encrypted boot chain extends the secure boot capabilities of the hardware platform. It secures the boot process from the initial ROM boot through to a trusted, authenticated Linux OS and your firmware, ensuring the fidelity of your firmware and preventing theft or compromise by malware.

Key and Certificate Management:

From mutual authentication to securely connecting to the IoT cloud, public-private key pairs offer a proven mechanism for executing a variety of functions securely. The Suite includes robust key and certificate management in a TrustZone-isolated keystore.

Firmware Authentication & Secure Firmware Update:

Complementing the trusted boot architecture, secure firmware update provides assurance across the device's lifecycle.

IoT Security Suite Secure Enclave Description Diagram


Hardened Security. Simplified.

The IoT Security Suite for the Microchip SAMA5D2 enables device OEMs to implement critical security aspects that are foundational to trustworthy IoT devices: hardware-based isolation, access to hardware cryptography, a hardware root of trust, and essential key and certificate management tools. It simplifies the task of implementing these capabilities because the suite:

  • Is pre-configured to support the available hardware security components and isolation
  • Provides simple APIs that reduce the learning curve for implementing security
  • Shields developers from the underlying complexity of hardware security through software abstraction
  • Enables faster time to market at a lower cost

IoT Security Suite Capabilities

Trusted Boot, Firmware Protection, Trusted Device ID, Secure Storage, Secure Communications, Secure Firmware Update

Suite Components

IoT Security Suite Components Graphic

The Suite includes a number of components that help streamline deployment and enable secure functions. Components include:

Sequitur’s Trusted Execution Environment (Secure OS), which is required to use ARM® TrustZone® and TrustZone-secured resources.


Hardware Crypto Engines

The TrustZone-integrated crypto engine and an OpenSSL plugin are accessible from Linux.


Easy to Use APIs

The APIs make security functions easy to implement and allow developers to focus on their application rather than on the intricacies of hardware or TrustZone security.


Packaging Tool

A step-by-step tool that simplifies firmware development and IP protection, abstracting the complexity of secure boot and TrustZone.


In-system Provisioning Procedure and Toolset

Includes anti-replay measures and IP protection.

How It Works


Initial Setup:

EmSPARK™ Security Suite makes it easy to implement a basic security framework on your target board. This could be an evaluation board such as the Microchip Xplained Rev C board or your production board. The process for both is largely the same with a few exceptions (see Device Provisioning below). It provides a systematic process for creating a firmware package that can be flashed to the board. The Packaging tool includes scripts and applets so all you have to do is run the script to:

  • Initiate the encrypted boot process
  • Establish the secure enclave and initialize CoreTEE (Trusted Execution Environment)
  • Decrypt and install an authenticated version of Linux

Application Development:

The Suite implements APIs for developers to access a variety of secure services. APIs are included for:

  • Certificate management
  • Secure storage
  • Secure firmware update
  • Secure payload verification

The APIs allow developers to focus on developing their application without having to learn the intricacies of hardware security.


Device Provisioning:

EmSPARK™ Security Suite enables secure manufacturing via a secure device provisioning process. The process prevents the unauthorized manufacturing of devices by contract manufacturers and thereby protects OEM revenues and intellectual property. Device provisioning refers to the initial injection of keys and certificates at the time of manufacture, which essentially asserts the manufacturer's claim over the device. The keys are a source of authentication for the device throughout its lifecycle, so it is important to understand how the Suite handles this process. Note that the Suite, as part of the Packaging tool, supplies the method to inject keys as part of building the firmware package. It supports in-system or high-volume production provisioning. The choice belongs to the OEM.

Getting Started With the Right Kit

Sequitur provides two types of software kits to help customers learn about and quickly implement EmSPARK™ Security Suite in their products.

Capabilities of the Microchip SAMA5D2 MPU

Hardware security features of the Microchip SAMA5D2 MPU not currently supported by the Suite can be implemented on a custom basis by Sequitur Professional Services.


  • HW acceleration for 3DES/AES
  • SW library for RSA and elliptic curve cryptography (ASCL)
  • High-quality true random number generator (TRNG)
  • Hashing up to SHA512
  • Protection against side-channel attacks

Physical Attack Protection

  • Battery backed-up secure area
  • Dynamic and static tamper pins
  • Voltage, frequency and temperature monitors
  • Die shield
  • JTAG monitoring
  • Secure packaging

Code Protection

  • TrustZone and MMU
  • On-the-fly DDR/QSPI encryption (AES-128)
  • Scrambling of internal and external memories
  • Integrity check monitor on internal and external memories with independent SHA256
  • Secure debug modes
  • Secure boot loader (public and private key)

Secure Key Storage

  • Battery backed-up secure SRAM with erasure upon security event
  • Battery backed-up secure register for master key
  • 544 fuses for customer usage
  • TrustZone protected storage


Download the FREE EmSPARK™ Security Suite Software Evaluation Kit to get started on implementing advanced security for your IoT device. Download the kit by registering.


Download a PDF of the EmSPARK™ Security Suite Brochure.


Visit the EmSPARK™ Security Suite Frequently Asked Questions.


Injecting Trust in IoT and Embedded Systems

CoreTEE allows device makers to create trustworthy devices by addressing key aspects of security such as:


Secure Boot Processes:

Critical boot processes can be secured and initiated from within CoreTEE to detect and prevent boot tampering.


Cryptography and Key Management:

CoreTEE supports SoC specific cryptographic technologies and provides robust key management processes for root key implantation and subsequent management.


Secure Peripherals:

A secure peripheral driver framework that includes drivers for display, I2C, PIO and PMC.


Trusted Firmware-based Applications:

These applications are encrypted, signed and delivered as part of the base firmware.


Trusted and Validated Rich OS-based Applications:

Encrypted and stored in the rich OS file system, these applications are validated and executed at runtime by CoreTEE. Applications can also be dynamically installed via secure Over-The-Air (OTA) processes.


Secure Displays and Trusted Input:

CoreTEE supports applications requiring a Trusted User Interface for secure input of information such as PIN capture.

All of the above capabilities are delivered in a standards compliant manner ensuring interoperability.


Supported Platforms

Microchip

  • A5D2 Series
  • A5D4 Series

NXP

  • QorIQ LayerScape: LS1043
  • i.MX6 and i.MX7


Pre-configured for Advanced Hardware Security from Microchip

The IoT Security Suite currently supports advanced hardware security components and capabilities available in the Microchip SAMA5D2 MPU. The Suite is pre-configured to support the following advanced hardware security capabilities of the SAMA5D2 MPU:

  • ARM® TrustZone®
  • Secure RAM
  • Fuses
  • Hardware crypto
  • TRNG

The SAMA5D2 series is a high-performance, ultra-low-power ARM Cortex-A5 processor-based MPU. The Cortex-A5 processor runs at up to 500 MHz and features the ARM NEON SIMD engine, a 128 KB L2 cache and a floating point unit. It supports multiple memories including latest-generation technologies such as DDR3, LPDDR3 and QSPI Flash. It integrates powerful peripherals for connectivity (EMAC, USB, dual CAN, up to 10 UARTs, etc.) and user interface applications (TFT LCD controller, touch controller, class D amplifier, audio PLL, CMOS sensor interface, etc.). The devices offer advanced security functions to protect customer code and secure external data transfers. These include ARM TrustZone, tamper detection, secure data storage, hardware encryption engines including private keys, on-the-fly decryption of code stored in external DDR or QSPI memory and a secure boot loader.




Trusted IoT:

CoreTEE enables the development of trusted IoT devices such as home and industrial gateways where data protection and security are important requirements.

High Security:

Devices with high security requirements such as payment terminals and medical devices that have compliance and certification requirements can better comply with such regulations.

Secure Continuous Execution:

Devices in the industrial automation space require critical processes to keep running even if the rich OS fails so as not to cause catastrophic events. CoreTEE enables the uninterrupted execution of critical applications in the TEE even if the rich OS hangs or reboots.

CoreTEE’s implementation depends upon the microprocessor architecture and involves a high level of customization. Sequitur provides services for product integration, working with chip makers and assessing needs for specific features.


EmSPARK™ Security Suite: Security Through the Device Lifecycle

IoT Security Suite: Key Features - Security Through the Device Lifecycle