FAQ Topics

Click on a topic to view questions and answers about Sequitur Labs' IoT Security Suite (ISS) for the Microchip SAMA5D2 microprocessor.

IoT Security Suite Info

What is IoT Security Suite for Microchip’s SAMA5D2?

Sequitur Labs' IoT Security Suite for Microchip's SAMA5D2 is state-of-the-art security software that simplifies the use of advanced hardware security and reduces time to market for building more trustworthy products using Microchip’s SAMA5D2. The Suite simplifies implementation of the most common tasks related to securing an IoT or embedded device including:

  • Trusted boot – Root of trust verified initial startup code, Linux® and other embedded firmware
  • IP protection – Encryption of embedded firmware and execution of authenticated firmware
  • Trusted device ID – Unique device certificate tied to root of trust for strong identity authentication
  • Secure storage – Unique and encrypted storage of code and data in in-system storage
  • Secure communications – Authenticate and ensure the privacy of communications to cloud devices and servers
  • Secure firmware update – Remotely upgrade MPU firmware safely and securely

The Suite greatly simplifies using SAMA5D2 security features such as ARM® TrustZone®, hardware cryptography and other features.

What are the primary benefits of the IoT Security Suite? Why should I use it?

Devices secured by the IoT Security Suite help customers reduce the risk and liability associated with IoT deployments. The Suite covers security requirements relevant at various stages of a product’s lifecycle.

We believe that a product must be secured from the time it is manufactured to the time it is decommissioned. This ensures that a company’s intellectual property (IP) is not stolen, the device operates without compromise at any point in its life, and that customer data is protected at all times. Additionally, it ensures that connections with remote systems, such as IoT cloud servers, are secure and tamper-proof.

For example, the IoT Security Suite enables implementing a root of trust, which supports a variety of secure processes such as trusted boot. It creates a dual operating environment because the SAMA5D2 processor can switch between secure and non-secure states. This allows isolating and separating critical material and data in a hardware secured area, dramatically improving device security. Developers can easily build applications that use secure resources without having to become experts in cryptography and complex hardware security technologies.

What are the advantages of using the IoT Security Suite?

The Suite delivers a host of capabilities, including the integration of OpenSSL with functions secured by TrustZone and preconfigured to use cryptographic functions available in the SAMA5D2. The IoT Security Suite also includes key management functions that form the basis of several secure processes such as trusted boot, storage and authentication with IoT clouds.

This allows you as the developer to focus on building the application and the device rather than spend time reading through data sheets to configure various hardware components. Result – get your products to market faster.

What are the principal components of the IoT Security Suite?

The IoT Security Suite comprises the following components:

  1. CoreTEE™ – Sequitur’s Trusted Execution Environment (TEE) for ARM® Cortex®-A based processors
  2. Pre-built Trusted Applications (TAs) – TAs are applications running in the secure domain (TEE). They implement critical security functions, have access to HW resources, and are used by APIs in the non-secure domain (Linux) to fulfill secure IoT use cases. The TAs included with the Suite enable access to a variety of secured resources such as the OpenSSL engine and hardware cryptography functions.
  3. Programming Assets in the Non-secure Domain (Linux) – Libraries and APIs enabling access to secured resources.
  4. Packaging Tool – A command line based utility streamlining the process of aggregating all necessary assets (bootloader, Linux components, CoreTEE, firmware, certificates and keys) needed for flashing (secure provisioning) the target device. The packaging tool ensures the proper implementation of the secure boot and root of trust enabling features such as IP protection and secure firmware upgrade.

What is ARM® TrustZone®? What is a Secure Enclave?

TrustZone® is a robust, proven hardware solution for security. It is an on-chip security enclave providing hardware isolation and protection for sensitive material such as cryptographic keys, intellectual property and data. TrustZone-enabled SoCs are found in over a billion devices such as payment terminals, set-top boxes and mobile phones. TrustZone is fast becoming a standard way for IoT device makers to implement security. With TrustZone, security is designed into the product and secure functions are propagated throughout the product. This results in a more secure device. It is important to note that not all SoCs implement TrustZone the same way; this can impact your design.

For more details on the TrustZone®, please visit ARM’s website at http://www.arm.com/products/processors/technologies/trustzone.

What is a Trusted Execution Environment (TEE)?

TEE stands for Trusted Execution Environment. On top of the hardware foundation of the ARM® TrustZone® technology, the TEE adds a functional runtime environment with standards-compliant APIs, strong application separation through a security-focused microkernel, and strong protection of sensitive assets through access control and cryptography.

While TrustZone establishes “Normal” (non-secure) and Secure worlds, the TEE facilitates communications across these domains. Applications and functions in the Normal domain can invoke secure functions resident in the TEE through the Secure Monitor, which manages the state change from Non-secure to Secure.

The TrustZone/TEE combination enables handling sensitive data without risking exposure. In addition, because the boot process is integrity-verified, the functions provided by the TEE are less likely to be compromised by malicious code.

The TEE is also used to secure access to peripherals by implementing peripheral drivers in the TEE. This protects access to peripherals such as persistent storage, memory and displays.

What are Trusted Applications and can I write my own?

Trusted Applications (TAs) are code and functions that execute only when the device is in secure state. The suite includes pre-built TAs as described above but does not allow writing custom TAs. To write custom TAs, you must obtain a license to use Sequitur’s Trusted Execution Environment—CoreTEE. A full license to CoreTEE enables greater flexibility than allowed by the security suite. To discuss this option, please email Sequitur Labs at this Email address.

Is there a performance impact resulting from switching between states?

There is a negligible performance impact when switching between secure and non-secure states. Switching overhead is similar to or less than that which results from a thread context switch in an operating system such as Linux.

Can I connect to Amazon Web Service (AWS) IoT Cloud?

Yes! The Suite includes procedures to load keys and certificates that enable your device to be authenticated by AWS IoT Cloud. The Evaluation Kit includes a step-by-step guide and example application to establish a TLS connection with AWS IoT (to be used with the MQTT protocol). The Suite facilitates the creation of a unique device certificate to be used for TLS mutual authentication. The Suite is cloud provider agnostic. We do not recommend any particular cloud service provider.

What security requirements does the IoT Security Suite cover across the product lifecycle?

The Suite covers security requirements relevant at both the Design & Develop and the Deploy & Operate stages:
  • Trusted boot
  • Root of Trust/Unique device ID
  • Key and certificate injection
  • Device integrity and firmware protection
  • Protect data at rest and in transit
  • Secure firmware update
  • Device pairing and mutual authentication
  • Secure device-to-device and device-to-cloud communication
  • Streamlined device provisioning for IoT cloud authentication

This allows you, as the developer, to focus on building the application and the device rather than spend time reading through data sheets to configure various hardware components. You don’t have to worry about pin muxing or selecting crypto algorithms, because we do that for you. The result? You get your products to market faster.

What other platforms besides the SAMA5D2 are supported?

The Microchip SMART|SAMA5D2 is the only microprocessor currently supported by the IoT Security Suite. However, we will be announcing support for other platforms in the near future. If you would like to be notified when these are available or if you have a specific platform in mind, send us an email at info@sequiturlabs.com.

Getting Started

How can I get access to Sequitur's IoT Security Suite?

We provide three different options for you to license the IoT Security Suite. They are outlined in the table below:

SW Evaluation Kit
  Description: Evaluation (non-secure) version of IoT Security Suite. Write trial applications for:
    • Secure storage
    • Secure communications
    • Verification of payload
    • Use OpenSSL with key store protected by the TEE
  What You Get: Zip file containing all the required files to flash the development boards. Documentation, examples in source code, and software in a downloadable package.
    • Preloaded keys and certificates provided to support application examples
  What You Need: SAMA5D2B-XULT dev board (RevB; see the question below)
  Price: FREE
  Licensing: Click-through agreement
  Support: Pre-sales support and consultation
  Where To Get It: www.sequiturlabs.com/iot-security-suite/iss-registration

Development Kit
  Description: Develop firmware using the IoT Security Suite.
    • Use any Linux environment including peripheral drivers
    • Build firmware on SAMA5D2B-XULT board
  What You Get: Same as Evaluation Kit PLUS:
    • Components required for the customer to use their own board design and Linux
    • Packaging tool to prepare firmware for flashing to SAMA5D2B-XULT
  What You Need:
    • SAMA5D2B-XULT dev board
    • Special Secure SAM-BA or Secure Provisioning System required to program boards
    • NDA with Microchip for Secure SAM-BA
  Price: $5,000
  Licensing: Fully functional, development ONLY enterprise license
  Support: Email support included; telephone hotline support available for purchase.
  Where To Get It: Call your Microchip sales person or FAE, or contact Sequitur Labs at this Email

Production Kit
  Description: Final production-ready, fully functional software kit with all the features of the IoT Security Suite.
  What You Get: Same as Development Kit PLUS:
    • Tools to enable customers to use their production certificates and keys and to package firmware to flash to target hardware
    • Randomized, secure HWRoT
  What You Need: Same as Development Kit
  Price: $15,000
  Licensing: Development Kit can be converted into a Production license. Production license applies to ONE commercial project with UNLIMITED volumes.
  Support: Email support included; telephone hotline support available for purchase.
  Where To Get It: Call your Microchip sales person or FAE, or contact Sequitur Labs at this Email

I already have the SAMA5D2-XULT board. Can I use the Evaluation Kit?

You can only deploy the Evaluation Kit on the SAMA5D2-XULT RevB board. RevA boards are not supported.

Is there any limit as to how many boards I can deploy the IoT Security Suite on during development?

You can deploy the Suite on as many boards as you need during the development phase.

Are there special procedures that must be followed at the time of manufacturing to inject keys and certificates in order to establish the root of trust?

Yes. You will need a secure way to inject keys into the device to establish a root of trust. Your manufacturing partner should be able to help you with that.

Still have questions?

Contact us and we will get back to you as soon as possible.