Secure Edge Gateway Platform with Microchip SAMA5D2
Assured Security at the Edge
Demonstration of Secure Azure IoT Edge Gateway with Microchip SAMA5D2
Sequitur Labs' solution combines hardware security components with software to deliver a strong security foundation for devices deploying Docker containers and microservices. The solution simplifies the process of establishing a hardware-based secure domain to isolate security-critical functions, resources and peripherals. Sequitur's EmSPARK™ Security Suite software supports the hardware isolation technology from Arm (TrustZone) that is critical to building a secure edge gateway.
The demonstration illustrates how Azure IoT Edge-based Gateways running microservices and Docker containers can be easily secured using available hardware security. The demo shows:
Secure container provisioning to a SAMA5D2 based gateway
Edge node attestation
Container integrity checking and remediation
HW crypto operations
Certificate and key management in secured key store
The demonstration comprises a temperature sensor that connects to an IoT gateway running Azure IoT Edge and Sequitur's EmSPARK™ Security Suite. The Suite handles establishing the secure domain and implementing Sequitur's trusted execution environment, CoreTEE™. CoreTEE provides a programmable, isolated environment for executing security-critical functions and storing sensitive material such as keys and certificates. The solution also includes Sequitur's CoreLockr™, a software "middleware" layer comprising easy-to-use APIs for developers to access services and peripherals isolated by CoreTEE. The components include:
Microchip SAMA5D2 microprocessor
Sequitur Labs' EmSPARK™ Security Suite for SAMA5D2 and CoreLockr APIs
Temperature sensor unit with Microchip SAME54 microcontroller
Monitoring Docker Containers for Malware
The demonstration uses the SAMA5D2's Integrity Check Monitor (ICM) to monitor the integrity of the OS hosting the Docker container, responding to and remediating a malicious code injection into the kernel. In this scenario, the code injection changes the monitored kernel memory, so the ICM raises an interrupt in the secure enclave that is handled by Sequitur's CoreTEE. CoreTEE remediates the breach by rolling the kernel back to a known and trusted image. A second scenario demonstrates using hardware security to authenticate the leaf node, using the TrustZone-based secure enclave on the SAMA5D2 and the hardware crypto engine on the SAME54.
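The monitor-and-rollback flow described above, reduced to a software model: a monitor records a reference digest of each protected region at enrolment, rescans the regions, and on a mismatch restores the region from a known-good copy and re-verifies it. This is an added, constructed example, not Sequitur's CoreTEE code or the SAMA5D2 ICM driver; the region names, the byte contents and the periodic-scan approach are assumptions made for the illustration (the hardware ICM hashes memory regions autonomously and signals the secure world by interrupt, which here is modelled by the scan loop calling the handler directly).

```python
"""Simplified model of a hash-based integrity check monitor with rollback remediation.
Constructed example; not Sequitur's CoreTEE or the SAMA5D2 ICM driver."""
import hashlib


class IntegrityMonitor:
    """Watches fixed memory regions (modelled as bytearrays) and restores any region
    whose digest no longer matches the reference captured at enrolment."""

    def __init__(self, regions: dict[str, bytearray]):
        self.regions = regions
        # Reference digests and known-good copies are captured at enrolment. In a real
        # design both live in the secure domain, out of reach of the rich OS.
        self.reference = {name: self._digest(data) for name, data in regions.items()}
        self.golden = {name: bytes(data) for name, data in regions.items()}
        self.events: list[tuple[str, str]] = []

    @staticmethod
    def _digest(data) -> bytes:
        return hashlib.sha256(bytes(data)).digest()

    def scan(self) -> list[str]:
        """One monitoring pass. Returns the regions found tampered; each is remediated."""
        tampered = []
        for name, data in self.regions.items():
            if self._digest(data) != self.reference[name]:
                tampered.append(name)
                self._remediate(name, data)
        return tampered

    def _remediate(self, name: str, data: bytearray) -> None:
        # Stand-in for the secure-world interrupt handler: log, roll back, re-verify.
        self.events.append(("mismatch", name))
        data[:] = self.golden[name]
        if self._digest(data) != self.reference[name]:
            raise RuntimeError(f"rollback of {name} failed verification")
        self.events.append(("rollback", name))


def run_scenario() -> dict:
    """Enrol two regions, scan once clean, simulate an injection, scan again."""
    # Constructed stand-ins for kernel text and a read-only data region (assumed names).
    kernel_text = bytearray(b"\x90" * 64)
    rodata = bytearray(b"const-table-v1")
    monitor = IntegrityMonitor({"kernel_text": kernel_text, "rodata": rodata})

    clean_pass = monitor.scan()          # nothing has changed yet

    # Simulated code injection: a rich-OS fault overwrites part of the kernel text.
    kernel_text[16:20] = b"\xde\xad\xbe\xef"
    tampered_pass = monitor.scan()       # detects the change and rolls it back

    return {
        "clean_pass": clean_pass,
        "tampered_pass": tampered_pass,
        "restored": bytes(kernel_text) == monitor.golden["kernel_text"],
        "events": monitor.events,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The re-verification after rollback is the part worth keeping in any real implementation: a remediation that writes the golden image but does not hash it again cannot tell whether the write itself was interfered with.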
Secure Connectivity to Azure Cloud and Leaf Node Authentication
A critical requirement for any IoT device is secure connectivity to IoT clouds such as Azure. For gateways in particular, an equally important function is authentication of sensor (a.k.a. leaf) nodes. In the first case, the gateway connects to the Azure IoT cloud securely via TLS using cryptographic assets and key material implemented in the secure domain, so the private key never leaves the secure domain. This effectively makes the connection tamper-proof. The secure domain is also instrumental in securely exchanging key material between the leaf node and the gateway, delivering a high-assurance authentication mechanism.
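One shape the leaf-node authentication can take, as an added illustration rather than Sequitur's CoreLockr API or the demo's actual protocol: a challenge-response exchange in which the gateway and the leaf each hold a pre-shared key inside a key-store object that performs MAC operations but never hands out key bytes, modelling "key material implemented in the secure domain". The node identifier, the HMAC-SHA256 construction, the nonce length and the message layout are all assumptions made for the example.

```python
"""Challenge-response authentication of a leaf node with a pre-shared key that stays in a
key store. Constructed illustration; not Sequitur's CoreLockr API or protocol."""
import hashlib
import hmac
import secrets


class SecureKeyStore:
    """Stand-in for the secure-domain key store: it computes MACs on behalf of callers
    but never returns key bytes."""

    def __init__(self):
        self._keys: dict[bytes, bytes] = {}

    def provision(self, node_id: bytes, key: bytes) -> None:
        self._keys[node_id] = key

    def has_key(self, node_id: bytes) -> bool:
        return node_id in self._keys

    def mac(self, node_id: bytes, message: bytes) -> bytes:
        return hmac.new(self._keys[node_id], message, hashlib.sha256).digest()


class LeafNode:
    def __init__(self, node_id: bytes, store: SecureKeyStore):
        self.node_id = node_id
        self.store = store

    def respond(self, challenge: bytes) -> bytes:
        # The response binds the claimed identity to the fresh challenge.
        return self.store.mac(self.node_id, self.node_id + b"|" + challenge)


class Gateway:
    def __init__(self, store: SecureKeyStore):
        self.store = store
        self.pending: dict[bytes, bytes] = {}

    def challenge(self, node_id: bytes) -> bytes:
        nonce = secrets.token_bytes(16)  # fresh per attempt, so a response cannot be replayed
        self.pending[node_id] = nonce
        return nonce

    def verify(self, node_id: bytes, response: bytes) -> bool:
        nonce = self.pending.pop(node_id, None)  # each challenge is single-use
        if nonce is None or not self.store.has_key(node_id):
            return False
        expected = self.store.mac(node_id, node_id + b"|" + nonce)
        return hmac.compare_digest(expected, response)  # constant-time comparison


def run_scenario() -> dict:
    """Genuine leaf, replayed response, wrong key, and response with no outstanding challenge."""
    node = b"sensor-01"                  # constructed identifier
    shared_key = secrets.token_bytes(32)  # assumed to have been exchanged at provisioning
    gw_store, leaf_store = SecureKeyStore(), SecureKeyStore()
    gw_store.provision(node, shared_key)
    leaf_store.provision(node, shared_key)
    gateway, leaf = Gateway(gw_store), LeafNode(node, leaf_store)

    # 1. Genuine leaf answers a fresh challenge.
    first_response = leaf.respond(gateway.challenge(node))
    genuine = gateway.verify(node, first_response)

    # 2. The earlier response replayed against a new challenge is rejected.
    gateway.challenge(node)
    replay = gateway.verify(node, first_response)

    # 3. A device claiming the same identity but holding a different key is rejected.
    rogue_store = SecureKeyStore()
    rogue_store.provision(node, secrets.token_bytes(32))
    rogue = LeafNode(node, rogue_store)
    impostor = gateway.verify(node, rogue.respond(gateway.challenge(node)))

    # 4. A response arriving with no outstanding challenge is rejected.
    stale = gateway.verify(node, first_response)

    return {"genuine": genuine, "replay": replay, "impostor": impostor, "stale": stale}


if __name__ == "__main__":
    print(run_scenario())
```

The two properties a reviewer should look for in a real implementation are visible here: the gateway's verify path only ever asks the store for a MAC (the key is not copied out into rich-world memory), and every challenge is consumed on first use, so a captured response has no value afterwards.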