Three Features Every Secure Microcontroller Needs
For years, embedded developers have had the luxury of ignoring security. Embedded systems were disconnected, stand-alone devices that only had to worry about physical tampering. The Internet of Things (IoT) has forever removed this luxury: security is now at the forefront of concern for nearly every connected device. To secure their devices properly, developers must look for three key microcontroller unit (MCU) features: hardware-based isolation, memory protection units (MPUs), and cryptographic accelerators. Let’s explore these three critical features.
Secure MCU feature #1: A secure processing environment
One key concept to securing an embedded system is to design it using isolation. Isolation provides a boundary or fence around memory, components, and functions that operate together to achieve a common goal. If an adversary can exploit one region of the system, the isolation barrier protects the second region so that the adversary is not able to immediately access it.
An embedded system is often isolated into two primary regions: a non-secure processing environment (NSPE) and a secure processing environment (SPE). The best way to achieve these two execution environments is to use hardware-based isolation. There are two methods for doing this - using a multicore MCU or a single-core MCU with Arm’s TrustZone.
In the multicore solution, one processor is dedicated to the SPE, while the other serves as the feature-rich application processor in the NSPE. The two cores are physically isolated from each other and only communicate through shared RAM and interprocess communication (IPC). If the NSPE is hacked, any isolated data, memory, and functions in the security core will still be isolated and protected; the adversary would have to find a separate way to hack the security core. An example MCU that uses the multicore approach is Infineon Technologies’ PSoC 64.
The PSoC 64 has an Arm Cortex-M4 processor for the application-rich NSPE and an Arm Cortex-M0+ security core for the SPE. The two cores can communicate through an IPC. An interesting development board to get started experimenting with the multicore security solution is the CY8CKIT-064S0S2-4343W Wi-Fi and Bluetooth-enabled PSoC 64 Pioneer Kit (Figure 1).
Figure 1: The CY8CKIT-064S0S2-4343W Pioneer Kit provides a secure development platform for developers to work with multicore security solutions. (Image source: Infineon Technologies)
The TrustZone solution is different from the multicore isolation model in that it uses a single processing core, but the processing is still broken up into an NSPE and an SPE. When a secure function needs to be executed, the processor switches from the NSPE to the SPE in a deterministic manner that is typically three clock cycles or less. An example TrustZone capable MCU is the STM32L562CET6 from STMicroelectronics.
Hardware-based isolation is the first feature developers need to look for in their secure MCUs. The next feature is MPUs.
Secure MCU feature #2: MPUs
An MPU is a hardware peripheral designed to protect memory. Embedded developers need an MPU because it allows them to create further regions of hardware-based isolation within their application code. For example, while a developer might leverage an SPE, that SPE can itself be broken up into isolated regions using an MPU. If an adversary finds their way into the SPE, they still need to find a way into each of the isolated memory regions protected by the MPU.
The MPU can be thought of as a slimmed-down memory management unit (MMU) that provides developers a method for breaking their software up into isolated processes. The MPU can be used on any memory location including flash, RAM, and peripherals, and it is used to set execution and access permissions. Again, if an adversary can access one process, they will be limited in what else they can reach by the MPU settings. If they try to access a memory region outside those settings, the MPU will throw a fault, and the system can then try to recover or reset. This makes the MPU a critical feature developers need to protect their systems.
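To make the access and execution permissions described above concrete, here is an added example (not code from the article or from any vendor SDK) that models a Cortex-M MPU on a PC. The RBAR/RASR bit layouts follow the Armv7-M PMSAv7 register definitions; the region table, base addresses and sizes are constructed for this example, and check_access() is a software stand-in for the hardware check so the fault behaviour can be exercised without a board. The same region encodings would be written to MPU->RBAR and MPU->RASR on real hardware.

```c
/* Host-side model of an Armv7-M (PMSAv7) MPU. Added example; the region
 * table below is constructed, not taken from any real firmware. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* RASR.AP encodings (privileged access / unprivileged access) */
#define AP_NO_ACCESS   0u  /* --  / -- */
#define AP_PRIV_RW     1u  /* RW  / -- */
#define AP_PRIV_RW_URO 2u  /* RW  / RO */
#define AP_FULL        3u  /* RW  / RW */
#define AP_PRIV_RO     5u  /* RO  / -- */
#define AP_RO          6u  /* RO  / RO */

typedef struct {
    uint32_t base;    /* must be aligned to size */
    uint32_t size;    /* power of two, at least 32 bytes */
    uint32_t ap;      /* one of the AP_* values */
    bool     xn;      /* execute-never */
    bool     enabled;
} region_t;

typedef enum { ACC_READ, ACC_WRITE, ACC_EXEC } access_t;

/* RBAR: region base (bits 31:5), VALID (bit 4), REGION number (bits 3:0). */
uint32_t encode_rbar(uint32_t base, unsigned region_no)
{
    return (base & ~0x1Fu) | (1u << 4) | (region_no & 0xFu);
}

/* RASR: XN (bit 28), AP (bits 26:24), SIZE (bits 5:1), ENABLE (bit 0).
 * SIZE = log2(bytes) - 1; memory attribute bits (TEX/S/C/B) are left zero. */
uint32_t encode_rasr(const region_t *r)
{
    unsigned log2 = 0;
    while ((1u << log2) < r->size) log2++;
    uint32_t size_field = log2 - 1;
    return ((uint32_t)r->xn << 28) | (r->ap << 24) |
           (size_field << 1) | (r->enabled ? 1u : 0u);
}

/* Returns true if the access is allowed, false if the MPU would raise a
 * MemManage fault. As in hardware, the highest-numbered enabled region that
 * contains the address decides; an address in no region faults (this model
 * assumes the privileged default map, PRIVDEFENA, is off). */
bool check_access(const region_t *regions, unsigned n, uint32_t addr,
                  access_t acc, bool privileged)
{
    int hit = -1;
    for (unsigned i = 0; i < n; i++) {
        const region_t *r = &regions[i];
        if (r->enabled && addr >= r->base && addr - r->base < r->size)
            hit = (int)i;
    }
    if (hit < 0) return false;
    const region_t *r = &regions[hit];
    bool can_read = false, can_write = false;
    switch (r->ap) {
    case AP_PRIV_RW:     can_read = privileged; can_write = privileged; break;
    case AP_PRIV_RW_URO: can_read = true;       can_write = privileged; break;
    case AP_FULL:        can_read = true;       can_write = true;       break;
    case AP_PRIV_RO:     can_read = privileged; can_write = false;      break;
    case AP_RO:          can_read = true;       can_write = false;      break;
    default:             break;  /* AP_NO_ACCESS and reserved encodings */
    }
    switch (acc) {
    case ACC_READ:  return can_read;
    case ACC_WRITE: return can_write;
    case ACC_EXEC:  return can_read && !r->xn;  /* fetch needs read + !XN */
    }
    return false;
}

/* Constructed layout: code in flash, a general SRAM region that is never
 * executable, peripherals for privileged code only, and a small key store
 * carved out of SRAM as a higher-numbered region so it overrides region 1. */
const region_t demo_regions[] = {
    { 0x08000000u, 0x00100000u, AP_RO,      false, true },  /* 0: flash  */
    { 0x20000000u, 0x00040000u, AP_FULL,    true,  true },  /* 1: SRAM   */
    { 0x40000000u, 0x20000000u, AP_PRIV_RW, true,  true },  /* 2: periph */
    { 0x20030000u, 0x00001000u, AP_PRIV_RW, true,  true },  /* 3: keys   */
};
const unsigned demo_region_count = 4;

int main(void)
{
    printf("RASR for key store: 0x%08X\n", encode_rasr(&demo_regions[3]));
    printf("unprivileged read of key store allowed: %d\n",
           check_access(demo_regions, demo_region_count, 0x20030010u, ACC_READ, false));
    printf("unprivileged execute from SRAM allowed: %d\n",
           check_access(demo_regions, demo_region_count, 0x20001000u, ACC_EXEC, false));
    return 0;
}
```

The two checks in main() show the two policies an MPU is most often used for: an unprivileged task cannot read the key-store page even though it sits inside the general SRAM region, and nothing can execute from SRAM, so a stack or heap overflow that lands injected bytes there still cannot run them. Either violation would surface as a MemManage fault that the fault handler can log before recovering or resetting.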
Secure MCU Feature #3: Cryptographic accelerators
The third feature developers need to look for in a secure MCU is a cryptographic accelerator. A cryptographic accelerator speeds up complex calculations that would otherwise take the CPU a relatively long time to process. The CPU can offload the work to the accelerator, which allows it to work on another problem in parallel. The result is that cryptographic operations take less time, save CPU cycles, and potentially even reduce energy usage in battery-operated devices.
There are several operations for which developers can use the cryptographic accelerator. First, they can use it to encrypt communications or data. A common encryption scheme to use is AES-256, but others may be supported depending on the MCU. Another application is to calculate the hash of a dataset. This can be useful when verifying the integrity of application code or a piece of data.
Cryptographic accelerators are easy to overlook, but any good secure MCU will have one. The trick for developers is to review what it supports and make sure that it has the capabilities needed for the application’s expected lifecycle.
Conclusion
Security is not something that developers can just add to their system at the end of the development cycle. Care must be taken early on to understand the threats to the system, and to select an MCU that contains all the hardware capabilities necessary to secure it.