At the Embedded World show in Nuremberg last week ARM announced a security certification system for PSA with security testing lab partners Brightsight, CAICT, Riscure, Underwriters Laboratory and security consultants Prove&Run as the entities that will perform the testing. These six companies have developed PSA Certified jointly.
The PSA was announced in 2017 and has now been fleshed out as a three-level framework that shows IoT designers how to create a secure connected device. It provides a methodology for security but goes beyond instructions and principles, and includes threat models and security analysis documentation, hardware and firmware architecture specifications, downloadable trusted-source firmware and API test kits.
An example of the three-level system is the security around a temperature sensor. In a field it may require different level of security robustness (level 1) compared to a sensor in a home environment (level 2) or in an industrial plant (level 3). Following the testing, all PSA Certified devices have electronically signed report cards (attestation tokens) for the level of security that has been achieved, allowing system developers and service providers to make risk-based decisions.
The first PSA certified products are now becoming available in the form for particular microcontrollers and SoCs from the likes of Cypress, Microchip, Nordic, Silicon Labs, STMicroelectronics. Not surprisingly these are all based on ARM processor cores.
However, at the show John Ronco, vice president and general manager of embedded and automotive business for ARM, pointed out to eeNews Europe, that PSA is open to other processor architectures. "The PSA does not mandate particular IP blocks or technology or crypto IP cores and so on. It doesn't have to be ARM. It is not ISA-specific," Ronco said.
Next: Administration, copyright and trademark issues