SecEdge's EmSPARK^TM Security Suite is state-of-the-art security software that simplifies the use of advanced hardware security and reduces time to market for building more trustworthy products using our partners' processors. EmSPARK^TM simplifies implementation of the most common tasks related to securing an IoT or embedded device including:

• Trusted boot – Root of trust verified initial startup code, Linux^® and other embedded firmware
• IP protection – Encryption of embedded firmware and execution of authenticated firmware
• Trusted device ID – Unique device certificate tied to root of trust for strong identity authentication
• Secure storage – Unique and encrypted storage of code and data in in-system storage
• Secure communications – Authenticate and ensure the privacy of communications to cloud devices and servers
• Secure firmware update – Remotely upgrade MPU firmware safely and securely. The Suite greatly simplifies using security features such as Arm^® TrustZone^®, hardware cryptography and other features

Devices secured by the EmSPARK^TM Security Suite help customers reduce the risk and liability associated with IoT deployments. The Suite covers security requirements relevant at various stages of a product’s lifecycle.

We believe that a product must be secured from the time it is manufactured to the time it is decommissioned. This ensures that a company’s intellectual property (IP) is not stolen, the device operates without compromise at any point in its life, and that customer data is protected at all times. Additionally, it ensures that connections with remote systems, such as IoT cloud servers, are secure and tamper-proof.

For example, the EmSPARK^TM Security Suite enables implementing a root of trust, which supports a variety of secure processes such as trusted boot. It creates a dual operating environment because our partner’s processors can switch between secure and non-secure states. This allows isolating and separating critical material and data in a hardware secured area, dramatically improving device security. Developers can easily build applications that use secure resources without having to become experts in cryptography and complex hardware security technologies.

The Suite delivers a host of capabilities, including the integration of OpenSSL with functions secured by TrustZone and preconfigured to use cryptographic functions available in our partner’s processors. The EmSPARK^TM Security Suite also includes key management functions that form the basis of several secure processes such as trusted boot, storage and authentication with IoT clouds.

This allows you as the developer to focus on building the application and the device rather than spend time reading through data sheets to configure various hardware components. Result—get your products to market faster.

The EmSPARK^TM Security Suite comprises the following components:

1. CoreTEE^TM – SecEdge's Trusted Execution Environment (TEE) for Arm^® Cortex^®-A based processors
2. Pre-built Trusted Applications (TAs) – TAs are applications running in the secure domain (TEE). They implement critical security functions, have access to HW resources, and are used by APIs in the non-secure domain (Linux) to fulfill secure IoT use cases. The TAs included with the Suite enable access to a variety of secured resources such as the OpenSSL engine and hardware cryptography functions.
3. Programming Assets in the Non-secure Domain (Linux) – Libraries and APIs enabling access to secured resources.
4. Packaging Tool – A command line based utility streamlining the process of aggregating all necessary assets (bootloader, Linux components, CoreTEE, firmware, certificates and keys) needed for flashing (secure provisioning) the target device. The packaging tool ensures the proper implementation of the secure boot and root of trust enabling features such as IP protection and secure firmware upgrade.

TrustZone^® is a robust, proven hardware solution for security. It is an on-chip security enclave providing hardware isolation and protection for sensitive material such as cryptographic keys, intellectual property and data. TrustZone-enabled SoCs are found in over a billion devices such as payment terminals, set-top boxes and mobile phones. TrustZone is fast becoming a standard way for IoT device makers to implement security. With TrustZone, security is designed into the product and secure functions propagated throughout the product. This results in a more secure device. It is important to note, that not all SoCs implement TrustZone the same way. This can impact your design.

For more details on the TrustZone^®, please visit Arm’s website at http://www.arm.com/products/processors/technologies/trustzone.

TEE stands for Trusted Execution Environment. On top of the hardware foundation of the Arm^® TrustZone^® technology, the TEE adds a functional runtime environment with standards compliant APIs, strong application separation through the security focused microkernel, and strong protection of sensitive assets through access control and cryptography.

While TrustZone establishes “Normal” (non-secure) and Secure worlds, the TEE facilitates communications across these domains. Applications and functions in the Normal domain can invoke secure functions resident in the TEE through the Secure Monitor, which manages the state change from Non-secure to Secure.

The Trustzone/TEE combination enables handling sensitive data without the risking exposure. In addition, due to the integrity in the boot process, the functions provided by the TEE are less likely to be compromised by malicious code.

The TEE is also used to secure access to peripherals by implementing peripheral drivers in the TEE. This protects access to peripherals such as persistent storage, memory and displays.

Trusted Applications (TAs) are code and functions that execute only when the device is in secure state. The suite includes pre-built TAs as described above but does not allow writing custom TAs. To write custom TAs, you must obtain a license to use SecEdge's Trusted Execution Environment—CoreTEE. A full license to CoreTEE enables greater flexibility than allowed by the security suite. To discuss this option, please Email SecEdge.

There is a negligible performance impact when switching between secure and non-secure states. Switching overhead is similar to or less than that which results from a thread context switch in an operating system such as Linux.

Yes! The Suite includes procedures to load keys and certificates that enable your device to be authenticated by AWS IoT Cloud. The Evaluation Kit includes a step-by-step guide and example application to establish a TLS connection with AWS IoT (to be used with the MQTT protocol). The Suite facilitates the creation of a unique device certificate to be used for TLS mutual authentication. The Suite is cloud provider agnostic. We do not recommend any particular cloud service provider.

EmPOWER™ is a SaaS solution that provides the lifecycle management platform needed to secure, provision and update intelligent edge devices.

Together with the EmSPARK™ Security suite, EmPOWER™ enables OEM’s to actively protect their devices, business, and customers.

With EmPOWER^TM, you can register devices with mutual authentication (chip and cloud), update devices securely, Gain insights into device behavior, and detect and respond to threats.

EmPOWER^TM can provide registration and update services for devices that provide secure credentials like smart MCU’s, MCUs with secure elements or trusted platform modules, and smart flash.  Contact us for more information.

We provide three different options for you to license the EmSPARK^TM Security Suite. They are outlined in the table below: