PSA Certified

Last updated
PSA Certified
PSA Certified.jpeg
Effective regionWorldwide
Effective since2017
Type of standardSecurity certification scheme
Website psacertified.org

Platform Security Architecture (PSA) Certified is a security certification scheme for Internet of Things (IoT) hardware, software and devices. It was created by Arm Holdings, Brightsight, CAICT, Prove & Run, Riscure, TrustCB and UL as part of a global partnership.

Contents

Arm Holdings first brought forward the PSA specifications in 2017 to outline common standards for IoT security, [1] with PSA Certified assurance scheme launching two years later in 2019.

History

In 2017, Arm Holdings introduced the Platform Security Architecture (PSA), a framework designed to enhance the security of Internet of Things (IoT) devices and services. PSA emerged as a comprehensive standard, incorporating various elements such as threat models, security analyses, and architectural specifications for hardware and firmware. It also included an open-source firmware reference implementation. The primary objective of PSA was to establish a baseline for security in the IoT sector, catering to the needs of both software and device manufacturers.

Over time, PSA evolved into PSA Certified, a more structured four-stage framework. This development aimed to provide IoT designers with a systematic approach to ensure security. The framework categorized security into different levels, each offering varying degrees of assessment and assurance.

The initial PSA documents and IoT threat models were released in 2018, marking a significant step in standardizing IoT security.

The formal certification process of PSA Certified was launched at Embedded World in 2019. This event saw the introduction of Level 1 Certification, primarily targeting chip vendors. Concurrently, a draft outlining Level 2 protection was also presented.

PSA Certified was further strengthened by the collaboration of seven founding stakeholders, including Arm Holdings, Brightsight, CAICT, Prove & Run, Riscure, UL, and TrustCB. TrustCB joined as an independent Certification Body for the scheme, while the other stakeholders, four of which are security test laboratories, contributed to the creation of the PSA Certified specifications under the PSA Joint Stakeholders Agreement.

The ecosystem of PSA Certified expanded in 2021 with the addition of Applus+ and ECSEC, two notable security test labs.

Noteworthy milestones in the journey of PSA Certified include the issuance of the first Level 2 certificates to chip vendors in February 2020 and the awarding of the first Level 3 certificate in March 2021.

In November 2022, PSA Certified introduced Level 2 + Secure Element. This new category allows for the integration of a secure element to enhance the physical protection at Level 2, bridging the gap before advancing to the more robust Level 3 protection.

The evolution of PSA and the introduction of PSA Certified represent significant strides in standardizing and enhancing IoT security, reflecting the industry's ongoing commitment to safeguarding interconnected devices in an increasingly digital world.

Certification

The PSA Joint Stakeholders Agreement is an initiative focused on establishing a global standard for Internet of Things (IoT) security. This agreement aims to simplify the security protocols within the electronics industry by providing a coherent and comprehensive security scheme. The security certification scheme, as outlined in the agreement, advocates a security-by-design approach applicable to a broad spectrum of IoT products. This process begins with a thorough security assessment of the chip, specifically its Root of Trust (RoT), and progressively extends to system software and device application code. Notably, the PSA Certified specifications are designed to be neutral regarding implementation and architecture, making them applicable across various chips, software, and devices.

The PSA Certified program seeks to address and reduce fragmentation in the IoT product manufacturing and development sectors. It supports the creation of system-on-chips (SoCs) that incorporate a PSA Root of Trust (PSA-RoT), a security component accessible to software platforms and original equipment manufacturers (OEMs).

Functional API Certification

PSA-RoT offers a set of high-level APIs, facilitating the abstraction of trusted hardware and firmware across different chip vendors. These APIs include the PSA Cryptography API, PSA Attestation API, PSA Storage API, and PSA Firmware Update API. Compliance with these APIs is verified through open source API test suites, and an open-source implementation of the PSA Root of Trust APIs is available through the TrustedFirmware.org project.

Certification Levels

Level 1 Certification

Level 1 targets chip vendors, software platforms, and device manufacturers. It involves a questionnaire, document review, and an interview conducted by a certification lab. The process ensures alignment with key IoT standards and laws, like NISTIR 8259, ETSI 303 645, and SB-327.

Level 2 Certification [2]

This mid-level certification focuses on software attacks and includes a month-long review of the PSA-RoT source code by a security lab. It emphasizes specific attack methods and evaluation methodologies, with a requirement for hardware support of PSA-RoT functions, primarily aimed at chip vendors.

Level 2 + Secure Element

This level enhances Level 2 by adding physical protection for certain security functions. It typically involves a Level 2 Certified SoC combined with a secure element, focusing on secure cryptographic operations and key storage.

Level 3 Certification

The highest level, Level 3, expands upon Level 2 to include safeguards against various physical and side-channel attacks. This level encompasses physical protection for all security functions, differentiating it from Level 2 + Secure Element.

This structured approach under the PSA Joint Stakeholders Agreement and the subsequent certification levels play a critical role in unifying and strengthening IoT security standards, catering to the diverse needs of the industry and promoting a safer IoT environment.

Industry adoption

Since the launch of the standard, it has been adopted by a number of chip manufacturers and system software providers.

CompanyCertification LevelSectorReferences
Aitos.ioLevel 1Blockchain [3]
Azure RTOS Level 1Software platform [4]
Crypto QuantiqueLevel 2OEM [5]
Cypress Semiconductor Level 2Chip manufacturer [6]
Embedded PlanetLevel 2OEM [7]
Espressif Systems Level 1Chip manufacturer [8]
Eurotech Level 1OEM [9]
Express Logic Level 1Software platform [10]
FreeRTOS Level 1Software platform [11]
Infineon Level 2Chip manufacturer [12]
InGeekLevel 1OEM [13]
Macronix Level 1OEM [14]
Microchip Technology Level 1Chip manufacturer [15]
Nordic Semiconductor Level 2Chip manufacturer [16]
Nuvoton Level 1Chip manufacturer [17]
NXM LabsLevel 1Software platform [18]
NXP Semiconductor Level 3Chip manufacturer [19]
OneOSLevel 1Software platform [20]
Renesas Electronics Level 2Chip manufacturer [21]
RT-Thread Level 1Software platform [22]
Sequitur LabsLevel 1Software platform [23]
Silicon Labs Level 3Chip manufacturer [24]
Shenzhen GoodixLevel 1Chip manufacturer [25]
STMicroelectronics Level 3Chip manufacturer [26]
Unisoc Level 1Chip manufacturer [27]
VeridifyLevel 1Software platform [28]
Winbond Level 2Chip manufacturer [29] [30]
Zephyr OS Level 1Software platform [31]

Related Research Articles

<span class="mw-page-title-main">Microcontroller</span> Small computer on a single integrated circuit

A microcontroller or microcontroller unit (MCU) is a small computer on a single integrated circuit. A microcontroller contains one or more CPUs along with memory and programmable input/output peripherals. Program memory in the form of NOR flash, OTP ROM or ferroelectric RAM is also often included on chip, as well as a small amount of RAM. Microcontrollers are designed for embedded applications, in contrast to the microprocessors used in personal computers or other general purpose applications consisting of various discrete chips.

ARM is a family of RISC instruction set architectures (ISAs) for computer processors. Arm Ltd. develops the ISAs and licenses them to other companies, who build the physical devices that use the instruction set. It also designs and licenses cores that implement these ISAs.

Nucleus RTOS is a real-time operating system (RTOS) produced by the Embedded Software Division of Mentor Graphics, a Siemens Business, supporting 32- and 64-bit embedded system platforms. The operating system (OS) is designed for real-time embedded systems for medical, industrial, consumer, aerospace, and Internet of things (IoT) uses. Nucleus was released first in 1993. The latest version is 3.x, and includes features such as power management, process model, 64-bit support, safety certification, and support for heterogeneous computing multi-core system on a chip (SOCs) processors.

<span class="mw-page-title-main">Z-Wave</span> Wireless standard for intelligent building networks

Z-Wave is a wireless communications protocol used primarily for residential and commercial building automation. It is a mesh network using low-energy radio waves to communicate from device to device, allowing for wireless control of smart home devices, such as smart lights, security systems, thermostats, sensors, smart door locks, and garage door openers. The Z-Wave brand and technology are owned by Silicon Labs. Over 300 companies involved in this technology are gathered within the Z-Wave Alliance.

<span class="mw-page-title-main">Trusted Platform Module</span> Standard for secure cryptoprocessors

Trusted Platform Module (TPM) is an international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys. The term can also refer to a chip conforming to the standard ISO/IEC 11889.

<span class="mw-page-title-main">PikeOS</span> Real-time operating system

PikeOS is a commercial hard real-time operating system (RTOS) which features a separation kernel-based hypervisor. This hypervisor supports multiple logical partition types for various operating systems (OS) and applications, each referred to as a GuestOS. PikeOS is designed to facilitate the development of certifiable smart devices for the Internet of Things (IoT) by adhering to standards of quality, safety, and security across different industries. In instances where memory management units (MMU) are not present but memory protection units (MPU) are available on controller-based systems, PikeOS for MPU is designed for critical real-time applications and provides up-to-standard safety and security.

Lynx Software Technologies, Inc. is a San Jose, California software company founded in 1988. Lynx specializes in secure virtualization and open, reliable, certifiable real-time operating systems (RTOSes). Originally known as Lynx Real-Time Systems, the company changed its name to LynuxWorks in 2000 after acquiring, and merging with, ISDCorp, an embedded systems company with a strong Linux background. In May 2014, the company changed its name to Lynx Software Technologies.

<span class="mw-page-title-main">Silicon Labs</span> Global technology company

Silicon Laboratories, Inc. is a fabless global technology company that designs and manufactures semiconductors, other silicon devices and software, which it sells to electronics design engineers and manufacturers in Internet of Things (IoT) infrastructure worldwide.

<span class="mw-page-title-main">Linaro</span> Engineering organization for open source software

Linaro is an engineering organization that works on free and open-source software such as the Linux kernel, the GNU Compiler Collection (GCC), QEMU, power management, graphics and multimedia interfaces for the ARM family of instruction sets and implementations thereof as well as for the Heterogeneous System Architecture (HSA). The company provides a collaborative engineering forum for companies to share engineering resources and funding to solve common problems on ARM software. In addition to Linaro's collaborative engineering forum, Linaro also works with companies on a one-to-one basis through its Services division.

A trusted execution environment (TEE) is a secure area of a main processor. It helps code and data loaded inside it to be protected with respect to confidentiality and integrity. Data confidentiality prevents unauthorized entities from outside the TEE from reading data, while code integrity prevents code in the TEE from being replaced or modified by unauthorized entities, which may also be the computer owner itself as in certain DRM schemes described in SGX. This is done by implementing unique, immutable, and confidential architectural security such as Intel Software Guard Extensions which offers hardware-based memory encryption that isolates specific application code and data in memory. Intel SGX allows user-level code to allocate private regions of memory, called enclaves, which are designed to be protected from processes running at higher privilege levels. A TEE as an isolated execution environment provides security features such as isolated execution, integrity of applications executing with the TEE, along with confidentiality of their assets. In general terms, the TEE offers an execution space that provides a higher level of security for trusted applications running on the device than a rich operating system (OS) and more functionality than a 'secure element' (SE).

<span class="mw-page-title-main">NodeMCU</span> Open-source IoT platform

NodeMCU is a low-cost open source IoT platform. It initially included firmware which runs on the ESP8266 Wi-Fi SoC from Espressif Systems, and hardware which was based on the ESP-12 module. Later, support for the ESP32 32-bit MCU was added.

<span class="mw-page-title-main">ESP8266</span> System-on-a-chip microcontroller model with Wi-Fi

The ESP8266 is a low-cost Wi-Fi microchip, with built-in TCP/IP networking software, and microcontroller capability, produced by Espressif Systems in Shanghai, China.

WebUSB is a JavaScript application programming interface (API) specification for securely providing access to USB devices from web applications.

<span class="mw-page-title-main">ESP32</span> Low-cost, low-power SoC microcontrollers with Bluetooth and Wi-Fi

ESP32 is a series of low-cost, low-power system on a chip microcontrollers with integrated Wi-Fi and dual-mode Bluetooth. The ESP32 series employs either a Tensilica Xtensa LX6 microprocessor in both dual-core and single-core variations, Xtensa LX7 dual-core microprocessor or a single-core RISC-V microprocessor and includes built-in antenna switches, RF balun, power amplifier, low-noise receive amplifier, filters, and power-management modules. ESP32 is created and developed by Espressif Systems, a Chinese company based in Shanghai, and is manufactured by TSMC using their 40 nm process. It is a successor to the ESP8266 microcontroller.

Mongoose OS is an Internet of Things (IoT) Firmware Development Framework available under Apache License Version 2.0. It supports low power, connected microcontrollers such as: ESP32, ESP8266, TI CC3200, TI CC3220, STM32. Its purpose is to be a complete environment for prototyping, development and managing connected devices.

<span class="mw-page-title-main">FatFs</span> Software library for microcontrollers

FatFs is a lightweight software library for microcontrollers and embedded systems that implements FAT/exFAT file system support. Written on pure ANSI C, FatFs is platform-independent and easy to port on many hardware platforms such as 8051, PIC, AVR, ARM, Z80. FatFs is designed as thread-safe and is built into ChibiOS, RT-Thread, ErlendOS, and Zephyr real-time operating systems.

A secure element (SE) is a secure operating system (OS) in a tamper-resistant processor chip or secure component. It can protect assets (root of trust, sensitive data, keys, certificates, applications) against high-level software and hardware attacks. Applications that process this sensitive data on an SE are isolated and so operate within a controlled environment not affected by software (including possible malware) found elsewhere on the OS.

<span class="mw-page-title-main">OpenHarmony</span> Family of open-source operating systems based on OpenHarmony

OpenAtom OpenHarmony, or abbreviated as OpenHarmony (OHOS), is a family of open-source operating systems based on HarmonyOS derived from LiteOS, donated the L0-L2 branch source code by Huawei to the OpenAtom Foundation. Similar to HarmonyOS, the open-source distributed operating system is designed with a layered architecture, which consists of four layers from the bottom to the top, i.e., the kernel layer, system service layer, framework layer, and application layer.

PX5 RTOS is a real-time operating system (RTOS) designed for embedded systems. It is implemented using the ANSI C programming language.

References

  1. Dent, Steve (October 23, 2017). "Google and others back Internet of Things security push". Engadget.
  2. "ESP32-S3 Series (ESP32-S3, ESP32-S3FN8, ESP32-S3R2, ESP32-S3R8, ESP32-S3R8V, ESP32-S3FH4R2) | PSA Certified". www.psacertified.org. 2022-07-06. Retrieved 2023-12-12.
  3. "aitos.io launches the world's first PSA Certified BoAT blockchain application framework". Medium. 12 May 2021.
  4. "Azure RTOS | PSA Certified". www.psacertified.org. 2021-10-27. Retrieved 2022-12-15.
  5. "Securing the IoT ecosystem". New Electronics. September 30, 2021.
  6. "Cypress Processing Solution with Built-in System Layer Security Fortifies IoT Application Design" (Press release). 26 February 2019.
  7. "Arrow Electronics Accelerates Development of IoT Devices on PSA Certified Trusted Methodology". EE Times.
  8. "ESP32-S3 Series (ESP32-S3, ESP32-S3FN8, ESP32-S3R2, ESP32-S3R8, ESP32-S3R8V, ESP32-S3FH4R2) | PSA Certified". www.psacertified.org. 2022-07-06. Retrieved 2023-12-12.
  9. "Eurotech achieves IoT security certification". Eurotech. July 7, 2021.
  10. "Express Logic's X-Ware IoT Platform is now Arm PSA Certified". Embedded Computing.
  11. "FreeRTOS | PSA Certified". 2020-03-16. Retrieved 2021-04-09.
  12. "PSoC 64 Standard Secure MCU family achieves PSA Level 2 certification". New Electronics. September 21, 2021.
  13. "InGeek Embedded World PSA Certified". InGeek.
  14. "Macronix ArmorFlash NOR Flash achieves PSA Certified Level 1 status". New Electronics. August 31, 2021.
  15. "SAM L10 and SAM L11 Microcontroller Family". Microchip Technology.
  16. "Nordic Semiconductor nRF9160 SiP and nRF5340 SoC achieve PSA Certified Level 2 for enhanced IoT security assurance". Nordic Semiconductor.
  17. "Nuvoton Debuts PSA Certified Level 1 and PSA Functional API Certified Arm Cortex-M23 Based MCU for Global Market Targeting IoT Security". Nuvoton.
  18. "NXM Achieves PSA Level One Certification from UL for its Autonomous Security Software". UL. October 8, 2019.
  19. "The LPC553x/S3x MCU family further expands the world's first general purpose Cortex-M33-based MCU series". Arm Limited.
  20. "OneOS certification". PSA Certified. 3 February 2021.
  21. "Renesas Electronics Unveils RA Family of 32-Bit Arm Cortex-M Microcontrollers with Superior Performance and Advanced Security for Intelligent IoT Applications". Renesas.
  22. Cohen, Perry. "RT-Thread IoT OS Achieves PSA Security Certification". Embedded Computing Design.
  23. "Sequitur Labs' EmSPARK 2.0 Security Suite achieves PSA Certified status". New Electronics.
  24. Dahad, Nitin (March 17, 2021). "Silicon Labs First to Achieve PSA Certified Level 3 Status for Wireless SoC". EE Times.
  25. "Goodix receives PSA Certification" (in Chinese). EE Times China.
  26. "Dev kits and software for STM32U5 – and chips now available". Electronics Weekly. October 1, 2021.
  27. "Unisoc Launches All-New AIOT Solution V5663". Unisoc. March 2, 2020. Archived from the original on June 16, 2020. Retrieved August 4, 2020.
  28. "Veridify Security's DOME Client Library Achieves PSA Certified Level 1 Accreditation". Embedded Computing (magazine).
  29. "Winbond TrustME Secure Flash Memory achieves PSA Certified Level 2". Winbond. February 26, 2020.
  30. Winning, Ally (3 March 2020). "Winbond TrustME secure flash gets PSA Certified Level 2 Ready". EE News.
  31. "Linaro contributes to the Zephyr Project becoming PSA certified". Linaro.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.