NXP processors with integrated secure enclave provide silicon root of trust and robust security architecture to help protect edge devices against physical and network attacks
NXP has announced the EdgeLock™ secure enclave, a preconfigured, self-managed and autonomous on-die security subsystem that offers intelligent protection for Internet of Things (IoT) edge devices against attacks and threats. Fully integrated as a built-in security subsystem across NXP’s upcoming i.MX 8ULP, i.MX 8ULP-CS and i.MX 9 applications processors, it eases the complexity of implementing robust, system-wide security intelligence for IoT applications.
This secure enclave enables developers to more easily achieve their security goals, freeing them to focus on new ways to differentiate their edge applications. By integrating secure enclave into many upcoming EdgeVerse™ processor families, NXP will provide developers with a wide range of scalable options to more easily deploy state-of-the-art security in thousands of edge applications including smart home devices, wearables, portable healthcare devices, smart appliances, embedded controls and industrial IoT systems.
“Billions of IoT products deployed at the edge have become attractive targets for attacks. Providing a security framework based on strong isolation enables device makers to focus on the functionality and rely on the tested and proven security from NXP,” said Wolfgang Steinbauer, Vice President and Head of Crypto and Security, NXP. “Building on NXP’s strong history of providing end-to-end security solutions, we’ve engineered the EdgeLock secure enclave to simplify the deployment of robust security mechanisms and meet the ever-increasing demand for scalable, easy-to-implement IoT security. Embedded developers can now focus on their applications and time-to-market challenges, and let the EdgeLock secure enclave technology handle the underlying complexities of securing the IoT.”
“Security HQ,” a Fortress in a Chip
The self-contained, on-die hardware security subsystem has its own dedicated security core, internal ROM, secure RAM, and supports state-of-the art side channel attack resilient symmetric and asymmetric crypto accelerators and hashing functions, providing an array of security services to the other user-programmable cores within the SoC. In essence, the secure enclave functions like a security headquarters or fortress inside the system-on-chip (SoC), storing and protecting key assets, including RoT and crypto keys to protect the system against physical and network attacks.
This subsystem is isolated from the other processor cores that handle applications and real-time processing functions. This physically-siloed architecture supports a well-defined security perimeter within the SoC, simplifies development of secure IoT products, and enhances SoC and application security by isolating secure key store management, cryptography and other important security features.
The secure enclave provides flexible policies and controls that extend security practices beyond mainstream cryptography. It enables autonomous management of critical security functions including silicon root of trust, run-time attestation, trust provisioning, SoC secure boot enforcement, fine-grained key management augmented by extensive crypto services for advanced attack resistance, while also simplifying the path to security certifications.
Advanced Tamper Detection
Advanced tamper detection and response techniques protect the entire root of trust, ensuring functional integrity during operation of the secured processor. When an attack is detected, the secure enclave system is designed to block it.
Intelligent Power Management
The EdgeLock secure enclave is designed to intelligently track power transitions when end user applications are running on the processors. This unique “power-aware” capability enhances resistance and prevents new attack surfaces from emerging by enforcing security policies when the application processor’s heterogeneous cores enter different power modes.
It uses managed agents to extend security across the SoC domains outside of the security HQ. These autonomous agents establish and maintain system-wide security capabilities, manage keys and enforce policies across domains. The agents operate independently through private buses within the SoC to ensure that other system domains, for example those running Linux or an RTOS, are always protected, especially during power mode transitions.
Ready to Go
Preconfigured security policies help developers reduce the complexity of security implementations and avoid costly integration errors for faster time to market. The EdgeLock secure enclave supports provisioning services outside of the enclave, offering a simpler path to security certifications. This on-die security technology also supports the latest IoT use cases such as secure connection to public/private clouds, device-to-device authentication and sensor data protection.
The EdgeLock secure enclave will be fully integrated as a standard security feature across i.MX 8ULP, i.MX 8ULP-CS and i.MX 9 applications processor families and more upcoming EdgeVerse products. For more information, please visit nxp.com/secureenclave or contact NXP Sales worldwide.