AN2604: Unlocking Secure Elements Advantages Beyond Built-in Microcontroller Security


Abstract

More and more microcontrollers embed security features. While conveniently available to the designers, the level of resistance of these security mechanisms against attacks may vary within a family of microcontrollers and from vendor to vendor. They may or may not be sufficient to reach the security goals of the application. While microcontrollers with integrated security features offer conveniently available protection, purpose-built hardware components called secure elements, also known as hardware root of trust or secure authenticators, provide a dedicated and optimized security for sensitive data and operations. This application note explores the key advantages of secure elements, including isolated cryptographic processing, enhanced resistance to physical and software attacks, compliance with industry standards, and ease of integration into a system. By leveraging the unique capabilities of secure elements, developers can achieve robust protection with minimal design effort.

Introduction

Secure elements are dedicated ICs that perform cryptographic functions and provide tamper-resistant secure storage for keys and credentials. They are frequently used in embedded applications and, in most cases, are connected to a host microcontroller through a serial bus such as I2C or SPI.

Figure 1. Secure element concept

Secure elements were historically designed to enable upgrading the security of a system with minimal design effort. Their immediate advantage is that security can be added to a system without changing the processor or the architecture, saving the effort that a comprehensive redesign would require.

Are Secure Elements Still Necessary?

With the increased need for security, the natural path taken by most microcontroller vendors has been to integrate security into the microcontroller itself, embedding cryptographic and security functions such as:

  • Digital signature computation and verification
  • Encryption
  • Secure storage
  • Random number generation

Given these integrated security building blocks, is a secure element redundant compared with the security features of a general-purpose microcontroller? As this document shows, there is no simple answer to this question. Let us review the commonalities and differences.

Isolation

In general, it is desirable to have security-critical firmware isolated from the rest of the software, which provides the following advantages:

  • Isolation allows implementation of small, security-focused firmware separated from a complex, feature-rich operating system that would otherwise expose a large attack surface.
  • Simple software is less likely to carry bugs that attackers could exploit to gain access to sensitive assets or bypass security mechanisms.
  • Code review provides higher assurance and is feasible for a reasonably small piece of software, whereas reviewing the whole firmware would be very challenging.

In microcontrollers, various mechanisms support isolation. Arm TrustZone is widely used; MMUs and MPUs are also popular. While these mechanisms are valuable, their implementation determines whether they can be defeated by attack techniques such as glitch attacks [1]. Also, to be effective, hardware isolation must be exploited through proper configuration and software implementation. For example, memory boundaries for the secure and non-secure areas must be carefully defined; an improper configuration results in exploitable faults.
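As an added illustration of the configuration point above (not code from the application note), here is a host-side sanity check over a constructed secure/non-secure memory map: it flags windows that are not aligned to the SAU granule and any window claimed by both worlds, the kind of mistake that leaves a secure key store reachable from non-secure code. The region names, addresses and the 32-byte granule are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a TrustZone memory map (host-side checker, not SAU
 * register code): each window carries the world it is intended for. */
typedef enum { WORLD_SECURE, WORLD_NONSECURE } world_t;
typedef struct { const char *name; uint32_t base; uint32_t size; world_t world; } region_t;

#define SAU_GRANULE 32u /* Armv8-M SAU region boundaries are 32-byte aligned */

static int overlaps(const region_t *a, const region_t *b) {
    uint64_t a_end = (uint64_t)a->base + a->size; /* exclusive end */
    uint64_t b_end = (uint64_t)b->base + b->size;
    return a->base < b_end && b->base < a_end;
}

/* Counts configuration faults: empty or misaligned windows, and any pair of
 * windows from different worlds that overlap (a secure asset exposed to
 * non-secure code, or non-secure data trusted by secure code). */
int check_memory_map(const region_t *map, size_t n) {
    int faults = 0;
    for (size_t i = 0; i < n; i++) {
        if (map[i].size == 0 || map[i].base % SAU_GRANULE || map[i].size % SAU_GRANULE) {
            printf("fault: %s is not a multiple of %u bytes\n", map[i].name, SAU_GRANULE);
            faults++;
        }
        for (size_t j = i + 1; j < n; j++)
            if (map[i].world != map[j].world && overlaps(&map[i], &map[j])) {
                printf("fault: %s and %s are in different worlds but overlap\n",
                       map[i].name, map[j].name);
                faults++;
            }
    }
    return faults;
}

/* Constructed SRAM layout: 128 KiB at 0x20000000 with a 4 KiB secure key store
 * at the top. The only variable is how large the non-secure RAM window is
 * declared: 0x20000 (the whole SRAM) swallows the key store, 0x1F000 does not. */
int map_faults(uint32_t nonsecure_ram_size) {
    const region_t map[] = {
        { "secure_flash",  0x08000000u, 0x00040000u,        WORLD_SECURE },
        { "nonsecure_ram", 0x20000000u, nonsecure_ram_size, WORLD_NONSECURE },
        { "secure_keys",   0x2001F000u, 0x00001000u,        WORLD_SECURE },
    };
    return check_memory_map(map, sizeof map / sizeof map[0]);
}
```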

The benefit of using a secure element is that the isolation is physical and cannot be broken: firmware running on the microcontroller has no way to interfere with the firmware running in the secure element. The isolation provided by the dual-chip architecture is more robust than that offered by mechanisms internal to a microcontroller.

It is also possible to combine the microcontroller's internal isolation mechanisms with a secure element. For example, the security-critical software that calls the secure element runs in the Trusted Execution Environment (TEE) created by Arm TrustZone, and the overall level of security is reinforced.
