The Latest Developments in IoT Device Security

Asim: Right now, we don't have provision to support your own crypto algorithms. The SoC's secure enclave has a multitude of different crypto algorithms that are widely-used, but right now, all the support will have to come through NXP-signed firmware. If there are specific algorithms that you think are not covered in the superset of cryptographic features that we have, we'd like to know, so that we could review that for the future. But right now, we don't allow custom algorithms to be implemented.

Asim: You can use the EdgeLock secure enclave to do encryption of your SoC assets, whether that be your machine learning models, whether that be your IP. We can use it for doing specific secure updates. We can use the EdgeLock enclave if we're doing manufacturing protection. So, there are a multitude of security functions that the secure enclave lends itself to.

Asim: Inherently, the EdgeLock enclave has APIs that any of the OP-TEEs, and especially OP-TEE itself, or the trusted environment that Android supports, such as Trusty, can interface with. So, again, we have full support for Android, and will work seamlessly with our secure enclave as well.

Maciej: Yes. Today, we do offer a plug-in for Buildroot, so you can generate an SBOM using Vigiles out of any Buildroot.

Maciej: Vigiles itself is offered as a subscription. So, there are no attachments to a specific SBOM. You can run as many scans as you see fit. You can scan as many products as you'd like. The licensing is based on number of users who would want to use that solution.

Bob: That’s a good question. And I think Asim touched on that. There are different standards and regulations for each industry, that are not only in place but are evolving. So, we are also, on our SOMs, we're looking at the low level, the SESIP certifications and things like that. And then, we really provide the building blocks for each customer, to identify the particular things that they need.

Bob: That's a good question. If customers will not allow it, then you can still create firmware updates that you can upload directly to the machines, without cloud support. We also have cellular devices, in the Digi XBee® cellular line, that can do out-of-band updates to our devices as well. But you can certainly create your firmware updates and then allow customers to load those directly to their machines.

Bob: These are all in-process, and I would expect, in the next 18 to 24 months, we'll see more legislation in some of these states. You know, it varies by priority, but it’s a rapidly-changing situation. It's something you have to monitor throughout an embedded product development, because it will be different at the certification point and launch point than it was when you started.

Asim: If I understand the question correctly, we’re talking about configurable hardware hardening. So, basically, we do have a level of hardening that our products go through. Obviously, we have different product lines that have different security requirements and security targets. So, as we proceed with our i.MX 9 Series, we will have newer i.MX 9 Series products in the future that will have more advanced features and hardenings than our current generation. But, off the bat, we do have sensors, and we have other types of features that can be configured by the customer to enable more protection, depending on their use case. But those are some of the primary features. Hope that answers the question. If not, I can definitely provide some more guidance offline.

Asim: Yes, we do have an API document, and we're also in the process of creating a user guide, but basically, the API document gives information on how to interface with the messaging units that will be the in and out for the secure enclave. And that will have specific functions to set up keys, to set up functions, to do a host of features that are abstracted away from the user. So, to simplify, the API does exist, and we'll provide some of that information. And that is available as part of our enablement documentation.

Asim: Yes, for i.MX 93, we are targeting FIPS 140-3. We are currently in the process of the certification. As some of you may know, this is a pretty lengthy certification process, so we are definitely targeting this. Unfortunately, due to the timeline, and sort of the backlogs in the NIST certification process, this does drag along. But right now, we are targeting both FIPS, as well as SESIP PSA Level 2, on the SoC side. So, from a SoC perspective, we are targeting that. And then, I think we do have solutions from TimeSys that are PSA-compliant as well. And I'll leave it to Bob to see if there are any plans there as well.

Bob: Yes, I think it's the same thing. We have some things in process. We're looking at PSA certifications, and we have done FIPS 140-2 certification with specific customers and leveraged different things for our SOMs. We have looked at FIPS 140-3 as well. So, it's something that we'll see in the future.