PSA Certified & SESIP: A Root of Trust for the World
PowerPoint presentation by Rob Coombs, uploaded 2023-07-28

Presentation Transcript

1. PSA Certified & SESIP: A Root of Trust for the World
Rob Coombs, PSA Certified Members

2. Agenda
- Introduction to PSA Certified
- Why PSA Certified and SESIP?
- Using the PSA Certified SESIP Profiles

3. PSA Certified Addresses the IoT Challenge
- Almost no security evaluation or threat models
- 10,000s of OEMs, many without security expertise
- Dozens of software platforms
- 100s of chips, each with its own approach to chip-based security & RoT

4. PSA Certified 10 Security Goals
- Unique identification
- Security lifecycle
- Attestation
- Secure boot
- Secure update
- Anti-rollback
- Isolation
- Interaction
- Secure storage
- Cryptographic/trusted services
Download the security goals PDF for more information. See also: IoT Threat Models; PSA Security Model 10 Goals & Microsoft 7 Properties.

5. PSA Certified Has Two Parts: Security by Design Questionnaire + Chip Root of Trust
Security by Design (PSA Certified Level 1)
- Device & software platform focus
- PSA Security Model 10 Goals + NIST 8259A + EN 303 645 device requirements
- <40 questions in 2 composite sections
Chip RoT (PSA Certified Level 1, 2 & 3)
- PSA JSA defines the PSA-RoT Profile / PP
- PSA Certified for PSA-RoT (aligned with SESIP EM at L2 & L3)
- Trustedfirmware.org open source code

6. PSA Certified & Industry Alignment
PSA Certified is aligned with major regulations and standards including (in Level 1 v2.2):
- NISTIR 8259A (NIST - IoT Device Cybersecurity Capability Core Baseline)
- EN 303 645 (European standard - Cyber Security for Consumer IoT)
- SB-327 (California law - Security of Connected Devices)
- Matter (CHIP): PSA Certified added to the list of options for cybersecurity certification that manufacturers can choose
- IEC 62443 4-2 (RoT part - Security for industrial automation and control systems)
- CSA-311
- AVS (Amazon): "1.16. Device SHALL use a chipset that relies on hardware-based security capabilities and meets PSA certified Level 1 or similar."
- UL: "UL will recognize PSA Certified as a fast-track for achieving UL's Secure IoT Component Qualification" [2]
- ioXt: "ioXt has selected PSA Certified as a foundational Root of Trust scheme and will recognize it in its product evaluations" [3]
PSA Certified is available with a choice of evaluation methodology: CSPN-style and GlobalPlatform SESIP.
[2] www.ul.com/news/ul-recognizes-psa-certified-fast-track-uls-secure-iot-component-qualification
[3] https://www.ioxtalliance.org/news-events-blog/ioxt-alliance-psa-certified-align-to-improve-iot-device-security

7. PSA Certified
A comprehensive security offering – openly published. Independently tested.
- Analyze: threat models & security analyses (methodically developed)
- Architect: hardware & firmware architecture specifications (open architecture)
- Implement: firmware source code (open source implementation)
- Certify: independently tested (enabling trust)

8. Result – A Growing Ecosystem
- Products PSA Certified: 129
- Software Platforms PSA Certified: 23
- Chips PSA Certified: 80
- Devices PSA Certified: 26
PSA Certified is being adopted by the rapidly growing ecosystem of silicon vendors, software providers and device manufacturers. The majority of the top 10 silicon providers are PSA Certified.
https://www.psacertified.org/certified-products/

9. Agenda
- Introduction to PSA Certified
- Why PSA Certified and SESIP?
- Using the PSA Certified SESIP Profiles

10. Why SESIP Evaluation Methodology?
The first PSA-RoT PP used Common Criteria, but we found it was not fit for the IoT world:
- Difficult for engineers to interpret the SFRs
- Long & costly evaluation process
- Lacked meaning for OEMs
PSA members looked for alternatives to CC in 2019 and published the first version of PSA Certified Level 2 using an ANSSI CSPN-style PP with a commercial Certification Body:
- Easy to read and understand Protection Profile
- Fixed time in the lab (25 days) led to a good balance of assurance and cost
- Level 2 demonstrates protection from basic software attacks
Result was good – but it was a non-standardized approach.

11. Why SESIP Evaluation Methodology? (2)
Arm supported the donation by NXP of SESIP to GlobalPlatform in the hope that it could become the standardized evaluation scheme that the electronics industry needs:
- SESIP Profiles (PPs) for products that engineers can read and understand
- Enables meaningful assurance levels
- Allows fixed-time evaluations
- Available via high-quality labs
- Available via a responsive Certification Body
PSA Certified now makes all of its Protection Profiles available as SESIP Profiles and recommends this route to its chip vendor partners.
PSA Certified is the biggest user of the SESIP Evaluation Methodology.

12. PSA Certified & SESIP Timeline
- 2019 – Aligned assurance levels with PSA Certified & SESIP; TrustCB selected as CB for PSA Certified
- 2020 – PSA Certified PSA-RoT Level 2 SESIP Profile
- 2021 – PSA Certified PSA-RoT Level 3 SESIP Profile
- 2022 – PSA Certified RoT Component, SESIP Device Profiles; updates to enable Level 2 + Secure Element (L2+SE)

13. Agenda
- Introduction to PSA Certified
- Why PSA Certified and SESIP?
- The PSA Certified SESIP Profiles

14. Easy to Understand Scheme
- PSA Certified provides three progressive levels of security assurance/robustness
- PSA Certified API compliance enables the ecosystem through a consistent high-level interface to the PSA-RoT
Chart: PSA Certified Levels (PSA-RoT) plotted by depth of testing against robustness/threats, rising through Security Principles, Software Attacks and Hardware Attacks.

15. PSA-RoT Scope
PSA-RoT is a combination of trusted hardware and firmware providing trusted functions such as: secure initialization, cryptographic operations, secure storage, attestation, secure debugging.

16. PSA Certified Level 2 & Level 3 Overview
- Target of Evaluation (ToE): the PSA-RoT, evaluated against a SESIP Profile with RoT Security Functional Requirements
- Evaluation Methodology: SESIP or CSPN style
- Attack methods: Level 2 = software attacks, attack potential (AP) 16; Level 3 = hardware & software attacks, AP 21
- The vendor supplies a Security Target (ST) and evidence
- Accredited security labs (UL, Riscure, CAICT, BRS, ECSEC, Applus, Serma) evaluate the implementation and documentation, then submit the evaluation test reports to the certification body
- The certification body, TrustCB, validates the test results and issues the certificate

17. PSA Certified Level 2
Lab-based evaluation of the PSA Root of Trust (PSA-RoT)
- White box evaluation against the PSA-RoT SESIP Profile
- For chip vendors
- 25-day time-limited evaluation
- Assurance against scalable remote software attacks
- First Level 2 certifications announced in 2020
Diagram: PSA Certified APIs (Crypto, Attestation, Secure Boot, Secure Storage, Firmware Update) on top of the PSA-RoT.

18. PSA Certified Level 2 + Secure Element
- New for 2022
- Addresses the problem of a poorly integrated Secure Element (SE)
- PSA Certified Level 2+SE combines the on-chip RoT with a Trusted Subsystem such as an on-chip or off-chip pre-certified Secure Element with physical attack resistance
- 20 system software requirements
- The SE becomes part of the PSA-RoT
- The SE is integrated via a protected channel
- PSA Certified Level 2 documentation (SESIP) has been improved and extended to include this integration
- Available now

19. PSA-RoT with Secure Element
Typical use cases: pre-provisioned keys/certs, authentication, attestation, key store, enhanced SoC trusted boot
Pre-certified SE can be off-chip (with a protected channel) or on-chip
Diagram: CPU, memory and peripherals alongside the PSA-RoT, which is exposed through the PSA Functional APIs (Crypto, Attestation, Secure Storage, Firmware Update, Secure Boot) and backed by a Secure Element (pre-certified >= Level 3).

20. PSA Certified Level 3
- Adds physical attacker threat
- Higher attack potential (21 vs. 16 for Level 2)
- 35-day evaluation to allow for physical attacks including glitching and side-channel attacks
- Two equivalent Evaluation Methodologies (EM): CSPN style, GlobalPlatform SESIP

21. PSA Certified Level 3 RoT Component
- SESIP Profile
- Certification of a trusted subsystem with a subset of PSA Certified Level 3 SFRs
- Can be used in composition for efficient certification at PSA Certified Level 3 or Level 2+SE
- Useful for certification of a trusted subsystem such as a Secure Element that can be used with a SoC to achieve Level 2 + Secure Element

22. SESIP Device Level Profiles
- PSA Certified has created example device-level SESIP profiles for a smart camera and a smart speaker
- Provided with a permissive Creative Commons licence to encourage OEMs to adapt them to their own needs
- Appendix has a mapping to a chip's PSA-RoT SFRs
https://www.psacertified.org/development-resources/building-in-security/threat-models/

23. PSA Certified & SESIP – A RoT for the World

24. Thank You
The PSA Certified name, PSA Certified logos, PSA Functional API Certified logo and any other Arm trademarks featured in this document are registered trademarks or trademarks of Arm Limited (or its subsidiaries) in the US and/or elsewhere. All rights reserved. Other brands and names mentioned in this document may be the trademarks of their respective owners.

25. Find out more: www.psacertified.org
- Access training material, resources and webinars: PSACertified.org/resources
- Latest research: report.psacertified.org
- Join us on Twitter & LinkedIn: @PSACertified
Contact Rob for more details: Rob.Coombs@arm.com