Online training: Designing secure microcontroller systems
Introduction to developing secure microcontroller systems with the Mbed-TLS cryptographic library.
The course starts with the Arm Platform Security Architecture (PSA) and cryptographic primitives from the freely available mbedTLS library. MbedTLS is a cryptographic library developed by Arm as part of Mbed OS.
Public and private keys, digital signatures and certificates are also handled using the example of mbedTLS with MQTT. Another focus of the training is the Arm Trusted Firmware and the Arm TrustZone, which includes Secure Boot as part of the Root of Trust.
You will also learn how the functions of the Cortex-M processor can be used to implement a secure system in the best possible way.
The seminar is designed as a hands-on course using the Microcontroller Development Kit (MDK) that is provided.
Next date will be in spring 2022.
With a precourse for the software setup approx. one week prior to the training.
Please note, that this course is held in English.
Day 1: Platform Security Architecture and Cryptography
The course will begin with an overview of the Arm Platform Security Architecture to describe its specifications, methodologies firmware and software tools. We will then provide an introduction to essential cryptographic primitives using the open source mbedTLS library. The features covered will include
- Symmetrical Ciphers
- Hashing Algorithms
- Message Authentication Codes
- Random Number Generation
Day 2: Secure communications
In this section we will extend our use of the mbedTLS library to include public key cryptography. We will also develop an understanding of the Public Key Infrastructure and how to establish secure communications using the Transport Layer Security Protocol. The topics covered today will be:
- Public Key Cryptography: RSA,DH, Elliptic Curve Cryptography, Digital Signatures
- Public Key Infrastructure: Man in the middle attack, X.509 Certificates, Transport Layer Security
- IoT message protocols: MQTT, JSON, CBOR
Homework: AWS-IoT tutorial
Amazon web services is one of the leading cloud platforms. This self paced workbook is designed to introduce you to connecting your device to a cloud platform. Once connected we will take a tour of the extensive services provided by AWS-IoT. Throughout this tutorial we use the AWS free tier.
- Connecting IoT Things to AWS-IoT
- Placing IoT data into a time series database
- AWS Analytics
- AWS Lambada
- Device services
- Device Defender, Device Shadow, Device Jobs
Day 3: Trust Zone and security Architecture
Historically ‘Software attacks on small embedded devices have been very rare. However, as we begin to deploy millions of IoT devices it is a threat we must take seriously. We will begin the second half of this course will begin by considering how an IoT device is vulnerable to a software attack which will allow an attacker can gain control of our devices and system. We will then look at using Threat modelling to discover possible attack exploits that may be used by an adversary and how these can be countered by adopting the PSA security Model
A key feature of the PSA security model is system partitioning to separate application and secure functions and data. We will take a detailed look at how this is achieved with Arm Trust Zone for Cortex-M. We will also introduce the CMSIS Zone Utility which can be used to configure complex memory maps.
We will also see how Trust Zone has been implemented in a typical Cortex-M33 microcontroller along with vendor hardware extensions to create a trusted execution environment.
- Software attacks
- PSA security Model
- ARMv8-M Trust Zone and Memory Protection Unit
- NXP LPC56S69 Trusted Execution Environment
Day 4: PSA Trusted Firmware
The Arm Trusted Firmware provides an open source free to use reference platform for the secure partition software. Today we will examine the architecture of the TF-M software and how to use the security services, crypto, secure storage, event logging and attestation that it provides. In any IoY system it must be possible to update the firmware of any deployed device. The TF-M firmware includes a modified version of the open source mcuBoot bootloader. In this final section we will look at the operation of mcuBoot and how to prepare and sign update images. We will also see how mcuBoot is ported to a specific microcontroller.
- Trusted Firmware Secure Processing Environment
- Trusted Firmware Security Services
- Secure Boot and “Updatable Root of Trust”
- Two monitors: one for your own work and a second that shows the training contents in parallel.
- Installation and licensing of the MDK-Arm in the run-up to the seminar via internet
- Basic knowledge of programming embedded systems under C
What you get additionally
- MDK-Arm-Professional (30 days full license)
- All seminar documents and examples for self training/deepening
- Evaluation Board LPC55S69-EVK with Cortex M33
- WiFi Daughter Board MIKROE-2542
1.590 € excl. TAX
Please note our early booking conditions! You save 200,- €
You have individual wishes? Or do you need in-house training? Then contact us for further details.