Staying on top of governmental regulations can be a challenging task for any business, particularly for organizations that build and deploy connected devices. In this webinar, learn how to stay ahead of the regulations with secure embedded devices.
The new built-in security subsystem included in the latest NXP i.MX processors, including the i.MX 93 in Digi ConnectCore® 93, can help OEMs stay secure with any build. Furthermore, ConnectCore® Security Services can help keep products secure throughout their entire lifecycle.
Connect with Digi
Want to learn more about how Digi can help you? Here are some next steps:
Follow-up Webinar Q&A
Thank you again for attending our session with with NXP and TimeSys on security in embedded devices. If you have additional questions, be sure to reach out.
Moderator: Mitch Sinon, Senior Marketing Manager, Digi International
Presenters:
- Bob Blumenscheid, Senior Product Marketing Manager, Digi International
- Asim Zaidi, Technical Director, Secure Connected Edge, NXP Semiconductors
- Maciej Halasz, VP of Technology, TimeSys Corporation
Asim, relating to your section of the presentation, can I use my own crypto algorithm?
Asim: Right now, we don't have provision to support your own crypto algorithms. The SoC's secure enclave has a multitude of different crypto algorithms that are widely-used, but right now, all the support will have to come through NXP-signed firmware. If there are specific algorithms that you think are not covered in the superset of cryptographic features that we have, we'd like to know, so that we could review that for the future. But right now, we don't allow custom algorithms to be implemented.
Regarding EdgeLock secure enclave, do you have any suggestions for how to apply secure enclave features of the SoC in practice?
Asim: You can use the EdgeLock secure enclave to do encryption of your SoC assets, whether that be your machine learning models, whether that be your IP. We can use it for doing specific secure updates. We can use the EdgeLock enclave if we're doing manufacturing protection. So, there are a multitude of security functions that the secure enclave lends itself to.
Asim, what about Android support?
Asim: Inherently, the EdgeLock enclave has APIs that any of the OP-TEEs, and especially OP-TEE itself, or the trusted environment that Android supports, such as Trusty, can interface with. So, again, we have full support for Android, and will work seamlessly with our secure enclave as well.
Maciej, will SBOM be supported for Buildroot systems?
Maciej: Yes. Today, we do offer a plug-in for Buildroot, so you can generate an SBOM using Vigiles out of any Buildroot.
Maciej, how is TimeSys licensed? Per device, or per device user?
Maciej: Vigiles itself is offered as a subscription. So, there are no attachments to a specific SBOM. You can run as many scans as you see fit. You can scan as many products as you'd like. The licensing is based on number of users who would want to use that solution.
Bob, you mentioned that every industry has different security challenges that need to be addressed. What is your process for determining what those challenges are, and mitigating them?
Bob: That’s a good question. And I think Asim touched on that. There are different standards and regulations for each industry, that are not only in place but are evolving. So, we are also, on our SOMs, we're looking at the low level, the SESIP certifications and things like that. And then, we really provide the building blocks for each customer, to identify the particular things that they need.
Bob, how far can we manage security lifecycle without cloud support? We have customers not allowing cloud access.
Bob: That's a good question. If customers will not allow it, then you can still create firmware updates that you can upload directly to the machines, without cloud support. We also have cellular devices, in the Digi XBee® cellular line, that can do out-of-band updates to our devices as well. But you can certainly create your firmware updates and then allow customers to load those directly to their machines.
Bob, from your presentation, there was a graphic showing legislation in process for some states on the East Coast. What does the timeline look like for those? When do you believe those laws may be in place by?
Bob: These are all in-process, and I would expect, in the next 18 to 24 months, we'll see more legislation in some of these states. You know, it varies by priority, but it’s a rapidly-changing situation. It's something you have to monitor throughout an embedded product development, because it will be different at the certification point and launch point than it was when you started.
Asim, Do you support configurable hardware hardening in secure enclave?
Asim: If I understand the question correctly, we’re talking about configurable hardware hardening. So, basically, we do have a level of hardening that our products go through. Obviously, we have different product lines that have different security requirements and security targets. So, as we proceed with our i.MX 9 Series, we will have newer i.MX 9 Series products in the future that will have more advanced features and hardenings than our current generation. But, off the bat, we do have sensors, and we have other types of features that can be configured by the customer to enable more protection, depending on their use case. But those are some of the primary features. Hope that answers the question. If not, I can definitely provide some more guidance offline.
Asim, is there documentations for secure enclave to test and understand these features?
Asim: Yes, we do have an API document, and we're also in the process of creating a user guide, but basically, the API document gives information on how to interface with the messaging units that will be the in and out for the secure enclave. And that will have specific functions to set up keys, to set up functions, to do a host of features that are abstracted away from the user. So, to simplify, the API does exist, and we'll provide some of that information. And that is available as part of our enablement documentation.
Are there any plans to support FIPS 140-3?
Asim: Yes, for i.MX 93, we are targeting FIPS 140-3. We are currently in the process of the certification. As some of you may know, this is a pretty lengthy certification process, so we are definitely targeting this. Unfortunately, due to the timeline, and sort of the backlogs in the NIST certification process, this does drag along. But right now, we are targeting both FIPS, as well as SESIP PSA Level 2, on the SoC side. So, from a SoC perspective, we are targeting that. And then, I think we do have solutions from TimeSys that are PSA-compliant as well. And I'll leave it to Bob to see if there are any plans there as well.
Bob: Yes, I think it's the same thing. We have some things in process. We're looking at PSA certifications, and we have done FIPS 140-2 certification with specific customers and leveraged different things for our SOMs. We have looked at FIPS 140-3 as well. So, it's something that we'll see in the future.