---

1. Secure Element  

The drastic increase of connected devices within Consumer, Industrial and Medical applications was closely followed by exponential increase of attacks on embedded systems. 20 years ago, Security was handled through obscure crypto algorithm and key management (Unique Identity) was embed in software, which was more than enough at that time.

Within the increase of attacks and reinforcement of Data Privacy regulation to protect end users, companies need to transition to open / proven crypto algorithm as well as Hardware Secure Key storage (including but not limited to Unique Identity)

Implementing a Secure Element (SE) on an embedded system require knowledge to configure the SE and upfront investment cost for provisioning (secure programming) Keys in SE within a Secure Environment (Secure HSM, Secure Flow implementation, Employee training, Yearly Audits…), not breaking the overall Security Root of Trust.

With the Trust Platform for CryptoAuthentication™ family, Microchip unveil a unique secure flow for customers to easily and immediately onboard with hardware security through our Secure Elements (ATECC608A / ATSHA204A / next generation devices) family and get fully provisioned devices with no upfront investment cost. This platform includes Hardware tools, software tools, Use Case tools and Secure provisioning services (uniquely programmed) starting 10 units MOQ.

Downloads

ATECC608A-TFLXTLS      ATECC608A-TNGTLS

Downloads

CryptoAuth Trust Platform Development Kit

Watch Videos now by clicking on the titles below

           

           

---

2. MCU with onboard security 

With the rapid expansion of connectivity, all embedded applications - whether it is automotive, industrial, home appliances or healthcare, are now increasingly being required to secure communication. As an application developer, it is sometimes difficult to gauge the level of security and effort required for this. Microchip, with its security expertise, can not only collaborate to help address the security needs for your application but also provide scalable security solutions that fit your application needs and security expertise.

Microchip has a 32-bit security ecosystem which is scalable and comprehensive. The 32-bit security hardware portfolio comprises microcontrollers with integrated hardware security features that will enable security functions like secure boot, attestation, encryption, secure update and many more. We support options for hardening security to add secure elements like ECC608A. The ecosystem also offers tools and firmware that are already configured to work seamlessly with the hardware. Training, Demos and Reference designs are an integral part of the ecosystem that can help customers ramp on developing secure applications.

Create Secured IoT Endpoints with the First 32-bit MCU to Feature Robust, Chip-level Security and Arm TrustZone Technology

SAM L11 is the industry’s lowest power microcontroller in the same class with integrated hardware security. It offers robust security features including secure boot, Trustzone®, Tamper resistance and secure Debug. The SAM L11-KPH family is integrated with a Trusted Execution Environment (TEE) called Kinibi-m that can accelerate secure application development. External provisioning of SAM L11 is also available at Arrow’s programming centers.

SAM D5x and E5X provide powerful performance and enhanced security features

The SAM D5x and E5x high performance micro-controller series is targeted for general purpose applications using the 32-bit ARM® Cortex®-M4 processor with Floating Point Unit (FPU), running up to 120 MHz ,up to 1 MB Dual Panel Flash with ECC, CAN-FD and up to 256 KB of SRAM with ECC. It features several connectivity options, an integrated crypto hardware acceleration and an anti-tampering mechanism.

Both the SAM D5x and E5x families contain comprehensive cryptographic hardware and software support, enabling developers to incorporate security measures at a design’s inception. Hardware-based security features include a Public Key Cryptographic Controller (PUKCC) supporting Elliptic Curve Cryptography (ECC) and RSA schemes as well as an Advanced Encryption Standard (AES) cipher and Secure Hash Algorithms (SHA).

Protect Against Rootkit and Bootkit Malware in Systems that Boot from External SPI Flash Memory

A new cryptography-enabled microcontroller (MCU), the CEC1712 MCU with Soteria-G2 custom firmware – designed to stop malicious malware such as rootkit and bootkit for systems that boot from external Serial Peripheral Interface (SPI) flash memory.

Microchip’s Soteria-G2 custom firmware on its full-featured CEC1712 Arm® Cortex®-M4-based microcontroller provides secure boot with hardware root of trust protection in a pre-boot mode for those operating systems booting from external SPI flash memory. In addition, the CEC1712 provides key revocation and code rollback protection during operating life enabling in-field security updates. Complying with NIST 800-193 guidelines, the CEC1712 protects, detects and recovers from corruption for total system platform firmware resiliency. The secure boot with hardware root of trust is critical in protecting the system against threats before they can load into the system and only allows the system to boot using software trusted by the manufacturer.

To get more information on Microchip’s Security Solutions, Please sign up for our security seminar on September 23rd.

Downloads

SAM L10/L11 Family      Arrow Secure Provisioning Microchip SAML11 Flyer

Arrow Secure Provisioning Service

Products

CEC1712       SAML11       SAML11 DevKit       ATSAME53

ATSAME54-XPRO        DM320210       DM990013       DM990013-BNDL

Watch Videos now by clicking on the titles below 

           

---

3. MPU with onboard security

32-bit Microprocessors Security Solutions

With an increasing number of connected objects, security is not an option anymore, but a necessity. In order to be able to trust your data and to ensure a reliable system operation it is critical to implement security for data protection and to prevent anti-tampering.

Microchip’s microprocessors (MPUs) provide a wide range of embedded security options to protect your design and can be complemented with a pre-provisioned secure element (ATECC608) to ease connectivity to the cloud. They make finding and implementing the right security measures easy, in order to create systems that enable secure communication, protect data, are resistant against bugs, are securely field upgradable and are self-curing in the event of a memory content alteration and more.

Designers have the power to implement the advanced security features in SAMA5D2 MPUs, like powerful cryptographic accelerators, tamper detection, Secure Boot, Root of Trust, secure access to memories and ARM® TrustZone® extension, allowing the creation of a secure enclave. These security features have been tested by an independent lab to sustain the stringent requirements of the Payment Card Industry (PCI). Our partner, Sequitur Labs , provides a solution based o n a Trusted Execution Environment (TEE). Their EmSPARKTM Security Suite enables out-of-the-box security capabilities for Linux systems, allowing you to concentrate on your end application development rather than low-level security code.

   • Secure storage – Arm® TrustZone® secure cryptography, storage of keys, certificates and in-system data
   • Secure communications – Authenticated device pairing and IoT cloud communications (OpenSSL, TLS, MQTT)
   • Secure firmware update – Remotely upgrade MPU firmware safely and securely
   • Trusted boot – Root of trust verified initial startup code, Linux and other embedded software
   • Firmware protection – Encryption of embedded firmware and execution of authenticated firmware
   • Trusted device ID – Unique device certificate tied to root of trust for strong identity authentication

Ease MPU Designs with SiP and SOM

The hardware design complexity of an industrial-grade microprocessor (MPU)-based system has a high cost and significant time to market. Time and expertise are required to guarantee signal integrity for the high-speed interfaces while complying with Electromagnetic Compatibility (EMC) standards. Microchip MPUs, System in Package (SiP) or System on Module (SOM), are the solution.

The integration of SDRAM, DDR2 or LPDDR2 memory with our MPU in a SiP removes the high-speed memory interface constraints from the PCB , reduces its size and eases your hardware design. Our SOM, designed and manufactured in house, are certified industrial and are ready-to-use. They integrate in a SiP the power management, an Ethernet PHY, a nonvolatile boot memory, an optional wireless module and a secure element, all on a small PCB. It has a single supply and comes in a standard surface mount manufacturing technology like a QFP package. The SOM design files are provided for free to help you build your own board. We offer design review services with “MPUcheck” in order to reduce your development cycle.

All security features are offered on the SiP and SOM. Certain SAMA5D2 SiP options offer the PCI (Payment Card Industry) security certification.

Downloads

SAMA5D2 Series Datasheet        SAM9x60 Series Datasheet         The Shield96 Development Boards

Benefits of SAMA5D2 SIP and SOM

Product

SAMA9X60        SAMA5D2

Watch Videos now by clicking on the titles below 

           

---

4. FPGA in built security

Microchip FPGA takes Cyber security as a #1 concern for connected devices on the edge. Many designs today need more than meeting functional requirements, these requirements also must be met in a secure way. The security process starts during silicon and has to continue to be addressed through system deployment and operations. Microchip FPGAs have features that prevent overbuilding and cloning, have tamper detection and responses, while making sure the hardware stays secure with a Root of trust, it is all these different security features that make Microchip Polar Fire® FPGA one of the most advanced secure programmable FPGA.

 

Click here for more information about Microchip FPGA Solutions

Watch Videos now by clicking on the titles below 

     

---

5. Ethernet with security

Whatever your Ethernet security needs Microchip has the complete system solution. Common network security functionality can be implemented using our secure element devices or fully integrated into our smart switches with embedded processors. Smart switch hardware can inspect, in real time, every packet, providing a comprehensive intrusion detection and protect mechanism for robust and secure network connectivity. PHY level MACsec integration offers traffic packet encryption across end-to-end WAN connectivity.

Common Network Security    • Secure Boot    • Secure Updates    • Authentication    • Key management    • H/W Crypto acceleration    • Encryption / Decryption    • Secure Element support

Ethernet packet processing    • VLANs    • Deep Packet Inspection    • Access Control    • Ingres / Egress policing    • Time stamping    • Seamless redundancy    • MACsec

Downloads

Secure and Cost effective In vehicle Networking

Watch Videos now by clicking on the titles below 

---

6. Cloud & Software Frameworks

Microchip offer a combination of devices for Cloud-based applications, including in-house secure key provisioning service, turnkey code examples and the associated toolsets. Microchip’s devices are essentially composed of FIPS certified hardware cryptographic accelerators, offloading the crypto-operations off of the main controller and so reducing execution time and power budgets, a key element for battery powered embedded design. In addition, the devices include a secure key storage area, a high quality random generator in addition to other features. The secure key storage is tested against the Join Interpretation Library (JIL) from the Common Criteria specification.

- The CryptoAuthLib library contains all the necessary API calls for the host controller (either Linux microprocessor or microcontroller) to talk via a serial communication bus to the secure element. CryptoAuthlib makes Microchip’s devices completely agnostic of the main controller chosen by the designer and support various frameworks such as mBedTLS, WolfSSL, PKCS#11 with P11tool, AWS Greengrass, FreeRTOS and much more.

- The Trust Platform is a combination where customers leverage directly Microchip in-house provisioning service with our secure element. You have the choice between three tiers : a completely pre-configured and pre-provisioned Trust&GO device (MoQ with provisioning 10 units) for TLS networks with the ATECC608A-TNGTLS or for LoRa networks with the ATECC608A-TNGLORA with The Things Industries or ATECC608A-TNGACT with Actility. Trust&GO for TLS supports any core and any cloud providers like AWS IoT, Microsoft Azure IoT Hub, Google IoT core as well as on-premise server as long as they support TLS. The second tier is the pre-configured TrustFLEX (MoQ with provisioning 2,000 units) which offers similar perks as Trust&GO but allows you to implement your own PKI and leverage many more use cases such as disposable counterfeit protection, accessory ecosystem control, key attestation etc… The third tier is TrustCUSTOM propose a fully customizable secure element (MoQ with provisioning 4,000 units)

FreeRTOS from Amazon
FreeRTOS, based on the popular FreeRTOS kernel, is a microcontroller OS that makes small, low powered edge devices easy to program, deploy, secure, connect, and maintain.

Harmony v3

MPLAB Harmony v3 provides a unified platform with flexible choices spanning architectures, performance and application focus, enabling developers to learn and maintain a single environment on their computer. To support varying software development models from basic device configuration to Real Time Operating System (RTOS)-based applications, MPLAB Harmony version 3.0 relieves designers from having to download the entire software suite when they only need to use small elements or components of it. For example, developers can now simply download device drivers or a TCP/IP stack as their application demands, saving time and hard disk space. To further streamline development, the software features simplified drivers and optimized peripheral libraries. This alleviates developers from spending time and effort on lower level drivers, allowing them to focus on differentiating applications.

WolfSSL 

To reduce embedded security design cycles for customers, Microchip has partnered with wolfSSL to implement elements of the company’s security suite software in MPLAB Harmony v3. The multi-year agreement with wolfSSL provides developers ready-to-use, royalty-free software-based security solutions that emphasize speed, size, portability and standards compliance. Customers can go into production with a free commercial license anytime during the agreement and will have access to the following elements of wolfSSL’s suite: wolfSSL TLS Library, wolfMQTT Client Library and wolfSSH SSH Library.

wolfSSL Libraries included in Harmony v3!

• MPLAB Harmony contains wolfSSL Embedded TLS Library for development and evaluation.
   • 10-year FREE commercial license to customers
• Following wolfSSL modules are supported in Harmony v3:
   • wolfSSL TLS
   • wolfSSL SSH & wolfSSL MQTT

• The wolfSSL embedded TLS library
a lightweight TLS library targeted for embedded, RTOS, and resource-constrained environments - because of its small size, speed, and feature set
   • supports industry standards up to the current TLS 1.3 and DTLS 1.2 levels
   • up to 20 times smaller than OpenSSL
   • offers progressive ciphers such as ChaCha20, Curve25519, NTRU, and Blake2b

Soteria-G2

The Soteria-G2 firmware is designed to be used in conjunction with the CEC1712 to allow designers to speed adoption and implementation of a secure boot, by simplifying the code development and reducing risk. Soteria-G2 uses the CEC1712 immutable secure bootloader, implemented in Read-Only Memory (ROM), as the system root of trust

A particularly insidious form of malware is a rootkit, because it loads before an operating system boots and can hide from ordinary anti-malware software and is notoriously difficult to detect. One way to defend against root kits is with secure boot. The CEC1712 and Soteria-G2 firmware is designed to protect against threats before they can be loaded.. Soteria is highly configurable custom firmware that runs on CEC17x2 devices to provide a complete platform to establish a chain of trust for platform firmware resiliency. Soteria-G1 runs on the CEC1702Q-S1 and Soteria-G2 runs on the CEC1712Q-S2. The Soteria solution is designed to work with virtually any application processor that meets two criteria:

1. The application processor can be held in reset, and
2. The application processor loads its first code from SPI-Flash

The Soteria secure boot firmware provides a platform firmware resiliency solution that meets the NIST SP 800-193 guidelines. It uses the immutable secure bootloader implemented in CEC1702/CEC1712 ROM as the system Root of Trust (RoT). The secure bootloader loads, decrypts and authenticates the firmware from the external SPI Flash. The validated CEC1702/CEC1712 code is designed to authenticate the application processor firmware in the same SPI Flash. Up to three additional SPI Flash components can be supported.

Downloads

Trust Platform Design Suite       MPLAB® Harmony v3 software framework

Watch Videos now by clicking on the titles below 

           

---

7. Programming & Lifecycle Services

End Customers developing and marketing embedded applications starts to consider the need for strong security as a must, meaning implementing hardware Secure Element. Starting with Root of Trust (Trustable Identity) up to security use case(s) custom to their application. With such implementations, they are only half way through the journey – indeed, a Secure Element can only be reliable if Keys, Secrets, certificates, and immutable data are correctly and securely programmed: this is a named “Provisioning”.

Provisioning (or Secure Provisioning) consists in of establishing trust between the customer and his fleet of end devices. Provisioning should be done through a safe environment based on highly Secure programming tools (HSM – Hardware Security Module), strong software implementation (key ceremony, secure programming flow…) and within specific environmental conditions (secure manufacturing zone, constantly trained operators, regular audits…). Provisioning cost per device of such implementation is higher than the cost of the Secure Element itself.

Microchip leverage 10+ years’ experience in delivering provisioned Secure Elements. The service offers scalability from very small minimum orderable quantities (10 units Trust&GO: off-the-shelves devices with unique Keys / certificates for Cloud authentication) all the way up to large volume production High-Volume flow (for fully custom configuration / secrets), as well as Low MOQ flow for custom keys / data / PKI starting 2000 units (TrustFlex & TrustCustom solution). This service helps to remove complexity and risk of exposing keys inside contract manufacturers but also lower the manufacturing cost and keep independence from contract manufacturers and any middle-man attack.

Downloads

ATECC608A-TFLXTLS      Arrow Secure Provisioning Microchip SAML11 Flyer        Arrow Secure Provisioning Service

Products

CEC1712       SAML11

Contact your local Arrow Security FAE for more information