The Zephyr Project is an open-source collaborative effort hosted by the Linux Foundation and created to bring industry leaders together to build a best-in-breed small, scalable, real-time operating system (RTOS) optimized for IoT devices across multiple architectures. Zephyr has achieved PSA Certified Level 1 and PSA Certified API Certification to help with the development of secure IoT devices. Instrumental to that certification has been Linaro, a Zephyr Project Member, which brings together industry and the open-source engineering community to collaboratively develop software on Arm.
“PSA Certified means that companies using Zephyr can start developing products with a high level of assurance that the product is going to meet minimum security standards right out of the box,” says Kevin Townsend, Senior Embedded Engineer with Linaro, an open-source collaborative engineering organization and member of the Zephyr Project. “PSA Certified gives the IoT community specialized, up-to-date knowledge and out-of-the-box functionality upon which to build their own systems.”
Secure and Non-secure Integration
As a key security element, Zephyr has integrated Trusted Firmware-M (TF-M), an open-source implementation of PSA Certified, that runs on the secure side of the device, while Zephyr remains on the non-secure side. All fundamental security operations, including cryptography and secure boot, run on TF-M.
“Features like cryptography are hard to implement today simply because there are so many options for different algorithms and different libraries,” Townsend explains. “It’s important to choose cryptographic algorithms that are up to date with vulnerabilities that are out there today, and not everybody has this knowledge. With Zephyr and TF-M, those specific technical decisions have already been dealt with by experts.”
While the certification process was different for PSA Certified API Certification and PSA Certified Level 1, Townsend found it to be smooth and transparent—especially PSA Certified API Certification, which involved running a sample application with a set of API test suites.
“It is nice to have a set of tests that you can easily run to assure that your non-secure firmware is playing well with the secure side,” Townsend said. The tests also provide feedback if something isn’t working: “I know when a test fails, so I know where to look to solve the problem.”
A Solid Security Foundation
For the Zephyr Project, PSA Certified is a way of assuring manufacturers of remotely deployed devices that they are getting security features that have been developed and tested by experts. It also can reduce time-to-market with fewer development cycles, helping to ensure data comes from trusted sources and remains secure.
“It’s difficult to find the engineering resources to implement remote systems securely,” Townsend says. “With PSA Certified, I know that out of the box, I have a very solid foot in the door to making a reasonably secure device, platform, or ecosystem if I’m basing it off something that is PSA Certified Level 1 or has the PSA Certified API Certification.”