

## ADVANCE YOUR IoT SECURITY LEVERAGING HARDWARE PROTECTED KEYS

DONNIE GARCIA NXP IoT SECURITY SOLUTIONS MAY 2019





SECURE CONNECTIONS FOR A SMARTER WORLD

## Hardware Protected Keys Webinar Series

This webinar meets 3 times.

- Tue, Apr 16, 2019 10:00 AM - 11:00 AM CDT
- Tue, May 21, 2019 10:00 AM - 11:00 AM CDT
- Tue, Jun 18, 2019 10:00 AM - 11:00 AM CDT

Part 1: Utilizing hardware protected keys on broad market Microcontrollers

#### Recording

For the IoT Edge device, the cryptographic keys used to perform the services such as encrypted boot, onboarding, and over the air updates are critical components that must be protected. Chip level hardware protected keys are the standard for achieving strong security protection for embedded designs. This session will define what a hardware protected key is and show several examples of how these keys are realized on NXP processors. The i.MX RT 1050 family of devices will be used as a real world example of how Intrinsic ID Broadkey® SRAM based PUF can advance your IoT Security.

Part 2: Using hardware protected keys on state of the art Microcontrollers

For the latest microcontrollers addressing IoT applications, hardware protected keys address critical security functions to protect application integrity, software confidentiality and encrypt data at rest. This session will explore the ability of the recently launched NXP IoT microcontroller, LPC5500 series. This family of devices will work as the main processing unit for a broad range of IoT applications and integrates breakthrough capabilities with regards to security. Along with Arm TrustZone technology the SRAM PUF based key management makes security easy to use and easy to deploy.

Part 3: Advanced IoT application key management based on hardware protected keys

The recently launched NXP IoT microcontroller, LPC5500 series, works as the main processing unit for a broad range of IoT applications. Along with Arm TrustZone® technology the chip supports SRAM PUF based key management. The product includes a software development kit (MCUXpresso SDK) that contains prebuilt applications to demonstrate edge to cloud connections out of the box. With the integrated security technology and software enablement, the LPC5500 makes security easy to use and easy to deploy. Join this session for a quick run through the demo applications available to kickstart your next IoT designs.





## Agenda

- Quick recap and highlights
- LPC5500 Series Overview
- Security Model & Security Technology
- LPC55S6xx Security Technology
  - Security Subsystem
  - Arm TrustZone
  - Secure Debug
- LPC5500 PUF based Key Management
- Conclusions



# QUICK RECAP & HIGHLIGHTS



## System Level Security Goals Depend on Cryptography



- Cryptography is a fundamental capability needed to address edge device security
  - Basis for protecting data at rest and in transit
  - Provides robust identity for the end device by cryptographic authentication
- The key material used for cryptographic operations must be protected by hardware
  - Attacks against Confidentiality/Integrity/Authenticity are aimed at attaining the Cryptographic Key





## **Protected over the lifecycle\* of the Cryptographic keys**

- Key Lifecycle
  - Generation
    - Who/what creates the key material
  - Establishment
    - How the key material is shared or signed between entities
  - Storage
    - Where the key material is placed for future access
  - Use
    - How the key is utilized during the cryptographic processing
  - Decommission
    - Revocation and destruction of key material



## **Exploring Protected Key Options**



## **SRAM PUF Overview**

Leverages the intrinsic entropy of the silicon manufacturing process

Device unique, unclonable fingerprint derived on every activation of the PUF

PUF master key is used to protect other secrets

1. **Process Variation**: Naturally occurring **variations** in the attributes of transistors when chips are fabricated (length, width, thickness)
2. **SRAM Start-up Values**: Each time an **SRAM block** powers on the cells come up as either a 1 or a 0
3. **Silicon Fingerprint**: The start-up values create a **random** and repeatable pattern that is unique to each chip
4. **SRAM PUF Key**: The silicon fingerprint is turned into a **secret key** that builds the foundation of a security subsystem
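The enroll-then-reconstruct cycle behind a PUF-derived key, as an added sketch that is not NXP's or Intrinsic ID's implementation. It uses the textbook code-offset construction with a 7x repetition code; the fingerprints, noise pattern, seeds and function names are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>

#define KEY_BITS  128                /* size of the secret the PUF protects */
#define REP       7                  /* SRAM cells spent per key bit */
#define RESP_BITS (KEY_BITS * REP)

/* xorshift32: a tiny deterministic PRNG so the demo is repeatable (not crypto). */
static uint32_t prng_state;
static uint32_t prng_bit(void) {
    prng_state ^= prng_state << 13;
    prng_state ^= prng_state >> 17;
    prng_state ^= prng_state << 5;
    return (prng_state >> 16) & 1u;
}

/* Constructed stand-in for reading SRAM start-up values: the seed plays the
 * role of one chip's process variation, so the same seed gives the same pattern. */
void sram_startup(uint32_t chip_seed, uint8_t resp[RESP_BITS]) {
    prng_state = chip_seed;
    for (int i = 0; i < RESP_BITS; i++) resp[i] = (uint8_t)prng_bit();
}

/* Power-up noise: flip `flips` distinct cells inside every REP-cell block. */
void add_noise(uint8_t resp[RESP_BITS], int flips) {
    for (int b = 0; b < KEY_BITS; b++)
        for (int f = 0; f < flips; f++)
            resp[b * REP + (b + 3 * f) % REP] ^= 1u;
}

/* Enrollment: helper = repetition_encode(key) XOR fingerprint. Only the helper
 * data is stored (assumption: comparable in role to the activation code kept
 * in the key store); the key itself is never written to non-volatile memory. */
void puf_enroll(const uint8_t resp[RESP_BITS], const uint8_t key[KEY_BITS],
                uint8_t helper[RESP_BITS]) {
    for (int i = 0; i < RESP_BITS; i++) helper[i] = key[i / REP] ^ resp[i];
}

/* Reconstruction: XOR a fresh, noisy read-out with the helper data and take a
 * majority vote per block; up to (REP-1)/2 flipped cells per block are corrected. */
void puf_reconstruct(const uint8_t resp[RESP_BITS], const uint8_t helper[RESP_BITS],
                     uint8_t key_out[KEY_BITS]) {
    for (int b = 0; b < KEY_BITS; b++) {
        int ones = 0;
        for (int j = 0; j < REP; j++) ones += helper[b * REP + j] ^ resp[b * REP + j];
        key_out[b] = (uint8_t)(ones > REP / 2);
    }
}

/* Enroll on chip `enroll_seed`, then power up chip `boot_seed` with `flips`
 * noisy cells per block. Returns how many key bits came back wrong. */
int puf_demo(uint32_t enroll_seed, uint32_t boot_seed, int flips) {
    static uint8_t resp[RESP_BITS], helper[RESP_BITS];
    uint8_t key[KEY_BITS], got[KEY_BITS];
    int wrong = 0;

    prng_state = 0xC0FFEEu;          /* constructed key source; a device would use its RNG */
    for (int i = 0; i < KEY_BITS; i++) key[i] = (uint8_t)prng_bit();

    sram_startup(enroll_seed, resp);
    puf_enroll(resp, key, helper);

    sram_startup(boot_seed, resp);   /* a later power-up */
    add_noise(resp, flips);
    puf_reconstruct(resp, helper, got);

    for (int i = 0; i < KEY_BITS; i++) wrong += (got[i] != key[i]);
    return wrong;
}

int main(void) {
    printf("same chip, 3 noisy cells per block : %d wrong key bits\n",
           puf_demo(0x9E3779B9u, 0x9E3779B9u, 3));
    printf("same chip, 4 noisy cells per block : %d wrong key bits\n",
           puf_demo(0x9E3779B9u, 0x9E3779B9u, 4));
    printf("helper data copied to another chip : %d wrong key bits\n",
           puf_demo(0x9E3779B9u, 0x85EBCA6Bu, 0));
    return 0;
}
```

The third case is the property that matters for cloning: helper data copied from one device's flash does not reproduce the key on different silicon.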



## HW Protected Keys Example: Hardware PUF

## Recently launched LPC5500 family also makes use of PUF technology on the microcontroller in addition to other security capabilities

#### **Unique Security Enhancements**

A cornerstone to establishing device trustworthiness is NXP's ROM-based secure boot process that utilizes device-unique keys to create an immutable hardware 'root-of-trust'. The keys can now be locally generated on-demand by an SRAM-based Physically Unclonable Function (PUF) that uses natural variations intrinsic to the SRAM bitcells. This permits closed loop transactions between the end-user and the original equipment manufacturer (OEM), thus allowing the elimination of third-party key handling in potentially insecure environments. Optionally, keys can be injected through a traditional fuse-based methodology.

Furthermore, NXP's SEE improves the symmetric and asymmetric cryptography for edge-to-edge, and cloud-to-edge communication by generating device-unique secret keys through innovative usage of the SRAM PUF. The security for public key infrastructure (PKI) or asymmetric encryption is enhanced through the Device Identity Composition Engine (DICE) security standard as defined by the Trusted Computing Group (TCG). SRAM PUF ensures confidentiality of the Unique Device Secret (UDS) as required by DICE. The newly announced solutions support acceleration for asymmetric cryptography (RSA 1024 to 4096-bit lengths, ECC), plus up to 256-bit symmetric encryption and hashing (AES-256 and SHA2-256) with MbedTLS optimized library.

"Maintaining the explosive growth of connected devices requires increased user trust in those devices," said John Ronco, vice president and general manager, Embedded & Automotive Line of Business, Arm. "NXP's commitment to securing connected devices is evident in its new Cortex-M33 based products built on the proven secure foundation of TrustZone technology, while incorporating design principles from Arm's Platform Security Architecture (PSA) and pushing the boundaries of Cortex-M performance efficiency."





#### LPC MICROCONTROLLERS


IoT MCUs Based on Arm<sup>®</sup> Technology

#### LPC Cortex-M MCUs

- LPC5500 Cortex-M33
- LPC54000 Cortex-M4
- LPC1100 Cortex-M0+/M0
- LPC800 Series Cortex-M0+ MCUs
- LPC1200 Cortex-M0
- LPC1300 Cortex-M3
- LPC1500 Cortex-M3
- LPC1700 Cortex-M3
- LPC1800 Cortex-M3
- LPC4000 Cortex-M4
- LPC4300 Cortex-M4/M0
- LPC2000 Arm7 MCUs
- LPC3000 Arm9 MPUs

## LPC5500 SERIES OVERVIEW



## NXP LPC5500 MCU SERIES

#### **Subject to Change**



10Ku S/R is budgetary range; will vary for specific package/memory variants

## LPC55S6x Product Overview



#### Core Platform

- Up to 100MHz Cortex-M33
  - TrustZone, MPU, FPU, SIMD
- Up to 100MHz Cortex-M33
- Coprocessors
  - DSP Accelerator
  - Crypto Engine
- Multilayer Bus Matrix

#### Memory

- Up to 640KB FLASH (includes PFR)
- Up to 320KB RAM
- 128KB ROM

#### Timers

- 5 x 32b Timers
- SCTimer/PWM
- Multi-Rate Timer
- OS Timer
- Windowed Watchdog Timer
- RTC
- Micro Timer

#### Interfaces

- USB High-speed (H/D) w/ on-chip HS PHY
- USB Full-speed (H/D), Crystal-less
- SDIO, Support 2 cards
- 1 x High-Speed SPI up to 50MHz
- 8 x Flexcomms support up to 8x SPI, 8x I2C, 8x UART, 4x I<sup>2</sup>S channels (total 8 instances)

#### **Advanced Security Subsystem**

- Protected Flash Region (PFR)
- AES-256 HW Encryption/Decryption Engine
- SHA-2
- SRAM PUF for Key Generation support
- PRINCE On-The-Fly Encrypt/Decrypt for flash data
- Secure debug authentication
- RNG

#### Analog

- 16b ADC, 16ch, 1MSPS
- Analog Comparator
- Temperature Sensor

#### Packages

- LQFP100
- VFBGA98
- LQFP64 or QFN64

#### Other

- Programmable Logic Unit
- Buck DC-DC
- Operating voltage: 1.8 to 3.6V
- Temperature range: -40 to 105 °C



## NXP's LPC5500 Product Spotlight Bringing Intelligence & Efficiency to the Edge

## Single & Dual-core Cortex-M33 MCU Series

- 755 CoreMarks<sup>1</sup> and 32uA/MHz<sup>2</sup> for leading performance efficiency
- 10x improvement for signal processing & cryptography
- TrustZone + Secure Execution Environment (SEE)
- Rich integration to connect and control
- MCUXpresso Ecosystem with HW & SW scalability



<sup>1</sup> 2xCM33 @ 100MHz; <sup>2</sup> 1xCM33 @ 100MHz

## NXP LPC5500 MCU SERIES MCUXPRESSO SOFTWARE & TOOLS ECOSYSTEM

#### **Complimentary with Extensive Support**

- SDK
- IDE
- MCUXpresso Config Tools (CFG)

#### Hardware Platform for Ease of Development

- On-board debug circuit
- PCB Layout, Schematic and Board Files Available

## Simplify secure embedded development; Reduce time to market. LPC5500 MCU Series

## LPC5500 Series Security Resources (as of 4/2019)

Element14 Secure your Sensor with LPC5500 series

#### Embedded World: LPC5500 Security white paper

**LPC55S69 Security Solutions for IoT** 

**Arm+NXP Webinar on LPC5500** 

LPC55S6x Secure GPIO and Usage



LPC55Sxx Secure Boot



## SECURITY MODEL & SECURITY TECHNOLOGY



## **Security Model**

#### **Policies**

The rules in place that identify the data that should be protected

#### For example

- The management of firmware, secret keys, user and application data
- Passwords, personal information, network credentials

#### Threat landscape

The definition of the attacks and attackers that the end device will face and protect against. Considers the access to the device, and cost of the attack

#### For example

Expert attackers who will use off the shelf tools to gain access and insert malware

#### Methods

The means by which the policies for the device are enforced. Involves the application of security technology to achieve product goals

#### For example

Disabling debug access to restrict the availability of secret data on a processor



## NXP Solutions for Edge Computing






## NXP Security Technology








## LPC55S6XX SECURITY TECHNOLOGY



## NXP LPC5500 MCU SERIES SECURITY SUBSYSTEM OVERVIEW

- ROM supporting
  - Secure Boot, Debug Authentication & DICE Engine
- TrustZone for Cortex-M33
  - Arm's Security Attribution Unit (SAU)
  - Arm's Memory Protection Unit (MPU): Secure & Non-Secure
  - NXP's (implementation) Defined Attribution Unit (using IDAU interface)
  - NXP's Secure Bus, Secure GPIO & Secure DMA Controllers
- Cryptography Accelerators
  - Symmetric (AES-256) & Hashing (SHA2) engine
  - On-the-fly flash encryption/decryption engine (PRINCE)
  - Asymmetric engine for RSA and ECC (CASPER)
  - Random Number Generator (RNG)
- Secure Storage
  - Physically Unclonable Function (PUF)
    - Device unique root key (256 bit strength), 64-4096 bit key size
  - Protected Flash Region
    - RFC4122 compliant 128-bit UUID per device
    - Customer Manufacturing Programmable Area (Boot Configuration, RoT key table hash, Debug configuration, Prince configuration)
    - PUF Key Store (Activation code, Prince region key codes, FW update key encryption key, Unique Device Secret)
    - Customer Field Programmable Area (Monotonic counter, Prince IV codes)



## Protect from Software & Remote Attacks

## Challenges

- Protect from software attacks
  - Buffer overflow
  - Interrupt/Starvation
  - Malware Injection
- Meet minimum latency requirements of real time systems while crossing boundaries

## LPC55S69 solution

- Based on Cortex-M33 with Arm's TrustZone technology
- NXP's lightweight device attribution unit to simplify setup process
- Two factor isolation protection built in AHB secure bus control with
  - Peripheral Protection Checkers
  - Memory Protection Checkers
- GPIO Masking/isolation
- Interrupt Masking/isolation
- Master Security Wrapper for other masters
- Secure configuration locking



#### Secure AHB bus matrix

- Has security side band signals
  - HPRIV, HNONSEC
  - Pole and anti-pole version of signals used for tamper detection
- PPC per AHB slave port
  - Default security level checking
  - Provision to check both security & privilege levels
- MPCs for memories and bridge ports
  - Default security level checking
  - Provision to check both security & privilege levels
- Each master has separate security wrapper (MSW)



#### Memory attribution

- NXP's lightweight device attribution unit
  - Address range 0x0000\_0000 to 0x1FFF\_FFFF is Non-Secure
  - Address range 0x2000\_0000 to 0xFFFF\_FFFF
    - If Address Bit\_28 = 0 Non-Secure
    - If Address Bit\_28 = 1 Secure
- All peripherals and memories are aliased at two locations
- LPC55S69 supports 8 SAU regions

#### Lightweight Device Attribution Unit



**ROM Configuration of TrustZone**

- During the boot process, TrustZone preset data can be provisioned by the zero stage boot (ROM)
  - This ensures that before any software runs on the device, TrustZone settings are preloaded
  - This extends the TrustZone protections from the very start

#### TrustZone preset data

LPC55Sxx ROM provides support for TrustZone data configuration during boot process.

The TrustZone preset data includes:

- VTOR, VTOR\_NS, NVIC\_ITNS0, NVIC\_ITNS1 (CPU0) registers
- VTOR (CPU1) register
- Secure MPU
- Non-secure MPU
- SAU
- Secure AHB Controller

If the TrustZone preset is enabled, the ROM, after image validation, configures all TrustZone related registers by data, provided at the end of the image. If any register […] whole peripheral has lock feature and corresponding bit is set, the register is also […] so any further register modification is not possible until next reset.

This feature increases robustness of the user application since the user application […] into pre-configured TrustZone environment and it doesn't need to contain any TrustZone configuration code.



## Virtualization/Hardware Firewalls Secure GPIO

- GPIO Read path is always available on a standard microcontroller
  - Secret data could be accessible from this read path
- With Secure GPIO peripheral, when SEC\_GPIO\_MASK is cleared, the read path from pins is blocked





## Debug protection mechanism

### Challenges

- Only authorized external entity allowed to debug
- Permit access only to allowed assets
- Support Return Material Analysis (RMA) flow without compromising security

### LPC55S69 Solution

- Supports RSA-2048/RSA-4096 signed certificate based challenge response authentication to open debug access
- Provides individual debug access control over partitioned assets
- Provides flexible security policing
  - Enforce UUID check
  - Certificate revocations
  - OEM customizable attribution check (model number, department ID etc)
- Security policy fixed at manufacturing






## Debug Credential (DC) Certificate



### PKI for Secure boot and Debug

- Same Root of Trust Private keys are used to create the DC signature
- Options for HW and SW constraints
  - Device Unique ID bound
  - Level of Debug access
  - Mass erase enable



Fig 190. Debug Credential certificate fields

### Secure Debug LPC55Sxx Debug Domains – SoC Credential Constraints

#### **DC HW Credential Constraints**

- NIDEN - Non-secure non-invasive debug
- DBGEN - Non-secure invasive debug
- SPNIDEN - Secure non-invasive debug
- SPIDEN - Secure invasive debug
- TAPEN - TAP (Test Access Point) controller
- uDBGEN - Micro-CM33 invasive debug
- uNIDEN - Micro-CM33 non-invasive debug

#### DC SW Credential Constraints

- ISPEN - ISP boot command
- FAEN - Field Return Analysis mode command
- MEEN - Flash mass erase command



## **Configuration Control**

- Fields in the Customer Programmed Protected Flash Region provide control of the sub-domains
  - Disabled permanently
  - Enabled after debug authentication
  - Enabled permanently
- Other controls
  - Enforce UUID checking
  - Revoke debug keys
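How the device-side configuration and the Debug Credential combine into an access decision, as an added model that is not NXP ROM code. The structs, bit positions, the revocation mask and the sample values are constructed for illustration; `auth_ok` stands for the signature check and challenge response, which are not modelled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sub-domains named on the slides; bit positions are constructed for this
 * example and are not the device's register layout. */
enum {
    NIDEN = 1u << 0, DBGEN = 1u << 1, SPNIDEN = 1u << 2, SPIDEN = 1u << 3,
    TAPEN = 1u << 4, UDBGEN = 1u << 5, UNIDEN = 1u << 6,
    ISPEN = 1u << 7, FAEN = 1u << 8, MEEN = 1u << 9
};

/* Device-side policy, fixed at manufacturing (hypothetical struct). */
typedef struct {
    uint32_t always_on;     /* sub-domains enabled permanently */
    uint32_t after_auth;    /* sub-domains enabled after debug authentication */
                            /* a sub-domain in neither mask is disabled permanently */
    int      enforce_uuid;  /* credential must be bound to this device's UUID */
    uint32_t revoked_keys;  /* bit n set => RoT key n is revoked */
    uint8_t  uuid[16];
} device_policy_t;

/* The Debug Credential fields that matter for the decision (hypothetical struct). */
typedef struct {
    uint32_t rights;        /* access rights the OEM assigned to the technician */
    uint8_t  uuid[16];      /* device the credential was issued for */
    unsigned rot_key_index; /* RoT key that signed the credential */
} debug_credential_t;

/* Returns the mask of sub-domains that end up open. A credential can only
 * unlock what the device marks "enabled after debug authentication". */
uint32_t debug_access(const device_policy_t *dev, const debug_credential_t *dc,
                      int auth_ok) {
    uint32_t open = dev->always_on;
    if (dc == NULL || !auth_ok) return open;
    if (dc->rot_key_index >= 32u ||
        ((dev->revoked_keys >> dc->rot_key_index) & 1u)) return open;
    if (dev->enforce_uuid &&
        memcmp(dc->uuid, dev->uuid, sizeof dev->uuid) != 0) return open;
    return open | (dev->after_auth & dc->rights);
}

/* Constructed sample: secure-world debug and mass erase disabled permanently,
 * UUID check enforced, RoT key 0 revoked. */
device_policy_t sample_device(void) {
    device_policy_t d = {0};
    d.after_auth = NIDEN | DBGEN | ISPEN | FAEN;
    d.enforce_uuid = 1;
    d.revoked_keys = 1u << 0;
    memset(d.uuid, 0xA5, sizeof d.uuid);
    return d;
}

/* Constructed sample credential that asks for more than the device allows. */
debug_credential_t sample_credential(uint8_t uuid_fill, unsigned key_index) {
    debug_credential_t c = {0};
    c.rights = NIDEN | DBGEN | SPIDEN | MEEN;
    memset(c.uuid, uuid_fill, sizeof c.uuid);
    c.rot_key_index = key_index;
    return c;
}

int main(void) {
    device_policy_t dev = sample_device();
    debug_credential_t good = sample_credential(0xA5, 1);
    debug_credential_t other_device = sample_credential(0x5A, 1);
    debug_credential_t revoked = sample_credential(0xA5, 0);

    printf("valid credential      : 0x%03x\n", (unsigned)debug_access(&dev, &good, 1));
    printf("failed authentication : 0x%03x\n", (unsigned)debug_access(&dev, &good, 0));
    printf("bound to other UUID   : 0x%03x\n", (unsigned)debug_access(&dev, &other_device, 1));
    printf("signed by revoked key : 0x%03x\n", (unsigned)debug_access(&dev, &revoked, 1));
    return 0;
}
```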



## Debug authentication for RMA use case

1. OEM generates RoT key pairs and programs the device before shipping.
   - SHA256 hash of RoT public key hashes
2. Field Technician generates his own key pair and provides public key to OEM for authorization.
3. OEM attests the Field Technician's public key. In the debug credential certificate he assigns the access rights.
4. End customer having issues with a locked product takes it to Field technician.
5. Field technician uses his credentials to authenticate with device and un-locks the product for debugging.

## PUF BASED KEY MANAGEMENT



## **Using PUF Technology**



## **PUF based Key Management on LPC5500 Series**

#### Protected Flash Area

- CFPA: Customer Field Programmable Area
- CMPA: Customer Manufacturing floor Programmable Area

## **Command line or GUI options for PUF provisioning**

Screenshot of elftosb-gui with target device LPC55xx selected. The Device tab shows the connection settings (UART or USB, port COM32, baud rate 57600, BusPal) and a Key Store section with SRAM PUF Enroll and key inputs such as the SBKEK file. The verbose process output (dated 2018-11-16 13:55:23) shows blhost.exe being called with `-V -p COM32,57600 key-provisioning enrol…` and `-V -p COM32,57600 key-provisioning set_us… bkek.bin`, with responses `Response status = 0 (0x0) Success.` An overlaid key store diagram lists PUF Activation code, Secure boot KEK Code, PRINCE KEK Code and PRINCE KEY Code.

Scalable methods for instantiating device unique keys which are protected by PUF technology

"Using A1 silicon we are working on enabling support for Untrusted-CM manufacturing. When that happens device unique key store (PUF activation code, Prince keys and device key with NXP certificate) is preprogrammed in PFR."



## **Challenge: Asset Protection**

- On-chip non-volatile storage is used for storing important assets
  - Secret keys
  - Proprietary SW from OEM and Silicon Manufacturer
  - Application code
  - Other sensitive information
- Prone to attacks with malicious intent
  - Reading the code for cloning
  - Tampering for
    - Illegally gaining trust
    - Changing execution sequence
    - Changing programming value
  - Stealing keys
- Solution:
  - Encrypt the code stored in Flash
    - System performance cannot be compromised



## **PRINCE** for encrypted execution

- Is a cryptographic algorithm developed by NXP + 2 Universities
  - https://eprint.iacr.org/eprint-bin/getfile.pl?entry=2012/529&version=20140612:115014&file=529.pdf
- A light-weight symmetric block cryptography algorithm
  - 64b block cipher, with 128b crypto key
  - Same HW block supports encrypt and decrypt
- Real-time
  - Low latency decryption, no additional cycles added to read path (compared to 10-14 cycles in AES)
  - No initialization time
  - Combinatorial logic
- Efficient
  - Low cost (Si area)
  - Power efficient
  - No RAM buffers needed



## LPC55Sxx Encrypted Flash Regions



- Data stored in Flash is the encrypted version
- Supports 3 regions in 640KB Flash
  - Each region is at a 256KB address boundary
  - Allows multiple code images from independent sources to co-exist
  - Secret-Key and IV Pair per region
- Register programmable crypto-enable bit per sub-region
  - One register per region
  - Each sub-region has 8kB granularity
  - Settings can be stored in PFR and be applied by ROM
- Cached data in FMC (cache) is obscured further using XOR mask with random number
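
The region and sub-region layout above can be checked mechanically before an image is programmed. The following C code is an added example, not NXP code: `prince_cfg_t`, the function names and the "bit n covers sub-region n" ordering are assumptions used to model the three per-region enable registers, and the image ranges are constructed.

```c
#include <stdint.h>
#include <stdio.h>
/* Geometry from the slide above. */
#define FLASH_SIZE      (640u * 1024u)  /* total flash */
#define REGION_SIZE     (256u * 1024u)  /* regions sit on 256KB boundaries */
#define SUBREGION_SIZE  (8u * 1024u)    /* one crypto-enable bit per 8kB */
#define SUBS_PER_REGION (REGION_SIZE / SUBREGION_SIZE)  /* 32 bits per register */

/* Hypothetical model (not the real register map): enable[r] is region r's
 * register; bit n covering sub-region n is an assumed bit order. */
typedef struct { uint32_t enable[3]; } prince_cfg_t;

static int range_ok(uint32_t start, uint32_t len)
{ return len != 0 && start < FLASH_SIZE && len <= FLASH_SIZE - start; }

/* Set the enable bit of every sub-region touched by [start, start+len).
 * Returns 0 on success, -1 if the range is empty or leaves the flash. */
int prince_cover_range(prince_cfg_t *cfg, uint32_t start, uint32_t len)
{
    if (!range_ok(start, len)) return -1;
    uint32_t last = (start + len - 1u) / SUBREGION_SIZE;
    for (uint32_t s = start / SUBREGION_SIZE; s <= last; s++)
        cfg->enable[s / SUBS_PER_REGION] |= 1u << (s % SUBS_PER_REGION);
    return 0;
}

/* Returns 1 if every byte of the range lies in an enabled sub-region,
 * 0 if not (*gap = first address stored in plaintext), -1 if invalid. */
int prince_range_encrypted(const prince_cfg_t *cfg, uint32_t start, uint32_t len, uint32_t *gap)
{
    if (!range_ok(start, len)) return -1;
    uint32_t last = (start + len - 1u) / SUBREGION_SIZE;
    for (uint32_t s = start / SUBREGION_SIZE; s <= last; s++) {
        if ((cfg->enable[s / SUBS_PER_REGION] >> (s % SUBS_PER_REGION)) & 1u) continue;
        *gap = s * SUBREGION_SIZE > start ? s * SUBREGION_SIZE : start;
        return 0;
    }
    return 1;
}

int main(void)
{
    prince_cfg_t cfg = {{0, 0, 0}};
    uint32_t gap = 0;
    prince_cover_range(&cfg, 0x3E000u, 0x6000u);  /* constructed image range */
    int ok = prince_range_encrypted(&cfg, 0x3F000u, 0x6000u, &gap);
    printf("covered=%d first plaintext address=0x%05x\n", ok, (unsigned)gap);
    return 0;
}
```

The constructed range crosses the 256KB boundary, so its enable bits land in two registers; the second check fails because an image shifted by 4KB spills into a sub-region whose bit was never set.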






## CONCLUSION



## Summary

- LPC55S69 provides rich peripheral interfaces and security features needed for today's IoT applications.
  - PUF based key protection
  - ROM enabled key management
- Arm TrustZone for Cortex-M enhances protection from scalable remote attacks
  - Enforced for the CPU and the SoC microarchitecture (i.e. Secure GPIO)
- Secure Debug capabilities address the usability of security enabled systems
  - Enabled by ROM
  - Using the same PKI as Secure Boot

## Thanks!




## **Questions & Answers Session**






NXP and the NXP logo are trademarks of NXP B.V. All other product or service names are the property of their respective owners. © 2018 NXP B.V.