Security From The Ground Up

Soft processor IP certification using the Common Criteria scheme.


Silicon and system design are complex and costly enough in the ultra-deep sub-micron era. Now factor in security.

Virtually every end application requires some level of security, and, as the cybersecurity threat rises, the importance and value of trust and assurance rises as well. This is even more evident in “high-security” use cases such as smart cards used to enter buildings, SIM cards in mobile devices and banking cards because malicious entities are increasing their use of many different techniques to compromise IoT devices. Because of this changing landscape, Arm and the semiconductor industry need to constantly push the boundaries, making sure security is always advocated from the ground up.

At Arm, our role in the ecosystem has been not only to deliver a broad array of excellent IP to make design more efficient and effective, but also to provide our partners with quality security IP they can trust.

In this context, we recently achieved a milestone, not only for Arm but for the industry: Two Arm Cortex-M soft processor IPs, Cortex-M33 and Cortex-M35P have been thoroughly evaluated and certified to EAL6+ for the Common Criteria ISO 15408 standard. The complete development cycle has been assessed and the security analysis focused on the below security features:

  • TrustZone and the memory protection unit for both processors
  • The specific security features present in Cortex-M35P, addressing some additional attacks typically requiring proximity to the target device (we refer to these security features – also in this blog – as “physical security”).

In these days of cybersecurity risk and uncertainty, it is more important than ever to bring certification standards to the very foundation of the device – to the soft or synthesizable processor IP level.

The Common Criteria for Information Technology Security Evaluation (abbreviated as “Common Criteria” or “CC”) is an international standard that defines a methodology for evaluating computer systems security. Simply put, this framework defines a standard way for implementations of computer systems to be evaluated against the relevant security requirements and best development practices. The outcome, an Evaluation Assurance Level (EAL) ranging up to EAL7, provides a measure of the level confidence that the security features are reliably implemented and fulfill the supplier claims.

This is not only the first time Arm IP has been certified in such a way by third parties; it’s the first time any soft processors with such security provisions built in have been certified using the Common Criteria scheme. The evaluation of soft IP is done earlier in the value chain than the evaluation of complete end devices, such as SoCs, ASICs, and ASSPs. Brightsight – an independent lab accredited to perform CC evaluations – conducted the certification evaluation, reviewing the security approach as well as the development methodology and the security of the development sites.

After completion of our processors’ evaluation, the Dutch CC certification scheme, NSCIB formally audited and confirmed the achievement of the targeted security level.

Partners interested in having their complete SoC certified, must add security functionality at SoC level and undergo penetration testing separately, but the portion of their SoC involving Cortex-M33 or Cortex-M35P can leverage on our certification effort (using the so called “composite evaluation” approach).

In parallel, Brightsight formally audited our development site and NSCIB confirmed our compliance with the Minimum Site Security Requirements (MSSR).

Leveraging our certification outcome
The security industry uses the “composite model” for security evaluations. In other words, the security of a product typically starts at the hardware level which might be security certified. Then, software added later by other developers as part of a final product is certified in “composition” with the hardware, taking the results from the hardware evaluation into consideration.

Because the final product use of the hardware is typically not known at design time, only the composition method provides protection assurance within a certain context of use.
Arm now offers the concept of composition for Cortex-M33 and Cortex-M35P, delivered as IP blocks for further integration into a full secure platform, covering this key aspect of secured hardware.

This will make our partners’ design experiences as efficient as possible and assure them they are using security-certified processors. Arm understands the intricacies of the CPU architecture and with this certification, saves partners the time and expense of having to get certification of processors they’re not intimately familiar with.

To leverage the advantage of our processor certificates, the chip designers will have to follow the security guidance related to those processors during integration. They will also have to implement further layers of security to protect against attacks which cannot be defended alone at soft IP processor level.

Partners who seek certification of products using our processors can leverage the achieved Arm MSSR site certification as it removes the need for them to arrange an audit of the Arm development site and can lead to cost and time saving.

Security assurance is an increasingly important component of design, and the Common Criteria certifications of our processor IPs provide a level of assurance with regard to the features under evaluation and the underlying design processes. For Arm to achieve this milestone, the design and implementation of the features of these processors had to be thorough and extremely comprehensive. TrustZone and the MPU on both Cortex-M33 and Cortex-M35P were proven using a formal methodology at the architecture level. The evaluation also verified the total adherence of the RTL implementation to the architecture definition. The evaluated physical security features on Cortex-M35P were proven using FPGA testing. The fact that no vulnerabilities were discovered for Cortex-M35P and that our claim on TrustZone for both processors was proven with an architecture model during the evaluation process, provides assurance in the quality of the security features in the Cortex-M33 and Cortex-M35P processors.

To be clear, this certification means our partners can trust that the portion of their SoC design involving Cortex-M33 or Cortex-M35P has been thoroughly reviewed and analyzed to the highest level following this evaluation scheme.

“Security certifications are important for developers addressing accountability, compliance and risk management,” said Dirk Jan Out, CEO at Brightsight. “Arm leads the way by certifying the building blocks serving as the foundation for future secure products.”

Companies designing products for a broad range of applications can take advantage of our certification effort. This can be especially important in “high-security” areas such as smart cards, SIM cards, banking cards, or SoCs intended for secure apps like authentication terminals at an airport’s passport control. Those are areas where the strengths of Cortex-M35P processor come into play as its physical security features provide protection against several non-invasive and semi-invasive attacks. On the other hand, the Cortex-M33 processor is more broadly deployed in IoT devices to address various logical and software attacks.

Certified assurance
Arm and its ecosystem of partners are keenly aware that end-system designs, especially in the Internet of Things (IoT), will only succeed if consumers and the value chain believe and trust in the technology they are using. The high assurance (EAL6+) Common Criteria-based certification of the Arm Cortex-M33 and Cortex-M35P processors enables design teams to deploy these processors across a spectrum of SoCs targeting different certification targets, from mass-market devices aiming for the PSA Certified scheme (a broader independent security assessment of IoT chips, platforms, and products in non-regulated markets) to smart cards aiming for Common Criteria certification.

Arm is the first company to successfully certify soft processor IP for microcontrollers at one of the highest security assurance levels by passing one of the industry’s most stringent security evaluation methodologies. Semiconductor companies can now accelerate the path to achieving high-assurance certification of their complete design with security packages for the Arm Cortex-M33 and Cortex-M35P processors that are certified to the Common Criteria at EAL6+.

For more detail on this certification and to learn more about the Cortex-M33 and Cortex-M35P processors, please read my colleague Asaf Shen’s blog on the topic.

Leave a Reply

(Note: This name will be displayed publicly)