Security-centric applications that require compliance with Common Criteria (CC) Evaluation Assurance Levels (EAL) traditionally have relied on microprocessors rather than microcontrollers (MCUs). But MCUs with ramping performance are increasingly capable of running the software needed for CC EAL compliance. Moreover, MCUs and their integrated peripheral set may prove to be the most cost-effective way to approach many secure-system designs.
Let’s consider the requirements of CC EAL compliance, the type of software that can implement such capability and the MCUs available that can readily host that software with headroom to also host an application.
The Common Criteria for Information Technology Security Evaluation is defined in the ISO/IEC 15408 standard, and is informally referred to as the Common Criteria or CC. CC was developed to protect code and data in security-centric information technology (IT) applications such as financial transaction processing. Subsequently, the standard has been applied in many types of embedded systems. Examples include military, aerospace, medical, and even industrial-control applications where a security breach could cause problems ranging from a breach of national security to an accident on a factory floor.
Systems designed for CC compliance are graded on a scale called the Evaluation Assurance Level, which ranges from EAL 1 through EAL 7 – with EAL 7 being the most secure. General-purpose operating systems such as Linux or Windows can achieve a rating in the EAL 4 range, which corresponds to moderate security. More specialized off-the-shelf operating systems can achieve levels of EAL 6, which implies a high level of robustness for the protection of high-value assets.
Security-centric operating systems typically use a scheme called Multiple Independent Levels of Security (MILS) to protect code and data. Generally, a layer of software called a separation kernel isolates sensitive code and data. For example, the code that controls a dangerous factory process might be partitioned and protected from non-secure user interface code, although data may be passed between the two code partitions.
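To make the separation-kernel idea concrete, here is an added illustration (not code from the article, and not the API of Integrity-178B or any other real kernel): a toy model in C in which each partition owns a private mailbox, and the only way data crosses a partition boundary is through the kernel's relay function, which consults an explicit, default-deny channel table. The partition names, the policy table and the message contents are all constructed for the example. In the model the factory-control partition may exchange messages with the user-interface partition, as the article describes, but no other flow is possible, and the relay also refuses oversized or back-to-back messages so a noisy low-security partition cannot corrupt a high-security one.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed partition set: a control partition for the dangerous
 * process, a non-secure UI partition and a write-only log partition. */
enum partition { PART_CONTROL = 0, PART_UI = 1, PART_LOG = 2, PART_COUNT };

/* Each partition's mailbox is private; only the "kernel" relay below
 * writes into a mailbox that belongs to another partition. */
struct mailbox {
    char   data[64];
    size_t len;
    bool   full;
};

static struct mailbox mailboxes[PART_COUNT];

/* Explicit flow policy (constructed): channel[src][dst] == true means the
 * kernel relays messages from src to dst. Anything not listed is denied. */
static const bool channel[PART_COUNT][PART_COUNT] = {
    /*               to CONTROL  to UI   to LOG */
    /* CONTROL */  { false,     true,   true  },
    /* UI      */  { true,      false,  false },
    /* LOG     */  { false,     false,  false },
};

enum mils_status { MILS_OK = 0, MILS_DENIED, MILS_BUSY, MILS_TOO_LARGE, MILS_BAD_ID };

/* Kernel-side relay: the single point where inter-partition data moves. */
static enum mils_status mils_send(int src, int dst, const void *msg, size_t len)
{
    if (src < 0 || src >= PART_COUNT || dst < 0 || dst >= PART_COUNT || src == dst)
        return MILS_BAD_ID;
    if (!channel[src][dst])
        return MILS_DENIED;        /* default deny: no channel configured */
    if (len > sizeof mailboxes[dst].data)
        return MILS_TOO_LARGE;     /* never overrun the receiver's buffer */
    if (mailboxes[dst].full)
        return MILS_BUSY;          /* receiver must drain before the next message */
    memcpy(mailboxes[dst].data, msg, len);
    mailboxes[dst].len  = len;
    mailboxes[dst].full = true;
    return MILS_OK;
}

/* A partition may read only its own mailbox; returns bytes copied, 0 if empty. */
static size_t mils_receive(int self, void *out, size_t cap)
{
    if (self < 0 || self >= PART_COUNT || !mailboxes[self].full)
        return 0;
    size_t n = mailboxes[self].len < cap ? mailboxes[self].len : cap;
    memcpy(out, mailboxes[self].data, n);
    mailboxes[self].full = false;
    return n;
}

int main(void)
{
    char buf[64];

    /* UI issues a command to the control partition: permitted by the table. */
    printf("UI -> CONTROL: %d\n", mils_send(PART_UI, PART_CONTROL, "start", 5));
    size_t n = mils_receive(PART_CONTROL, buf, sizeof buf);
    printf("CONTROL received %zu bytes: %.*s\n", n, (int)n, buf);

    /* The log partition has no channel to anyone: denied by default. */
    printf("LOG -> CONTROL: %d (1 = MILS_DENIED)\n",
           mils_send(PART_LOG, PART_CONTROL, "x", 1));

    /* The UI has no channel to the log partition either. */
    printf("UI -> LOG: %d (1 = MILS_DENIED)\n",
           mils_send(PART_UI, PART_LOG, "x", 1));
    return 0;
}
```

The point of the model is the shape of the policy, not the mailbox mechanics: every permitted flow is an explicit row in a table the partitions cannot modify, and a separation kernel on a real MCU enforces the same idea with the hardware MMU rather than a static array.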
Real-time operating system vendor Green Hills Software offers secure operating systems that allow an embedded system to achieve EAL 6+ levels. The + designation indicates that the company has augmented the product for protection in excess of the EAL 6 requirements. Indeed, Green Hills announced that the National Information Assurance Partnership (NIAP), operated by the National Security Agency, certified the Integrity-178B operating system to EAL 6+.
The Green Hills Integrity-178B operating system has been used in applications ranging from military and aerospace to medical and industrial. The range includes applications from IT to embedded uses. Figure 1 depicts the partitioning scheme used in the kernel, which ensures a lower-security task can’t corrupt high-security tasks.
Figure 1: Green Hills Integrity-178B operating system partitions security-centric tasks and meets EAL6+ requirements. (Source: Green Hills)
Separation kernels have been more often deployed on microprocessors, but high-end MCUs also can support the security layer. Green Hills has delivered board-support packages for numerous MCU-based boards developed as reference designs or developed by third parties for specific applications. The Green Hills software can be deployed on a wide range of MCUs based on ARM, ColdFire and Power architecture-based processing cores.
A range of ColdFire MCUs can host the Integrity software. ColdFire is the Freescale MCU family derived from the 68000 microprocessor architecture. ColdFire has evolved through a series of architectural optimizations and process-technology shrinks, which deliver greater performance and lower power.
Integrity has been ported to ColdFire V2 MCUs (e.g., MCF5249), ColdFire V3 MCUs (MCF5307 family), and ColdFire V4e MCUs (MCF548x and MCF5475). Even the older V2 MCUs are quite capable from a performance perspective. For example, the MCF5249 family is available at speeds as fast as 140 MHz and delivers 125 DMIPS (Dhrystone MIPS) at that clock rate.
The MCF5249 also integrates a hardware multiply-accumulate (MAC) unit that can accelerate math-intensive applications. One example is audio applications. The MCU includes audio-codec capabilities and an on-chip audio bus that allows audio streaming with no processor intervention.
Newer Freescale V4e-based MCUs up the ante in terms of performance. The MCF547x and MCF548x families deliver 410 DMIPS with clock speeds that max out at 266 MHz. Moreover, the ICs – which fall on a fine line between classification as an MCU or an embedded microprocessor – offer a number of features that work well in security-centric applications.
The MCUs don’t include code ROM but rather rely on external memory. The devices do include a memory-management unit (MMU) in hardware, a typical microprocessor feature that can control off-chip memory and help enable security partitions. The devices also include an encryption accelerator that enables secure network communications.
To further enhance processing capability, Freescale integrates both a MAC in hardware for DSP algorithms and a hardware floating-point unit (FPU). The peripheral roster, meanwhile, looks very much like a typical MCU with timers, I/O, a DMA controller and an Ethernet controller. The MCF548x family also includes CAN support; CAN was originally used primarily in automotive applications, but today it is widely used in industrial and even aerospace applications.
Proponents of the RISC-based ARM processor architecture also have a number of MCU options that can readily host the Integrity platform. NXP Semiconductors, STMicroelectronics and Atmel all offer such products. Based on ARM7 cores, NXP offers the LPC2468 that operates at 72 MHz, and STMicroelectronics offers the STR710F that operates at 66 MHz. The NXP offering comes with as much as 512 Kbytes of flash, while the STMicroelectronics MCUs range from 128 to 256 Kbytes of flash.
More powerful MCUs based on the ARM9 core include the AT91SAM family from Atmel and the LH7A400 and LH7A404 from NXP. Generally, all the ARM9 products support the Thumb instruction set that allows design teams the option of using 32- or 16-bit instructions to optimize code density in applications where memory footprint is a concern.
NXP optimized the LH7A404 architecture to host an operating system, integrating an MMU and a 133-MHz external bus for fast off-chip memory. The MCUs operate as fast as 266 MHz and integrate features that will minimize the need for external components. For example, the MCUs include an LCD controller capable of 1024x768-pixel resolution, along with an AC ’97 codec for audio requirements. The MCUs include a wide array of peripherals such as data converters, PWM controllers, timers and general-purpose I/O.
Atmel’s AT91SAM family, meanwhile, includes MCUs that can operate as fast as 400 MHz. Some of the MCUs include no integrated memory for code storage, while others offer as much as 512 Kbytes of flash or 128 Kbytes of ROM. The AT91SAM9G45 (no flash or ROM) and AT91SAM9263 (128 Kbytes ROM) include an LCD controller and an AC ’97 audio codec. The AT91SAM9XE family includes an LCD controller, resistive touch-screen interface, and a memory controller for DDR and SDRAM memory (Figure 2).
Figure 2: The ARM9-based Atmel AT91SAM9XE family MCUs integrate an LCD controller, and a broad array of typical MCU peripherals, and can interface with DDR or SDRAM memory.
ARM isn’t the only RISC architecture used in MCUs that can host the Integrity platform. Freescale has several MCUs based on the Power Architecture (formerly PowerPC) to which Integrity has been ported. The MPC555 and MPC565 operate at speeds from 40 to 56 MHz, and integrate as much as 2 Mbytes of flash. CAN is a prominent feature, and as Figure 3 shows, the MCUs come with a broad peripheral set. In keeping with a recurring theme for Freescale, the design includes a hardware FPU to accelerate math operations that will prove valuable in executing security algorithms.
Figure 3: Freescale’s Power-Architecture-based MPC555 MCU integrates flash and an FPU along with typical peripherals such as data converters, timers, and a CAN interface. (Source: Freescale Semiconductor)
MCUs spanning a wide range of performance and integrated peripheral sets can also host a security platform such as the Green Hills Integrity-178B operating system. This doesn’t mean an MCU is always the best choice in a security application. Some applications will require a higher-end microprocessor. But if an MCU can concurrently run the security operating system and meet your application performance requirements, the integrated peripheral set will likely deliver lower system cost and a smaller footprint.