Azure Sphere Secure IOT - First look

Overview

Azure Sphere is a new platform from Microsoft it consists of a system on chip, SDK and online tools for management. The key problem they are trying to solve is making IOT devices secure.

Edit media

Dimensions x Small Medium Large Custom

Subject (required) Brief Description Tags (separated by comma) Video visibility in search results Visible Hidden

Parent content

Azure Sphere Secure IOT - First look Sensing and securing valuables with Azure Sphere

Poster

Upload Preview

Ok

Cancel

Some of the principles they've used are described in the "Seven Properties of Highly Secure Devices" white paper, a summary shown in the table below.

To achieve this, they have designed a new architecture along with MediaTek, the system on chip MT3620. This consists of multiple cores. The "Pluton" is a security processor, this is responsible for hardware random number generation, key and certificate storage, cryptographic functions and failure management. Alongside this is an Arm Cortex-A7 application processor and two Cortex-M4 cores with floating point units that can be used to offload processing or I/O from the main processor. It also has the usual range of peripherals such as UART,I2C,SPI,I2S,PWM,GPIO and ADC.  There's also Wifi connectivity supporting a/b/g/n in the 2.4GHz,  5GHz ranges. All these components are separated by "I/O Firewalls" so you can lock given peripherals to just specific cores. Given the sheer number of things on this SOC I'm expecting a higher than average power consumption, that's something I'll have to look into.

Comparable products

I've not looked at the alternatives in detail but both Microchip and Cypress have "Secure IOT" offerings.

https://www.microchip.com/design-centers/embedded-security

http://www.cypress.com/solutions/internet-things-iot

Getting going

https://azure.microsoft.com/en-us/services/azure-sphere/get-started/

Microsoft has partnered with French and German distributors but I could not work out how to order from them for the UK. So I ordered from Seeed making sure to pick the EU model so it works properly with our Wifi.

There's not much in the box, just a card with the Wifi conformity details and URL for SDK along with the board and a USB cable.

Visual studio community

It is possible to cross-compile Azure Sphere code from the command line using just the SDK and GCC but if you use Visual Studio it's possible to build and debug from the IDE. I use VS at work so am fairly familiar with it so that seemed my preferred option. The Visual Studio suite of tools is pretty large so I installed the "Comunity Edition" onto my home machine using just the core editor to start with. That was still 650MB.

https://azure.microsoft.com/en-gb/blog/developing-an-azure-sphere-experience-with-visual-studio/

I then downloaded the SDK which at this time is still a preview. http://aka.ms/AzureSphereSDKDownload

Installing the SDK took some time on this machine as it needed to install all of the other prerequisites and dependencies, the Azure Sphere components when it finally got to them did not take long at all.

I then fired up Visual Studio, created a new project using the blink sample and hit build.

That completed successfully.

1>------ Build started: Project: Mt3620Blink1, Configuration: Debug ARM ------
1>Azure Sphere Utility version 2.0.2.45571
1>Copyright (C) Microsoft Corporation. All rights reserved.
1>
1>Start time (UTC): Wednesday, 07 November 2018 22:40:04
1>verbose: Creating image.
1>verbose: Azure Sphere application image written.
1>verbose: Appending metadata.
1>verbose: Wrote metadata:
1>  Section: Identity
1>    Image Type:        Applications
1>
1>    Component UID:     d762ff43-6761-45b0-bb44-6c555b55cf14
1>
1>    Image UID:         71bad514-7fc9-4af5-b766-7e1bf8e0ac75
1>
1>  Section: Signature
1>    Signing Type:      ECDsa256
1>
1>    Cert:              a8d5cc6958f48710140d7a26160fc1cfc31f5df0
1>
1>  Section: Debug
1>    Name:              Mt3620Blink1
1>
1>    Built On (UTC):    07/11/2018 22:40:10
1>
1>    Built On (Local):  07/11/2018 22:40:10
1>
1>  Section: Temporary Image
1>    Remove image at boot: False
1>
1>    Under development: True
1>
1>  Section: ABI Depends
1>    Depends:           ApplicationRuntime@1
1>
1>
1>verbose: Packaging completed successfully.
1>verbose: Output file is at: C:\Users\owner\Desktop\Andy\Azure Sphere\Mt3620Blink1\Mt3620Blink1\bin\ARM\Debug\Mt3620Blink1.imagepackage
1>Command completed successfully in 00:00:07.2077566.
========== Build: 1 succeeded, 0 failed, 0 up-to-date, 0 skipped ==========

One point of interest is that the code contains a manifest file, that contains the capabilities that the processors are allowed to use. This is part of the firewalls mentioned earlier. If you don't include a required GPIO or UART then the processors won't connect to them. As an experiment, I removed GPIO 8 from this list (the LED that is toggled by the code) and it still compiled successfully so this is only checked at runtime.

{
  "SchemaVersion": 1,
  "Name" : "Mt3620Blink1",
  "ComponentId" : "d762ff43-6761-45b0-bb44-6c555b55cf14",
  "EntryPoint": "/bin/app",
  "CmdArgs": [],
  "TargetApplicationRuntimeVersion": 1,
  "Capabilities": {
    "AllowedConnections": [],
    "Gpio": [ 8, 9, 10, 12 ],
    "Uart": [],
    "WifiConfig": false
  }
}

Claiming the board

The next step is to claim the board so that I can deploy code to it and monitor it from Azure IOT Hub. I've not completed this yet but there's a few steps such as setting up logins so I'll cover that in more detail in the next post.

https://azure.microsoft.com/mediahandler/files/resourcefiles/azure-sphere-device-authentication-and-attestation-service/…

https://azure.microsoft.com/en-us/services/iot-hub/

Project

Those who know of my previous projects will be happy to know that this one is also going to be in the form of an enchanted object. I'm not going to let too much out of the bag at the moment but here's a teaser.