The Internet of Things on AWS – Official Blog

Support for Secure Elements in FreeRTOS

Secure elements represent a category of devices intended to enhance security in connected devices. For microcontroller (MCU)–based devices, secure elements provide tamper-resistant storage of private keys and certificates, and offloading of cryptographic functions from the host microcontroller.

You can now leverage two new qualifications that include support for secure elements within Amazon FreeRTOS. These qualifications expand choice and enhance security in development and deployment processes, enabling Amazon FreeRTOS devices to connect securely to mutually authenticated cloud services, such as AWS IoT Core.

Using a secure element means that the secret keys are never exposed to the host microcontroller or the application. Memory-constrained devices can benefit from offloading cryptographic functions to a secure element. The device provisioning process can also be simplified and made more secure by taking advantage of secure elements that ship with pre-provisioned keys and certificates, or that generate keys on the device itself.

Amazon FreeRTOS uses secure elements through the open standard PKCS #11 interface. Device credentials and secret keys are accessed indirectly through object handles, so the key material itself never leaves the secure element, which reduces the risk of data leakage. Use cases include Transport Layer Security (TLS), verifying signed over-the-air (OTA) update images, and device provisioning. When a secure element is available, cryptographic functions are mapped to the features it provides.

The following diagram represents the data flow between the customer application, Amazon FreeRTOS libraries, the silicon vendor–provided PKCS #11 implementation, and the secure element.



There are two reference integrations that use secure elements:

· The Amazon FreeRTOS Windows simulator implementation, connected to the Microchip ATECC608A secure element

· The Infineon XMC4800 IoT Connectivity Kit with OPTIGA Trust X

Both reference integrations have been qualified using AWS IoT Device Tester for Amazon FreeRTOS.

With these two new qualifications, you can use secure elements on these configurations directly, and use them as references when porting to other configurations. For more information about the use of secure elements with Amazon FreeRTOS, see PKCS #11 Cryptographic Libraries, and review the Securing Amazon FreeRTOS devices at scale with Infineon OPTIGA Trust X post.