Who provides the “hard” support behind Microsoft’s Azure Sphere IoT security platform?
Azure Sphere, Microsoft's security-focused application platform for IoT devices, was announced in 2018 and reached commercial availability in February 2020, roughly two years later. From that point on, Microsoft can use its cloud platform to provide ongoing protection for every Azure Sphere device deployed in the field.
As a cloud-based security service for IoT devices, Azure Sphere maintains, updates and controls devices built on Azure Sphere-certified chips. Its main functions include: brokering the connections between devices, the Internet and supporting cloud services, using secure boot and a hardware root of trust (RoT) to authenticate each device's identity and verify its integrity; ensuring that devices run only approved code; and providing a channel through which Azure Sphere OS updates and application updates are automatically downloaded and installed on deployed devices.
These functions are delivered through a cloud platform. A one-time fee of less than US $8.65 per Azure Sphere-certified chip entitles the user to all Azure Sphere components, including OS updates for the lifetime of the chip, with no additional charges. Azure Sphere is not, however, just another IoT cloud service. It is a complete IoT security system consisting of three components:
- An Azure Sphere-certified chip with built-in Microsoft security technology that provides connectivity and a hardware root of trust.
- A custom Linux-based Azure Sphere OS, designed to provide a trustworthy platform for new IoT experiences.
- The cloud-based Azure Sphere Security Service, which brokers trust for device-to-cloud communication, detects threats, and keeps device security up to date, providing continuous protection for devices.
Figure 1 Complete Azure Sphere IoT security system (Image source: Microsoft)
The reason behind Azure Sphere's 'three-in-one' design is not hard to see: IoT is itself a complex system spanning everything from edge devices to the cloud. A weakness in any link can become a serious security hazard, and only by controlling every link can the security of the whole IoT system be assured.
Building a comprehensive security system is not easy. Two of Azure Sphere's three components are software, which is home territory for Microsoft. The "security chip", however, requires a hardware partner to build Azure Sphere's security functions into silicon.
Finding a hardware partner for Azure Sphere was part of Microsoft's plan from the start. In 2018, not long after Microsoft announced its plans for the Azure Sphere platform, MediaTek introduced the MT3620, an Azure Sphere-certified microcontroller.
The MT3620 combines an Arm Cortex-A7 application processor running at up to 500 MHz, two general-purpose Arm Cortex-M4F cores running at up to 200 MHz, and a range of peripherals. This computing capacity supports a wide variety of applications, but it is the MT3620's Azure Sphere-related security features that deserve particular attention:
- The MT3620 contains an independent Microsoft Pluton security subsystem that serves as the Azure Sphere root of trust. The subsystem has its own Arm Cortex-M4F core and is responsible for secure boot and for the chip's security-critical operations.
- The 1x1 dual-band 802.11a/b/g/n Wi-Fi subsystem is likewise self-contained: it is controlled by a dedicated Andes N9 32-bit RISC core and includes the radio, baseband and MAC, supporting high-throughput applications.
Both the security subsystem and the Wi-Fi subsystem run independently and are isolated from the end-user applications running on the chip's application cores. Applications therefore see only the hardware functions that Azure Sphere chooses to expose to them, which limits what a faulty or compromised application can reach and so protects the device as a whole.
Naturally, Microsoft's hardware ecosystem did not stop there. The MediaTek collaboration can be viewed as both a test and a demonstration, and other semiconductor manufacturers, including Nordic, Nuvoton, NXP, STMicro and Silicon Labs, followed. Chip products supporting Azure Sphere are being introduced in quick succession. Last year, for example, NXP announced a collaboration with Microsoft to bring Azure Sphere security certification to its i.MX 8 high-performance application processors, giving edge nodes a secure, high-performance, heterogeneous multi-core embedded computing platform.
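On the application side, the exposure described above is enforced through a capability model: every Azure Sphere high-level application ships an app_manifest.json that declares the peripherals and network endpoints it needs, and the OS refuses access to anything not listed. The following manifest is an added example, not code from the original article or from Avnet or Microsoft; the format is Microsoft's documented manifest schema, while the application name, the all-zero ComponentId and tenant ID, the GPIO numbers, the I2C controller and the hub hostname are placeholder values chosen for illustration.

```json
{
  "SchemaVersion": 1,
  "Name": "SensorTelemetry",
  "ComponentId": "00000000-0000-0000-0000-000000000000",
  "EntryPoint": "/bin/app",
  "CmdArgs": [],
  "Capabilities": {
    "Gpio": [ 8, 9 ],
    "I2cMaster": [ "ISU2" ],
    "AllowedConnections": [ "example-hub.azure-devices.net" ],
    "DeviceAuthentication": "00000000-0000-0000-0000-000000000000"
  },
  "ApplicationType": "Default"
}
```

With this manifest in place, an attempt by the application to open a GPIO pin not listed under Gpio, to use an I2C controller other than ISU2, or to connect to a host not in AllowedConnections fails at the OS level. The Pluton security subsystem and the Wi-Fi core are not addressable from application code at all, regardless of what the manifest requests, which is the practical consequence of the hardware isolation described above.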
From chips to solutions
Still, anyone in hardware development knows that getting from a chip to a marketable product and solution is a long process, and many developers and users need a helping hand. The ideal candidate for that role needs extensive experience in hardware security as well as expertise in microcontroller and IoT application development, and broad supply-chain resources would help too. Microsoft chose Avnet as the first distributor providing technical support for its Azure Sphere solutions.
One major outcome of this collaboration is the MT3620-based Azure Sphere starter kit that Avnet developed, which lets developers quickly build highly secure end-to-end IoT applications with all the advantages of the Azure Sphere services.
Figure 2 Avnet developed an Azure Sphere starter developer kit based on MT3620 (Image source: Avnet)
At the core of the kit is an MT3620-based Azure Sphere module with Wi-Fi connectivity. Through the kit's expansion interfaces it can connect to peripheral sensors, displays, motors and relays. The baseboard routes the module's I/O to two MikroE Click slots, a Grove I2C connector, a header for an optional 128x64 OLED display, and on-board sensors (a 3-axis accelerometer, a 3-axis gyroscope, a temperature sensor and an ambient light sensor). Programming and debugging are done over a USB-to-UART interface, which also supplies the 5 V needed to power the board.
Figure 3 On-board resources for Avnet’s MT3620-based Azure Sphere starter developer kit (Image source: Avnet)
Figure 4 System framework diagram for Avnet’s MT3620-based Azure Sphere starter developer kit (Image source: Avnet)
In fact, even before Azure Sphere was commercially released, Avnet's Azure Sphere starter kit was already being widely promoted in IoT development communities. By providing a hardware development platform that filled the missing link between chip and solution, it let many developers try out Azure Sphere's security features ahead of time. Now that Azure Sphere has been officially commercialized, the full value of Avnet's 'hard' support will become increasingly apparent. Get ready for the arrival of Azure Sphere's IoT cloud service!