Security

The following sections give a brief introduction to core security features available in Nordic Semiconductor products. The features are made available either as built-ins in modules, drivers, and subsystems, or are shown in samples or applications in nRF Connect SDK.

Secure boot

The nRF Connect SDK supports secure boot of application images enforced by the bootloader. The secure boot utilizes signature validation and security hardware features to establish a root-of-trust during the boot process, and to ensure the validity of the firmware that is booted.

There are two available bootloaders in nRF Connect SDK:

When enabling the NSIB, the MCUboot can serve as an upgradable second-stage bootloader. For more information about the bootloaders, see Bootloaders and Device Firmware Updates.

Trusted Firmware-M

The Trusted Firmware-M project (TF-M) is a reference design of the Arm Platform Security Architecture (PSA). Through TF-M, nRF Connect SDK utilizes the security features of the Arm TrustZone technology to configure secure peripherals and memory, and to provide PSA functional APIs as secure services.

TF-M enables hardware supported separation of a Secure Processing Environment (SPE) and a Non-Secure Processing Environment (NSPE) that constitutes the Zephyr RTOS, protocol stacks, and the application. Enable TF-M in a project by enabling the CONFIG_BUILD_WITH_TFM option.

For more information about the TF-M, see the TF-M documentation and Running applications with Trusted Firmware-M.

Hardware unique key

Nordic Semiconductor devices featuring the CryptoCell cryptographic accelerator allow the usage of a hardware unique key (HUK) for key derivation. A HUK is a unique symmetric cryptographic key which is loaded in special hardware registers allowing the application to use the key by reference, without any access to the key material. To enable the HUK in an application, enable the CONFIG_HW_UNIQUE_KEY option.

For more information, see the hardware unique key library and sample.

Device firmware upgrade (DFU)

The nRF Connect SDK supports firmware upgrade using over-the-air (OTA) and serial firmware upgrades, depending on the capabilities of the device. For more information about the firmware upgrades, see the available DFU libraries.

The nRF Connect SDK can be configured to enforce secure DFU mechanisms, including validating the digital signature of an image and checking for the version to prevent downgrade attacks. The secure DFU mechanisms are handled by the MCUboot bootloader. For more information, see the MCUboot documentation.

Cryptographic operations in nRF Connect SDK

Cryptographic operations in nRF Connect SDK are handled by the Nordic Security Module, which is configurable through Kconfig options. The module can be enabled through the CONFIG_NRF_SECURITY Kconfig option, and it allows the usage of Mbed TLS and PSA Cryptography API 1.1 for cryptographic operations and random number generation in the application.

The Nordic Security Module acts as an orchestrator for the different cryptographic libraries available in the system. These libraries include the binary versions of accelerated cryptographic libraries listed in Crypto Libraries, and the open source Mbed TLS implementation in nRF Connect SDK located in sdk-mbedtls.

The Kconfig option CONFIG_NRF_SECURITY prioritizes the usage of the accelerated libraries by default when this is supported by the platform. For more information about the configuration and usage of the Nordic Security Module, see the Configuration page.