The following sections give a brief introduction to core security features available in Nordic Semiconductor products. The features are made available either as built-ins in modules, drivers, and subsystems, or are shown in samples or applications in nRF Connect SDK.
The nRF Connect SDK supports secure boot of application images enforced by the bootloader. The secure boot utilizes signature validation and security hardware features to establish a root-of-trust during the boot process, and to ensure the validity of the firmware that is booted.
There are two available bootloaders in nRF Connect SDK:
nRF Secure Immutable Bootloader (NSIB), enabled by the configuration option
A customized version of sdk-mcuboot, enabled by the configuration option
When enabling the NSIB, the MCUboot can serve as an upgradable second-stage bootloader. For more information about the bootloaders, see Bootloaders and Device Firmware Updates.
The Trusted Firmware-M project (TF-M) is a reference design of the Arm Platform Security Architecture (PSA). Through TF-M, nRF Connect SDK utilizes the security features of the Arm TrustZone technology to configure secure peripherals and memory, and to provide PSA functional APIs as secure services.
TF-M enables hardware supported separation of a Secure Processing Environment (SPE) and a Non-Secure Processing Environment (NSPE) that constitutes the Zephyr RTOS, protocol stacks, and the application.
Enable TF-M in a project by enabling the
For more information about the TF-M, see the TF-M documentation and Running applications with Trusted Firmware-M. For more information about SPE and NSPE in the nRF Connect SDK, see Processing environments.
Hardware unique key
Nordic Semiconductor devices featuring the CryptoCell cryptographic accelerator allow the usage of a hardware unique key (HUK) for key derivation.
A HUK is a unique symmetric cryptographic key which is loaded in special hardware registers allowing the application to use the key by reference, without any access to the key material.
To enable the HUK in an application, enable the
For more information, see the hardware unique key library and sample.
Device firmware upgrade (DFU)
The nRF Connect SDK supports firmware upgrade using over-the-air (OTA) and serial firmware upgrades, depending on the capabilities of the device. For more information about the firmware upgrades, see the available DFU libraries.
The nRF Connect SDK can be configured to enforce secure DFU mechanisms, including validating the digital signature of an image and checking for the version to prevent downgrade attacks. The secure DFU mechanisms are handled by the MCUboot bootloader. For more information, see the MCUboot documentation.
Cryptographic operations in nRF Connect SDK
Cryptographic operations in nRF Connect SDK are handled by the Nordic Security Module, which is configurable through Kconfig options.
The module can be enabled through the
CONFIG_NRF_SECURITY Kconfig option, and it allows the usage of Mbed TLS and PSA Cryptography API 1.0.1 for cryptographic operations and random number generation in the application.
The Nordic Security Module acts as an orchestrator for the different cryptographic libraries available in the system. These libraries include the binary versions of accelerated cryptographic libraries listed in Crypto Libraries, and the open source Mbed TLS implementation in nRF Connect SDK located in sdk-mbedtls.
The Kconfig option
CONFIG_NRF_SECURITY prioritizes the usage of the accelerated libraries by default when this is supported by the platform.
For more information about the configuration and usage of the Nordic Security Module, see the Configuration page.
See also Cryptography samples for examples of how to configure and perform different cryptographic operations in the nRF Connect SDK.
Access port protection mechanism
Several Nordic Semiconductor SoCs supported in the nRF Connect SDK offer an implementation of the access port protection mechanism (AP-Protect). When enabled, this mechanism blocks the debugger from read and write access to all CPU registers and memory-mapped addresses. Accessing these registers and addresses again requires disabling the mechanism and erasing the flash.
For more information, see Enabling access port protection mechanism.