Microsoft Unveils Secure MCU Platform with a Linux-Based OS

By Eric Brown

Microsoft has announced an “Azure Sphere” blueprint for for hybrid Cortex-A/Cortex-M SoCs that run a Linux-based Azure Sphere OS and include end-to-end Microsoft security technologies and a cloud service. Products based on a MediaTek MT3620 Azure Sphere chip are due by year’s end.

Just when Google has begun to experiment with leaving Linux behind with its Fuchsia OS —new Fuchsia details emerged late last week— long-time Linux foe Microsoft unveiled an IoT platform that embraces Linux. At RSA 2018, Microsoft Research announced a project called Azure Sphere that it bills as a new class of Azure Sphere microcontrollers that run “a custom Linux kernel” combined with Microsoft security technologies. Initial products are due by the end of the year aimed at industries including whitegoods, agriculture, energy and infrastructure.

Based on the flagship, Azure Sphere based MediaTek MT3620 SoC, which will ship in volume later this year, this is not a new class of MCUs, but rather a fairly standard Cortex-A7 based SoC with a pair of Cortex-M4 MCUs backed up by end to end security. It’s unclear if future Azure Sphere compliant SoCs will feature different combinations of Cortex-A and Cortex-M, but this is clearly an on Arm IP based design. Arm “worked closely with us to incorporate their Cortex-A application processors into Azure Sphere MCUs,” says Microsoft. 

Azure Sphere OS architecture (click images to enlarge)

Major chipmakers have signed up to build Azure Sphere system-on-chips including Nordic, NXP, Qualcomm, ST Micro, Silicon Labs, Toshiba, and more (see image below). The software giant has sweetened the pot by “licensing our silicon security technologies to them royalty-free.”

Azure Sphere SoCs “combine both real-time and application processors with built-in Microsoft security technology and connectivity,” says Microsoft. “Each chip includes custom silicon security technology from Microsoft, inspired by 15 years of experience and learnings from Xbox.”

The design “combines the versatility and power of a Cortex-A processor with the low overhead and real-time guarantees of a Cortex-M class processor,” says Microsoft. The MCU includes a Microsoft Pluton Security Subsystem that “creates a hardware root of trust, stores private keys, and executes complex cryptographic operations.”

The IoT oriented Azure Sphere OS provides additional Microsoft security and a security monitor in addition to the Linux kernel. The platform will ship with Visual Studio development tools, and a dev kit will ship in mid-2018.

Azure Sphere security features (click image to enlarge)

The third component is an Azure Sphere Security Service, a turnkey, cloud-based platform. The service brokers trust for device-to-device and device-to-cloud communication through certificate-based authentication. The service also detects “emerging security threats across the entire Azure Sphere ecosystem through online failure reporting, and renewing security through software updates,” says Microsoft.

Azure Sphere eco-system conceptual diagram (top) and list of silicon partners (bottom)

In many ways, Azure Sphere is similar to Samsung’s Artik line of IoT modules, which incorporate super-secure SoCs that are supported by end-to-end security controlled by the Artik Cloud. One difference is that the Artik modules are either Cortex-A applications processors or Cortex-M or -R MCUs, which are designed to be deployed in heterogeneous product designs, rather than a hybrid SoC like the MediaTek MT3620.Hybrid, Linux-driven Cortex-A/Cortex-M SoCs have become common in recent years, led by NXP’s Cortex-A7 based i.MX7 and -A53-based i.MX8, as well as many others including the -A7 based Renesas RZ/N1D and Marvell IAP220.

MediaTek MT3620

The MediaTek MT3620 “was designed in close cooperation with Microsoft for its Azure Sphere Secure IoT Platform,” says MediaTek in its announcement. Its 500MHz Cortex-A7 core is accompanied by large L1 and L2 caches and integrated SRAM. Dual Cortex-M4F chips support peripherals including 5x UART/I2C/SPI, 2x I2S, 8x ADC, up to 12 PWM counters, and up to 72x GPIO.

The Cortex-M4F cores are primarily devoted to real-time I/O processing, “but can also be used for general purpose computation and control,” says MediaTek. They “may run any end-user-provided operating system or run a ‘bare metal app’ with no operating system.”

In addition, the MT3620 features an isolated security subsystem with its own Arm Cortex-M4F core that handles secure boot and secure system operation. A separate Andes N9 32-bit RISC core supports 1×1 dual-band 802.11a/b/g/n WiFi.

The security features and WiFi networking are “isolated from, and run independently of, end user applications,” says MediaTek. “Only hardware features supported by the Azure Sphere Secure IoT Platform are available to MT3620 end-users. As such, security features and Wi-Fi are only accessible via defined APIs and are robust to programming errors in end-user applications regardless of whether these applications run on the Cortex-A7 or the user-accessible Cortex-M4F cores.” MediaTek adds that a development environment is avaialble based on the gcc compiler, and includes a Visual Studio extension, “allowing this application to be developed in C.”

Microsoft learns to love LinuxIn recent years, we’ve seen Microsoft has increasingly softened its long-time anti-Linux stance by adding Linux support to its Azure service and targeting Windows 10 IoT at the Raspberry Pi, among other experiments. Microsoft is an active contributor to Linux, and has even open-sourced some technologies.

It wasn’t always so. For years, Microsoft CEO Steve Ballmer took turns deriding Linux and open source while warning about the threat they posed to the tech industry. In 2007, Microsoft fought back against the growth of embedded Linux at the expense of Windows CE and Windows Mobile by suing companies that used embedded Linux, claiming that some of the open source components were based on proprietary Microsoft technologies. By 2009, a Microsoft exec openly acknowledged the threat of embedded Linux and open source software.

That same year, Microsoft was accused of using its marketing muscle to convince PC partners to stop providing Linux as an optional install on netbooks. In 2011, Windows 8 came out with a new UEFI system intended to stop users from replacing Windows with Linux on major PC platforms.


Azure Sphere promo video

Further information

Azure Sphere is available as a developer preview to selected partners. The MediaTek MT3620 will be the first Azure Sphere MCU, and products based on it should arrive by the end of the year. More information may be found in Microsoft’s Azure Sphere announcement and product page.

Microsoft | www.microsoft.com

This article originally appeared on LinuxGizmos.com on April 16.

And check out this follow up story also from LinuxGizmos.com :
Why Microsoft chose Linux for Azure Sphere

 

ADVERTISMENT