How to Ensure Safe Device Updates on Matter – Arm Community IoT Blog

Keeping Matter devices secure with PSA Certified Firmware Update

There are many individuals who share Arm’s vision of smart connected devices enabling rapid innovation at work and home in the coming years. Such connectivity promises to yield new applications for solving problems and improving lives. But onlookers are keen to see how the industry resolves a large obstacle to the next phase of digital transformation: how to keep these smart devices securely updated over time and protected from evolving threats. This blog looks at how Arm and its partners are helping the secure update of Matter devices.

At Arm, the new smart home standard, Matter, is considered a turning point for the electronics industry. Matter is a unifying protocol enabling devices to connect to different cloud services and supporting a new era of mass deployment. The Matter standard extends all the way up to the application enabling simplicity of use, interoperable devices and cloud services, better reliability, and improved security. The good news is that Matter-enabled devices should emerge this year for smart home use cases, such as lights, door locks, and cameras. With a Matter enabled home, the vision is that a resident IT specialist will no longer be needed to keep it running. In brief, Matter removes the fragmentation to drive mass adoption.

Beyond connectivity there is further collaboration on security

But what of the issue of ensuring secure by design devices and services? Over many years, Arm has enabled ecosystem partners to adopt common security principles and a hardware Root of Trust (RoT). An example of this industry approach is PSA Certified, an open standard for security certification of chips, system software, and devices. PSA stands for Platform Security Architecture. PSA Certified Application Programming Interfaces (APIs) have been developed and made available on GitHub to standardize the interface to the hardware RoT and its Trusted Services. The APIs help developers more efficiently manage secure update, cryptographic operations, secure storage, and attestation. And of course, this open support frees developers up to focus more of their time on product and feature differentiation.

Industry support for PSA Certified

Image shows industry take-up for PSA from psacertified.org, January 2023

Alongside bringing interoperability to connected home devices, the Matter project provides some beneficial security features. Among those features is the ability to run secure firmware updates, a crucial requirement for maintaining devices and patching vulnerabilities over long periods of time.

Arm has been working intently with partners on defining a low-level firmware update API: one that enables easy and secure firmware updates on microcontrollers, and which has PSA Certified alignment and backing. So how are the two initiatives related?

Matter specifications for firmware update

First, from a Matter perspective, the Matter specification (v1.0 October 2022) (reference *1) defines how firmware images are identified as possible candidates for updates. It also defines how devices and servers communicate about new firmware versions and how to request the user’s consent before applying an update.

Matter also defines specific properties expected from Firmware update mechanisms, specifying that:

  • Firmware images must be signed and may be encrypted.
  • Firmware updates are always expected to be packaged as a single file.
  • Firmware cannot be rolled back.

For more details, check out the Matter specification sections 11.19.2 for rollback protection, 11.19.4.1 for image encryption, 11.19.4.2 for image verification and single-image updates.

The Matter specification can be downloaded from here.

Matter describes the detailed sequence to achieve a secure firmware update in its Over-The-Air (OTA) update time diagram published in the Matter specification (page 735). This process takes care of identifying the correct firmware image, downloading it, validating it, and managing integrity and signature checks. It then relies on the device to know how to apply the update. Unfortunately, applying a firmware update involves an unexpectedly rich set of possible failures that need to be considered: this is where the PSA Certified firmware update API takes over.

Addressing possible failures with the PSA Certified firmware update API

The PSA Certified Firmware update API takes care of step 62 in the Matter OTA update process.

Diagram showing how Matter deals with Over-the-Air updates

Figure from the Matter 1.0 Core Specifications, chapter 11.19.3 Software Update Workflow.

Seen from the outside, the problem can be subdivided into two main concerns:

Common terminology for firmware updates

Diagram from the PSA Certified Firmware Update API (API v1.0-BETA, paragraph 3.1 Concepts and Terminology)

Flow of Matter device updates
Image shows the flow for device updates, extracted from the PSA Certified Firmware Update API

Matter’s job is to specify requirements for the Firmware Creator, the Update Server, and how the Update Client downloads and validates firmware images.

The API’s job is to take a downloaded firmware image to installation and handle all possible errors along the way.

Matter’s specific requirements around firmware images are all handled by the API:

  • Signed images are always required, with early checks done by the Update Client and final validation from the bootloader.
  • Encryption is optional for both Matter and API.
  • The API can deal with single or multiple images for a single update operation.
  • The API supports rollback protection.

Both Matter and the API support constrained devices that cannot download more than a given block size at a time, providing firmware images in successive chunks. This is the expected case for many microcontrollers.

Between steps 62 (apply update) and step 63 (Notify Update Applied) on the Matter diagram, the device may be rebooted, sometimes multiple times, before the update can be considered complete. Those cases are handled in the Firmware Update state diagram.
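To make the division of labour above concrete, here is an added example (not code from the Arm post, the Matter specification or the PSA Certified API) modelling the device-side steps the API owns: staging an image block by block, refusing a version that is not newer than the running one, verifying before install, and treating the first boot of the new image as a trial that must be confirmed or is rolled back. The fwu_* names and the demo_verify rule are hypothetical stand-ins, not the real API.

```c
/* Added example, not code from the Arm post, the Matter spec or the PSA API: a
 * simplified model of an Update Client staging a chunked image with rollback
 * protection and a trial boot. The fwu_* names are hypothetical stand-ins. */
#include <stdint.h>
#include <string.h>
enum fwu_state { FWU_READY, FWU_WRITING, FWU_CANDIDATE, FWU_TRIAL, FWU_UPDATED, FWU_REJECTED };
#define IMAGE_MAX 64
struct fwu_slot {
    enum fwu_state state;
    uint32_t active_version, staged_version;   /* running image vs. candidate */
    uint8_t image[IMAGE_MAX];
    size_t received, expected;
};
/* Stand-in for the bootloader's signature check: a constructed rule for this demo only. */
static int demo_verify(const uint8_t *img, size_t n) { return n > 0 && img[n - 1] == 0x5A; }
/* Start staging: refuse anything not newer than the running image (no rollback). */
int fwu_start(struct fwu_slot *s, uint32_t version, size_t size) {
    if (s->state != FWU_READY || size > IMAGE_MAX) return -1;
    if (version <= s->active_version) return -2;
    s->staged_version = version; s->expected = size; s->received = 0;
    s->state = FWU_WRITING;
    return 0;
}
/* Blocks arrive in order at an explicit offset; gaps or overruns are rejected. */
int fwu_write(struct fwu_slot *s, size_t offset, const uint8_t *blk, size_t len) {
    if (s->state != FWU_WRITING || offset != s->received || offset + len > s->expected) return -1;
    memcpy(s->image + offset, blk, len);
    s->received += len;
    return 0;
}
/* Image complete and verified -> candidate; a failed check discards it and allows a retry. */
int fwu_finish(struct fwu_slot *s, int (*verify)(const uint8_t *, size_t)) {
    if (s->state != FWU_WRITING || s->received != s->expected) return -1;
    if (!verify(s->image, s->received)) { s->state = FWU_READY; return -2; }
    s->state = FWU_CANDIDATE;
    return 0;
}
int fwu_install(struct fwu_slot *s) {           /* apply: boot the candidate on trial */
    if (s->state != FWU_CANDIDATE) return -1;
    s->state = FWU_TRIAL; return 0;
}
/* The new image must confirm itself; a reboot without confirmation rolls back. */
int fwu_accept(struct fwu_slot *s) {
    if (s->state != FWU_TRIAL) return -1;
    s->active_version = s->staged_version; s->state = FWU_UPDATED; return 0;
}
int fwu_reboot_unconfirmed(struct fwu_slot *s) {
    if (s->state != FWU_TRIAL) return -1;
    s->state = FWU_REJECTED; return 0;   /* active_version unchanged */
}
```

The point of the explicit states is that every reboot between "apply" and "update applied" lands in a defined place: an unconfirmed trial boot falls back to the recorded active version rather than leaving the device half-updated.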

Conclusion

In summary, while Matter ensures connectivity at the application layer, Arm and its partners provide secure connectivity at the device level, and to PSA Certified standards. These two aspects are complementary, as illustrated for OTA updates, where Matter delivers the firmware and Arm’s API performs the update.

Developers can focus on the code innovation that will bring about a smarter home, not on deciphering fine-grained security or connectivity issues. In other words, they can focus on writing better code for their device rather than wasting time on low-level software plumbing.

The firmware update model is a clear example of how the diverse Arm ecosystem offers connected, secure, and certified platforms running out of the box. The result is that when innovating on Arm, you can be up and developing from day one, get to market quicker, and capture the market opportunity. With support from over 400 Arm ecosystem partners, Matter is truly delivering on the promise of “Matter just works out of the box!”

Feedback and contributions on both specifications and reference implementation are welcome.

PSA Certified Firmware Update API Spec

Further reading

Reference code for all PSA Certified APIs can be found in the TF-M project hosted on:

TF-M

References:

*1) in Chapter 11.19 Over-the-Air (OTA) Software Update
