The CRA specifies a minimum set of security features to be mandatory for all IoT devices marketed in Europe from 2025. It requires device OEMs to build in functionality to secure each device, its software and its connections. Under the terms of the law, the OEM must also be able to rapidly identify and fix any exposures to a known vulnerability in any production device in the field, for the full lifespan of those devices.
Foundries.io, a provider of cloud-native development and deployment DevOps solutions for secure IoT and Edge devices, has teamed up with Arduino to give users of the Portenta X8, a SoM for high-performance embedded computing applications, a ready-made system that offers the full set of hardware and software security and operational features required for compliance with the CRA for the lifetime of each device.
Developers who use the SOM can manage device authentication, secure storage, provisioning, a software bill-of-materials (SBOM), and over-the-air (OTA) updating, all in a single, cloud-based user environment. The system is highly secure against all known forms of cyber-attack and malware, and enables rapid, device-specific responses to emerging Common Vulnerabilities and Exposures (CVE) notices.
Arduino has met the requirements of the EU’s CRA by building the Linux microPlatform (LmP) and FoundriesFactory DevOps product from Foundries.io into the Portenta X8 SoM. This provides users with a fully maintained Linux distribution – Arduino develops and provides updates to the Linux microPlatform operating system using the secure The Update Framework (TUF) compliant OTA updating utility in the FoundriesFactory product.
The Portenta X8 offers a comprehensive suite of security functions provided by the Linux microPlatform and FoundriesFactory platform, including:
- Secure boot
- A trusted execution environment
- Remote attestation
- Key installation
- Cloud authentication
- TUF-compliant secure OTA updating
- A SBOM that is automatically generated after every software update
The complexity of implementing all these capabilities is addressed with Foundries.io software that can be easily configured and deployed on the Portenta X8. The X8 Board Manager tool provides a visual interface that ensures a user experience familiar to users of the Arduino EE development environment.
John Weil, Chief Marketing Officer of Foundries.io, said, “Normally, SoM manufacturers supply their boards with a sample Linux distribution that is not maintained after shipment to the customer, and with none of the security infrastructure such as an SBOM tool and OTA update utility required to maintain device security for life.
“Thanks to the capabilities of the FoundriesFactory platform implemented by Arduino, the Portenta X8 has become the first SoM to provide a straightforward path to full compliance with the EU’s CRA, right out-of-the-box."
Commenting Fabio Violante, CEO of Arduino, added, “When deploying Linux based edge devices, security cannot be an afterthought. That’s why we designed the Arduino Portenta X8 giving the highest priority to security features, end to end. This spans from Hardware and Firmware to the Linux distribution and device management with FoundriesFactory technology. This allowed us to be naturally CRA compliant from the very beginning.”