Secure Processing Unit on the Qualcomm SDA845 SoC


Intrinsyc Technologies offers many leading-edge development kits featuring the Qualcomm SnapdragonTM processor. One of the new capabilities introduced in some of their latest processors is a hardware-based Secure Processing Unit (SPU). This new feature is available in the Qualcomm SDA845, used on Intrinsyc’s new Open-Q™ 845 µSOM, as well as the Snapdragon 8551, which is available for testing and evaluation on the Snapdragon 855 Hardware Development Kit.

Secure processing is important in many areas, including authentication of software to ensure it is an authorized, trusted software image, as well as important key management used by many software systems including Android2.

An SPU is an independent processor subsystem and boot chain for hardened security applications, with its own CPU, memories, and cryptographic engine to provide cryptographic services to other subsystems.

The SPU hardware is a dedicated subsystem that provides an independent boot-loader and boot chain, dedicated clock, hardware-based anti-replay protection, key management unit, and a crypto management unit with inline accelerators. Operating condition sensors are integrated into the subsystem to prevent power attacks. Side-channel resistant cryptographic algorithm implementation includes masking and blinding. SPU is Common Criteria EAL 4+ certifiable, and the SPU’s ARM SC-300-based CPU is not susceptible to the recently published melt down and spectre attacks.

As mentioned by Qualcomm3, there are many capabilities for secure processing. These can include using the above dedicated hardware for authentication of operational software to enable confidence in numerous security-critical applications, including financial transaction validation.

The following are the key features of the SPU:

  • Key management unit
  • Crypto management unit with inline secured hash algorithm/advanced encryption standard (SHA/AES) accelerators
  • Random number generator (RNG)
  • Anti-replay protection
  • Physical protection counter measures

The SPU adds a new root of trust for SPU applications and it provides a distinct security domain independent of the rest of the system and mutually distrustful of all other domains. To maintain the highest level of security the Snapdragon SPU is a closed environment. As a Qualcomm Partner and licensee, Intrinsyc Technologies is uniquely positioned to help develop and deploy SPU applications in concert with Qualcomm’s support team.

The SPU on Snapdragon 845 and Snapdragon 855 SoC’s incorporates a secure hardware subsystem that is independent but yet integrated with the system-on-chip (SoC). This reduces the cost associated with a discrete secure element (SE) component and extends security capabilities beyond the already available traditional Trustzone and Qualcomm Secure Execution Environments. Flexible key storage in hardware-backed (Trustzone or SPU) options enables solutions supporting public and private key generation, management, signing, and verification.

Qualcomm’s Snapdragon processors support a plethora of security capabilities4. With the new option of the SPU, this gives one even greater level of security with independent, secure storage and data management.