Embedded Development and EU Regulations
Leveraging Zephyr RTOS
With the achieved and projected growth of the Internet of Things (IoT), it has become crucial to examine the effects of such a large number of inter-connected and internet-connected devices, which become more ubiquitous in our lives with every passing day.
Governments are trying to bring control to how these devices are developed and deployed, and within the European Union (EU) there are several existing and planned regulations that address the cybersecurity challenges posed by such a landscape.
The General Data Protection Regulation (GDPR) has been in force since 2018; it is a regulation on information privacy that mandates strict rules on how the personal data of EU citizens is collected, processed, and stored.
The Network and Information Security (NIS) Directive has been around since 2016 and was superseded by the Network and Information Security Directive 2 (NIS2) in 2023. It aims to improve cybersecurity across the EU by setting requirements for organizations that will improve their cybersecurity capabilities.
The Cyber Resilience Act (CRA) is entering into force as we write; it aims to ensure that products or software with a digital component are developed securely and that vulnerabilities are addressed throughout their life-cycle.
Influence on Embedded Development
Even though all of the mentioned regulations can affect companies developing embedded software, the CRA is probably the most influential one, which is why we will focus on its impact on embedded development and look into how a modern operating system such as Zephyr can help with compliance.
Zephyr is a real-time operating system (RTOS), which means it can be used in applications that need to satisfy strictly defined time constraints. To satisfy the timing requirements, a real-time OS implements an advanced scheduling algorithm that is event-based and preemptive. That means the system can switch between tasks based on their priorities, instead of giving each task a certain predefined amount of run time. This makes real-time operating systems especially useful for safety-critical applications.
Zephyr’s modular architecture enables developers to introduce only the elements they need, reducing the attack surface, and built-in security features such as secure boot, cryptographic libraries, and memory protection make compliance with regulations easier.
Secure Boot and Root of Trust
Through its Trusted Firmware-M (TF-M) implementation and an architecture that separates the Secure Processing Environment from the Non-Secure Processing Environment, Zephyr enables the segregation of sensitive and security-critical services and components from the non-secure ones. Leveraging a Secure Boot and Root of Trust architecture, Zephyr enables the creation of hierarchies of trust that prevent less trusted components from accessing or compromising more critical parts of the system, and validates the integrity and authenticity of the application firmware.
Memory Protection Design
Focusing on enhancing system security and stability, and leveraging the Memory Protection Units (MPUs) of microcontrollers where available, Zephyr provides memory protection features on multiple levels, including stack overflow detection and memory isolation.
Thread level — threads running in user mode have access only to their own stack and, if so configured, the stacks of other threads in the same memory domain, reducing the risk of their affecting the rest of the system.
Memory domains — conceptually a collection of memory partitions, memory domains are a way to grant a user thread access to additional blocks of memory (besides its own stack buffer, program text, and read-only data, which it can access by default).
Stack protection — whether with a hardware stack overflow detection feature or by using stack canaries (special values used to detect stack overflows), Zephyr catches stack overflows in supervisor and user modes, making the application more robust and reliable.
Secure Communication
By providing multiple communication security and cryptography features designed to protect data both in transit and at rest, Zephyr enables end-to-end security for the devices running it.
More features, such as secure access modules (SAMs), Trusted Platform Modules (TPMs), and Trusted Execution Environments (TEEs), are also planned and in various states of development.
Cryptographic libraries — through PSA Crypto, with mbedTLS as the underlying implementation (additional libraries are also available), Zephyr enables applications to leverage multiple cryptographic algorithms and ensure secure cryptographic operations.
Communication protocols — Zephyr supports TLS and DTLS for secure network connections, ensuring confidentiality and integrity of transmitted data.
System-level security — a wide array of features such as device authentication, over-the-air (OTA) updates, and access control for onboard resources is available to make the application more resilient and easier to manage.
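The sections above name the features without showing where a project turns them on. The following prj.conf fragment is an added example for this article, not code from the article or from the Zephyr project: it collects the Kconfig options behind the secure boot, memory protection, and secure communication features described above, with the weak or default setting shown next to the hardened one. It assumes an ARM Cortex-M board with an MPU and MCUboot as the bootloader; the signing-key path is a placeholder.

```kconfig
# prj.conf fragment constructed for this article, not taken from the Zephyr
# project. It assumes an ARM Cortex-M board with an MPU and MCUboot as the
# bootloader; option names are those of recent Zephyr releases, so confirm
# them for your version with `west build -t menuconfig`.

# --- Secure boot / root of trust ---
# Build an MCUboot-bootable image so the bootloader verifies the signature
# before jumping to the application. MCUboot's bundled development key is for
# demos only; point the build at a production key kept outside the tree.
CONFIG_BOOTLOADER_MCUBOOT=y
CONFIG_MCUBOOT_SIGNATURE_KEY_FILE="/path/to/product-signing-key.pem"

# --- Memory protection ---
# Weak (the default): every thread runs in supervisor mode and can write any RAM.
# CONFIG_USERSPACE is not set
# Hardened: user-mode threads see only their own stack plus the partitions of
# their memory domain, and an MPU guard region below each stack makes an
# overflow trap immediately instead of silently corrupting a neighbour.
CONFIG_USERSPACE=y
CONFIG_HW_STACK_PROTECTION=y
# Compiler-inserted canaries catch overruns of local buffers inside a frame,
# which the stack guard alone does not see.
CONFIG_STACK_CANARIES=y
# Cores without an MPU fall back to a sentinel word at the bottom of each
# stack, checked on context switch and interrupt exit rather than at the
# moment of overflow; it cannot be combined with CONFIG_USERSPACE.
# CONFIG_STACK_SENTINEL=y

# --- Secure communication ---
CONFIG_NETWORKING=y
CONFIG_NET_SOCKETS=y
CONFIG_MBEDTLS=y
# PSA Crypto API on top of mbedTLS, as described above.
CONFIG_MBEDTLS_PSA_CRYPTO_C=y
# TLS on the socket API, plus DTLS for UDP-based protocols such as CoAP.
CONFIG_NET_SOCKETS_SOCKOPT_TLS=y
CONFIG_NET_SOCKETS_ENABLE_DTLS=y
# Weak: the test generator is deterministic, so session keys derived from it
# are predictable. Hardened: seed the kernel RNG from the SoC entropy driver.
# CONFIG_TEST_RANDOM_GENERATOR=y
CONFIG_ENTROPY_GENERATOR=y
```

Enabling CONFIG_USERSPACE only makes user mode available; a thread still has to be created with the K_USER option and added to a memory domain with k_mem_domain_add_thread() before the isolation described above applies to it.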
Quality assurance
Zephyr takes great care with quality assurance for the project. By building an automated quality assurance process into its development, including mandatory code reviews, static code analysis, and feature/issue management, as well as following well-defined secure development practices, Zephyr makes sure the OS can be used to develop more secure software and address security compliance requirements.
Be it through the secure development practices used in Zephyr itself, or by offering features such as secure boot, memory protection, over-the-air updates, secure communication, and more, Zephyr allows developers to create more secure and robust applications and align them with strict regulations such as NIS and CRA. Being open-source and following regulatory-driven best development practices means that security is a foundational element of Zephyr, which can help create resilient, privacy-conscious, and future-proof IoT solutions ready to satisfy government requirements.
How Concept Reply can help you
We at Concept Reply regularly help our customers leverage state-of-the-art tools and frameworks, as well as best development practices, to implement needed security features and create robust and reliable software that is future-proof, protects user data, and reduces the risk of costly incidents.