Azure Sphere for Internet of Things
Well Rounded
Certified Hardware
The first important building block is an MCU that is certified for Azure Sphere. Microsoft does not manufacture this kind of hardware but works with third-party suppliers that manufacture devices to spec. Several compatible devices from various manufacturers can be found on the market [3]. The core of all devices is the MT3620 processor by MediaTek with an ARM32 processor architecture and a total of five cores (Figure 1).
One of these cores is Microsoft's Pluton security chip, which is basically comparable to a Trusted Platform Module (TPM), although it offers significantly more functionality. Pluton acts as a hardware root of trust and random number generator, securing the MCU with Secure Boot and implementing encryption functions. The chip makes sure a device does not execute unsigned code, and the integrity of each device is maintained with remote attestation in collaboration with the Azure Sphere cloud service. Each MCU is uniquely identifiable worldwide for this purpose.
The MCU also has an ARM Cortex-A core, which is designed for particularly low power consumption, and two ARM Cortex-M cores. The latter are optimized for real-time control functions. The MCU has a variety of interfaces and devices for interaction with sensors, actuators, and other peripherals. Each peripheral port (Table 1) can be assigned exclusively to one of these cores, and code executing on that core cannot access the other cores. Finally, a separate core implements the WLAN subsystem. The MCU is dual-band and compliant with the 802.11a/b/g/n standards. The MT3620 isolates the security functions and the WLAN from end-user code.
Table 1: MCU Interfaces
Interface | Function |
---|---|
GPIO (general-purpose input/output) | An interface for bidirectional transmission of digital signals, whose function is completely definable in software. One pin each maps the values 0 and 1 in the simplest case – for example, to switch on an LED (output) or to query the position of a switch (input). |
PWM (pulse width modulation) | Generates variable analog signals (e.g., suitable for controlling motors or the brightness of LEDs). |
TDM (time-division multiplexing) | A digital interface for transmitting multiple data streams in a single signal. |
I2S (inter-integrated sound) | A digital serial bus for transmitting audio signals. |
UART (universal asynchronous receiver/transmitter) | A bidirectional serial interface for communicating with connected devices (e.g., for a classic terminal connection with a PC connected by USB for debugging purposes). Some sensors communicate over UART. |
I2C (inter-integrated circuit) | A bidirectional serial communication similar to UART typically used for modules and sensors. |
SPI (serial peripheral interface) | Bidirectional serial communication; faster than UART and I2C. |
ADC (analog-to-digital converter) | Converts analog signals into digital signals (e.g., for sensors that measure temperature, humidity, or electrical voltage). |
Linux and Local Apps
Certified MCUs come with the Azure Sphere operating system out of the box. It is a Microsoft-customized and open source Linux system with a hardened kernel specifically optimized for IoT applications. The operating system is reduced to the bare essentials and has neither a shell nor a package manager.
You can either feed application code in the form of a compiled image into a local device by USB or deliver your images through the cloud with the Azure Sphere Security Service (firmware over the air, FOTA). The cloud route is the approach of choice for larger numbers of devices, especially because endpoints in production are often geographically distributed and permanently installed in systems, and therefore no longer physically accessible. Transferring images directly by USB is also known as side-loading, but this method only works if the respective device is registered with the cloud service.
Microsoft distinguishes between high-level apps that run on the A-core of the MCU and low-level apps that use the M-cores [4]. A high-level app runs in the user context and can only use defined libraries and API functions. It mediates certificate-based, authenticated connections between devices and the cloud, interacts with interfaces such as GPIO or UART, and communicates with low-level apps that access the hardware directly or by an additional real-time operating system (RTOS). Each low-level app runs in complete isolation and cannot interact with the outside world directly, but only with a high-level app.
Cloud Service Updates
The Azure Sphere Security Service takes care of remote attestation, ensuring that the MCU is genuine and tamper-free with a bona fide and up-to-date operating system. The cloud service uses authentication with client certificates to secure device-to-device and device-to-cloud communication. Devices only need to contact the cloud service for updates of the operating system and application images. Apart from that, the devices also work in offline mode.
The operating system and cloud service are included in the purchase price of the MCU. With each controller, you get 10 years of support and updates for the operating system and the right to use the cloud service for the same amount of time. Beyond that, you won't incur any additional costs – unless you use Microsoft's in-house Azure IoT services in conjunction with Azure Sphere devices, for which Microsoft will bill you separately. However, Azure IoT Central and the Azure IoT Hub [5] are optional. Although the Azure Sphere Security Service runs within the Azure Cloud, you can integrate your Azure Sphere devices with any service in a public or private cloud for control tasks and further processing of data, such as sending data by MQTT to a broker on your local network.