How to Establish a Secure Hardware Foundation for Long-Term CRA Compliance

The European Union (EU) Cyber Resilience Act (CRA) has fundamentally shifted cybersecurity from an afterthought to a core architectural concern for products containing digital elements. With full regulatory enforcement beginning in 2027, developers must be aware of their responsibilities under this legislation. They can then select the appropriate processing hardware to fulfill these responsibilities throughout an embedded product’s lifecycle. The right hardware will enable a secure-by-design architecture that supports continuous vulnerability management, for example, through over-the-air (OTA) updates.

This article provides a brief overview of CRA requirements and explores secure enclave technology as a basis for isolating sensitive data and managing a hardware root of trust (RoT) to ensure device integrity. It then introduces microcontroller units (MCUs) and application processors from NXP Semiconductors that can serve as a foundation for a CRA-aligned solution and demonstrates a practical implementation.

Cybersecurity obligations are changing

Under the CRA, the manufacturer carries full legal responsibility for ensuring compliance. In summary, the CRA requires that manufacturers:

• Protect devices against tampering and ensure software integrity from first boot
• Provide a support period of at least five years, or the expected lifetime of the product if shorter, with continuous vulnerability management and regular security updates
• Retain update availability and up-to-date technical documentation for 10 years, or for the duration of a longer support period
• Provide a specified end-of-support date for products upon market release
• Report actively exploited security vulnerabilities to the national Computer Security Incident Response Team (CSIRT) and the European Union Agency for Cybersecurity (ENISA) within 24 hours, with detailed reporting within 72 hours and a final report within 14 days
• Provide third-party certification for specialized products under the CRA’s “Important” (Class I and II) and “Critical” designations
• Sign a formal declaration of conformity (DoC) that allows manufacturers to use the Conformité Européenne (CE) mark for EU market access

At the heart of the CRA’s mandatory practices is a commitment to ensure and maintain device integrity, starting with establishing a secure hardware foundation for every product. While the CRA does not define a specific framework, secure enclave technology provides designers with a reliable way to manage this mandatory commitment.

How secure enclave technology supports firmware authentication

Usually contained within a larger system-on-chip (SoC), a secure enclave (Figure 1) is a secure hardware subsystem that generates, stores, and manages software verification assets (such as encryption keys) and provides a hardware RoT for the system. By isolating these resources from the rest of the device, developers can protect against unauthorized access. The entire system can then be protected against unauthorized software using a secure boot process.

Figure 1: A secure enclave establishes a hardware RoT against which each stage of the boot process can be verified as authentic, ensuring system integrity. (Image source: Brandon Lewis)

Startup commences within the secure enclave, where the RoT validates signatures at each stage of the secure firmware boot up, verifying that the secure subsystem has not been compromised. If there is a mismatch, the boot process stops, as the RoT cannot validate the integrity of the boot sequence. This is the first stage in protecting the main system against tampering.

At each subsequent boot stage, the secure enclave then verifies signatures using public keys anchored in the hardware RoT. Verification ensures that only authentic, manufacturer-signed code executes. Thus, if verification fails at any stage, the main system will either abort startup or run with limited functionality, thereby isolating potential threats.

Since long-term CRA compliance also requires regular updates throughout a product’s lifecycle, secure boot is essential for verifying that each patch is genuine. This is especially true for OTA updates, where installations are often automatic. A secure enclave provides a foundational element in the secure boot chain of trust. Thus, developers benefit from sophisticated hardware components that contain this subsystem.

A high-performance MCU that supports security by design

When building CRA-aligned products, the MCX N series MCUs (Figure 2) from NXP provide a dedicated, secure subsystem alongside a dual Arm® Cortex®-M33 architecture with an integrated neural processing unit (NPU) for edge AI processing. Low-power operation down to 57 microamperes per megahertz (µA/MHz) enables long operating life in battery-powered designs, with additional power-down modes that reduce current draw to as low as 2 µA.

The NXP EdgeLock secure subsystem functions as a secure enclave. In addition to glitch and tamper-detect modules to prevent hardware exploits, the EdgeLock subsystem features several measures to maintain software integrity, including:

• A debug authenticator to prevent unauthorized access
• Public key cryptography (PKC), with AES-256 and ECC-256 modules for encryption, SHA-512 for cryptographic hashing, and a PRINCE module for low-latency block ciphering
• An SRAM-based physical unclonable function (PUF) for generating a device unique identifier and deriving keys to support an immutable hardware RoT

Figure 2: In addition to the CRA-aligned EdgeLock secure subsystem, the NXP MCX N94x MCUs feature a wide range of interfaces to suit many diverse applications. (Image source: NXP)

For additional protection, the MCX N94x MCUs feature Arm TrustZone for secure execution environments and a real-time clock (RTC) with anti-tamper pins to protect time-based security mechanisms. Secure direct memory access (DMA) controllers, a memory protection unit (MPU), and error correction code (ECC) RAM are also present to prevent memory exploits. The MCX N94x MCUs offer two variants that allow developers to scale memory requirements for a given application: the MCXN946VDFT integrates 1 megabyte (Mbyte) of flash and 352 kilobytes (Kbytes) of SRAM in a 184-pin VFBGA package, while the MCXN947VDFT has 2 Mbytes of flash and 512 Kbytes of SRAM in a 172-pin HDQFP package.

In addition to security and memory features, the MCX N94x MCUs offer digital and analog I/O, human-machine interfaces (HMIs), and motor control subsystems. Combined with an operating temperature range of -40°C to +125°C, these features enable a variety of CRA-compliant product designs, including industrial automation equipment, smart appliances, power tools, and medical devices.

When developing applications with the MCX N94x MCUs, the FRDM-MCXN947 evaluation board (Figure 3) provides an effective starting point. It features ample connectivity options, including Ethernet and USB Type-C ports and expansion headers, enabling fast application development with familiar tools. NXP also provides resources such as its Expansion Board Hub and Application Code Hub to support teams in selecting compatible hardware and programming with MCUXpresso.

Figure 3: The FRDM-MCXN947 evaluation board enables rapid prototyping of CRA-compliant systems. (Image source: NXP)

NXP EdgeLock for embedded Linux applications

NXP also includes an EdgeLock secure enclave on its i.MX 93 series (Figure 4) power-efficient applications processors. These offer a similar range of high-performance peripherals to the MCX N94x MCUs while combining a single Cortex-M33 core with two Linux-capable Arm Cortex-A55 application cores.

Figure 4: i.MX 93 applications processors combine EdgeLock with a Cortex-M33 and two Cortex-A55 cores to provide a secure foundation for embedded Linux systems. (Image source: NXP Semiconductors)

Like the MCX N94x MCUs, the i.MX 93 applications processors’ EdgeLock secure enclave includes tamper detection and cryptographic modules. However, a dedicated secure clock (included to prevent time-based exploits) and eFuse key storage also serve the hardware RoT. Again, wider system memory is protected by ECC RAM and an MPU within the real-time subsystem. Both the Cortex-A and Cortex-M cores feature Arm TrustZone for secure software partitioning, supported further by a trusted resource domain controller (TRDC).

In addition to producing i.MX 93 devices for commercial, automotive, and industrial temperature ranges, NXP also offers scalable compute options for a wide range of applications. For example, the MIMX9351DVVXMAB features a single Cortex-A55 core running up to 1.7 gigahertz (GHz) and an NPU to support high-performance edge AI applications such as smart home hubs. In contrast, the MIMX9302DVVXDAB offers two Cortex-A55 cores running up to 900 MHz and omits the optional NPU, making it a general-purpose computing solution suitable for digital information kiosks and multi-camera security systems. Other permutations of these resources are available.

To accelerate development with i.MX 93 applications processors, the MCIMX93-QSB evaluation board (Figure 5) features several physical connectors for programming, networking, and system expansion. These include Ethernet and USB Type-C ports, expansion headers, and an M.2 Key-E slot. The board is supported by i.MX software and development tools.

Figure 5: The MCIMX93-QSB evaluation board and supporting software accelerate i.MX 93 application development. (Image source: NXP Semiconductors)

To further strengthen device security in line with the CRA’s support period commitments, NXP’s EdgeLock 2GO cloud service offers developers secure OTA updates, code signing, and certificate and key management throughout a device’s lifecycle. By natively integrating into EdgeLock-secured devices, it completes the foundation for a comprehensive security strategy that supports long-term CRA compliance.

Conclusion

The EU’s CRA will shape digital product development for years, but developers need to understand it now to meet the deadline. When designing CRA-aligned products, devices such as NXP’s MCX N94x MCUs and i.MX 93 applications processors, provide a robust hardware security foundation via EdgeLock secure enclave and additional hardware security measures. With EdgeLock 2GO, development teams can further strengthen their commitment to long-term CRA compliance and secure-by-design products in this evolving regulatory landscape.