The design of WSIoTSDK follows a layered approach, comprising five layers, from top to bottom:
- DID Communication messaging
- Identity and credential
- Cryptographic service
- Cryptographic primitive
- Root of trust
Each layer consists of multiple components in the WSIoTSDK, enabling developers to customize the SDK flexibly to meet hardware constraints and application requirements.
In particular, the Cryptographic Service and Cryptographic Primitive layers can be split into five different components, shown in the image. Each component contains a number of sub-components.
These sub-components implement services such as key management, secure storage, audit logging, etc.
These sub-components contain cryptography libraries suitable for various embedded devices.
This sub-layer provides the PSA abstraction and API-level support.
This sub-layer provides hardware abstraction for various embedded platforms.
These sub-components, highlighted in the pink rectangle below) provide functionalities for configuration, compilation and testing of the entire SDK.
Cryptographic service & Criptographic primitive layers
In practice, developers can customize WSIoTSDK to meet their requirements by selecting proper sub-components from all available components. Note that sub-components in the image above are grouped by color and those within the same color group could be used as a specific customization of WSIoTSDK.
Here we provide some customization examples:
IoTeX Firmware + MbedTLS + Hardware Acceleration
This combination is suitable for embedded platforms that do not support TrustZone®, e.g., Raspberry Pi. In this mode, users can use the complete PSA APIs to implement cryptographic operations.
TF-M + MbedTLS + Hardware CryptoLib
This combination is suitable for Cortex-M series MCUs with TrustZone® support (e.g., Cortex-M23/M33/M55).
IoTeX Firmware + TinyCrypt
This combination is suitable for embedded platforms with highly constrained hardware resources (e.g., low-end Arduino boards). In this case, users need to customize WSIoTSDK for addressing specific hardware resource challenges.
WSIoTSDK has been designed to be modular and easily expandable through the use of different cryptographic libraries. To facilitate this, the cryptographic functions used in the SDK have been encapsulated in a cryptographic module. All interaction with the cryptographic module should be done via the industry standardised PSA API. This allows for decoupling the crypto backend and the rest of the components of the SDK.
Sub-components in the PSA abstraction layer (PSA_AL) are shown in the image below:
Currently, the only supported cryptographic library by the SDK is MbedTLS 3.2.1. However, other libraries are planned to be supported in the near future, such as TinyCrypt.
In the case of TinyCrypt, the library will need to be integrated with the SDK through a PSA abstraction layer. IoTeX will provide this PSA abstraction layer. Theoretically, any other cryptographic library could be integrated with WSIoTSDK, as long as a PSA abstraction layer is provided for it.
Contributions from third party to port other libraries to WSIoTSDK are also highly appreciated.