
Requirements for embedded production devices

Hardware and software requirements for Pelion Device Management Client/Lite production devices.

Tip: If you are still in development, you can see Pelion Device Management-compatible devices on our Boards page.

Reference numbers are from Mbed OS, but they are typically the same for all embedded systems.

| Capability | Device Management Client | Client Lite | Comments |
| --- | --- | --- | --- |
| CPU | Performance as in Cortex-M3 or better. *1 | Performance as in Cortex-M3 or better. *1 | No specific CPU architecture requirements. CPU performance impacts (D)TLS handshake duration. |
| RAM - with eXecute in Place | 56KiB minimum config; 107KiB maximum config | 7KiB static; 26KiB dynamic | Consumption depends a lot on network stack and configurations. Dynamic number includes client, OS, TLS and networking stack. Verify your assumptions with your application and board combination. |
| Flash | 112KiB (minimal) | 63KiB | Excluding firmware download area. See Embedded system RAM and flash consumption for more details. Verify your assumptions with your application and board combination. |
| Networking | IP based networking. | IP based networking. | Ethernet, Wi-Fi or similar. For non-IP based connectivity, see Device Management Edge and its protocol translator capability. |
| Root-of-Trust (RoT) | Recommended. | Recommended. | Secure memory for hardware root of trust. On-die flash as minimum. See note *2. |
| True Random Number Generator (TRNG) | Recommended. | Recommended. | See note *3. |
| Clock | Optional. | Optional. | Choose one: a Real Time Clock; some low-frequency crystal (for sleepy devices); or a software clock (non-sleeping devices) that provides the device proper time. This is needed to handle any certificate validity time attacks. |
| Secure boot module | Optional. | Optional. | The secure boot module checks the integrity and authenticity of the firmware at boot time to protect the device from reflash attacks. |

Notes:

*1 Device Management Client (or Lite) does not require any specific Arm CPU. All of the code is C/C++. As long as there is a working C and C++ toolchain, any CPU will do. Porting has been done to multiple Arm, Intel x86, Intel x64 and MIPS architectures.

*2 Device identity and keys stored on the device need to be protected for their integrity and confidentiality. Some of these must be immutable.

The recommended practice is to use a local root of trust, stored on die, which protects information stored on an external flash. The local root of trust is stored on die in one-time-programmable bits or internal flash, with access control and optional write protection. This protects the device from physical access attacks (such as reflash attacks) and from exploitation of software vulnerabilities to extract the keys and remotely take over the device.

*3 For secure communication and secure device identity, a Random Number Generator needs to be seeded with cryptographically strong entropy. The recommended way to provide such a seed is a hardware TRNG. Alternatively, if your platform has no TRNG, we offer a software-based DRBG that relies on entropy or key injection during device production. The NUCLEO-F411RE board is an example of this.
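
The software-DRBG alternative in note *3, as an added example (not Pelion's or Mbed OS's own code): a minimal HMAC_DRBG after NIST SP 800-90A, showing that everything the generator outputs is determined by the injected seed, plus a factory-side check for seeds given to more than one device. The choice of HMAC_DRBG, the names HmacDrbg, first_key and duplicate_seed_groups, and the sample device IDs and seeds are assumptions made for illustration.

```python
import hashlib
import hmac

def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

class HmacDrbg:
    """HMAC_DRBG (SP 800-90A) with SHA-256; no reseed or prediction resistance."""
    def __init__(self, seed: bytes, personalization: bytes = b""):
        # seed = entropy input || nonce, injected once at production
        if len(seed) < 48:
            raise ValueError("need 256-bit entropy plus 128-bit nonce")
        self._k = b"\x00" * 32
        self._v = b"\x01" * 32
        self._update(seed + personalization)

    def _update(self, data: bytes = b"") -> None:
        self._k = _mac(self._k, self._v + b"\x00" + data)
        self._v = _mac(self._k, self._v)
        if data:
            self._k = _mac(self._k, self._v + b"\x01" + data)
            self._v = _mac(self._k, self._v)

    def generate(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            self._v = _mac(self._k, self._v)
            out += self._v
        self._update()  # advance state so earlier output cannot be recomputed
        return out[:n]

def first_key(seed: bytes, device_id: bytes = b"") -> bytes:
    """First 32 bytes a freshly provisioned device draws (e.g. key material)."""
    return HmacDrbg(seed, device_id).generate(32)

def duplicate_seed_groups(injected: dict) -> list:
    """Factory-side check: groups of device IDs that received the same seed."""
    by_seed = {}
    for device_id, seed in injected.items():
        by_seed.setdefault(hashlib.sha256(seed).digest(), []).append(device_id)
    return [sorted(ids) for ids in by_seed.values() if len(ids) > 1]

# Constructed sample: a provisioning record where two devices share one seed.
SAMPLE_INJECTION = {
    "dev-001": bytes(range(48)),
    "dev-002": bytes(range(48)),
    "dev-003": bytes(range(48, 96)),
}
```

A device ID passed as personalization separates the output streams of two devices, but it adds no secrecy: the injected seed itself has to be unique per device and come from a strong entropy source on the production line.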