The Qualcomm Snapdragon 855’s Secure Processing Unit receives EAL4+ certification
When Qualcomm announced the Snapdragon 845 back in December of 2017, the company touted the SoC’s new Secure Processing Unit (SPU). The SPU is an on-die secure element to protect biometric profiles, payment information, and SIM data. Qualcomm’s latest flagship SoC, the Snapdragon 855, also has the SPU, but over 6 months later Qualcomm is announcing that the SPU has received EAL4+ certification. That means every device equipped with Qualcomm’s latest chipset, even currently available smartphones like the ASUS ZenFone 6, the OnePlus 7 Pro, the U.S. Samsung Galaxy S10, and the Xiaomi Mi 9, will be capable of new functionality even though they lack discrete security modules.
The Common Criteria and Evaluation Assurance Level
The Common Criteria for Information Technology Security Evaluation, commonly abbreviated as CC, provides the standards for evaluating the security of products. CC’s Evaluation Assurance Level (EAL) is a certification that products can receive to provide a meaningful assurance that those products meet a minimum level of security. A higher EAL means a product has received a higher level of scrutiny and is suitable for more secure transactions. Although the EAL goes up to 7, level 4 is “the highest level at which it is likely to be economically feasible to retrofit to an existing product line,” and it’s also the level that most smart cards and embedded secure elements are certified for. Qualcomm says that, by achieving EAL4+ security certification, the Snapdragon 855 is “the first mobile SoC…to attain smart card levels of security assurance.” The SPU was evaluated by an independent authority: Germany’s Federal Office for Information Security (in German, the Bundesamt für Sicherheit in der Informationstechnik, or BSI).
EAL4+ Certification and the Snapdragon 855
There are two reasons why the Secure Processing Unit achieving EAL4+ certification is important: a reduced Bill of Materials for OEMs and the opportunity for new functionality in the future. In the former case, OEMs purchasing the Snapdragon 855 can save money by not having to integrate a separate secure element, as Google did with the Pixel 3’s Titan M. Since the SPU is now EAL4+ certified, OEMs can rest assured that the SoC is secure enough to be used for sensitive transactions such as storing digital driver’s licenses in Android R. Furthermore, since the SPU is on-die, it’s manufactured with the same TSMC 7nm process technology as the rest of the SoC, giving the SPU a small power efficiency advantage over discrete security modules.
With EAL4+ certification, the Snapdragon 855’s SPU can be used for additional secure transactions down the road. Currently, the SPU is involved in hardware-backed key attestation for the Android StrongBox Keymaster and Gatekeeper subsystem. Introduced in Android 9 Pie, the StrongBox Keymaster implementation allows for secure transactions such as authenticating the administration of insulin through an insulin pump. At Mobile World Congress Shanghai, Qualcomm will demonstrate an integrated SIM (iSIM) in conjunction with digital security company Gemalto. The iSIM will be integrated into the Qualcomm Snapdragon 855 SoC, and it can handle switching between multiple virtual SIM profiles.
In the future, we may see use cases such as “offline payment[s], trusted platform module (TPM) functions, transit, electronic ID, and crypto wallets.” Storing cryptocurrency wallets is a feature we’ve seen on the Samsung Galaxy S10 and HTC’s blockchain phones, but that capability will be possible for more devices thanks to the SPU’s EAL4+ certification. Electronic ID support is something that Google is actively working on for the next version of Android, and the Qualcomm Snapdragon 855’s SPU should meet the requirements of this API to securely store electronic IDs.
I asked Qualcomm about support for the IdentityCredential API, specifically whether the SPU will enable support for the “direct access” mode that will allow users to pull up electronic IDs without fully booting up Android, and received the following statement from a Qualcomm spokesperson:
“We do not currently support this API on SPU in Snapdragon 855, but are looking into supporting it in the future.”
Thus, today’s announcement is just a preview of what’s to come. EAL4+ certification is just assurance that the hardware is secure against a number of potential attacks and vulnerabilities. What OEMs, Google, and developers do with this assurance is up to them. Hopefully, we’ll see this secure hardware get taken advantage of for new use cases that we haven’t yet seen on the market. There are many medical and financial services that could benefit, but it’ll take time for these sectors to get on board.