CodeMeter Embedded: Security Down to the Microcontroller

Is the firmware of sensors, controllers, or drives protected against copying and attacks? CodeMeter Embedded protects intellectual property (IP) and implements licensing seamlessly, all the way down to the microcontroller level. Manufacturers can deploy CodeMeter technology specifically for embedded environments.

The valuable know-how embedded in the firmware of small devices such as controllers, frequency inverters, or sensors is vulnerable to attacks on integrity. This affects both the firmware itself and the licensing models in use. Wibu-Systems extends CodeMeter Embedded to microcontrollers and real-time operating systems (RTOS) to deliver future-proof, crypto-agile solutions. Manufacturers can protect their IP, implement licensing, and benefit from end-to-end compatibility across the CodeMeter ecosystem.

Challenges in Embedded Systems

Firmware in industrial sensors, controllers, or drives contains trade secrets that are exposed to the risk of reverse engineering. Cyberattacks can compromise individual components or, if these are used as entry points, endanger entire machines and industrial plants. While the potential damage in isolated machines may still be manageable, it becomes significantly more severe in critical infrastructure (KRITIS) environments.

Microcontrollers, particularly those running a single application or an RTOS, present challenges for secure protection and licensing due to limited resources such as memory, processing power, and communication interfaces. Integrating a cryptographic library for signatures or encryption may seem simple at first, but it quickly becomes complex when considering the overall environment:

  • Where are keys stored securely?
  • How are keys and key updates delivered to the device?
  • How are licenses provisioned to the device?
  • How are keys and licenses managed centrally?
  • How is data transferred when devices are not networked at all or only via specialized interfaces?

In production facilities or KRITIS environments, devices are often isolated from the public Internet. As a result, online-hosted license management systems and traditional cloud solutions are not viable options. These constraints affect not only microcontroller-based systems, but virtually all embedded platforms used in industrial automation, medical technology, and comparable control and regulation applications.

CodeMeter Embedded on MCUs and RTOS

CodeMeter Embedded is a compact library providing CodeMeter API functions for embedded operating systems such as Linux, VxWorks, or QNX. For many microcontroller platforms, however, even a few hundred kilobytes can be too large, and features such as caching, shared memory, or network access are often unnecessary. This is where CodeMeter’s modularity comes into play: the code can be configured to run even on severely resource-constrained microcontrollers in bare-metal environments or in combination with an RTOS.

The well-known CodeMeter Embedded package is delivered as a source code package, allowing developers to compile it for a wide range of microcontroller platforms. The CodeMeter API remains fully compatible with the entire CodeMeter API ecosystem, enabling familiar function calls to be seamlessly ported to the microcontroller level. Unlike OS-based CodeMeter Embedded deployments, developers must implement application-specific adaptations for MCUs, such as storing licenses in defined flash memory areas, enabling remote updates, or connecting to a CodeMeter ASIC via SPI.

Most importantly for manufacturers, the CodeMeter API and license formats remain the same as those used in PC environments. This creates a licensing system at the microcontroller level that is fully compatible with larger embedded systems, as well as PC and server platforms. CodeMeter License Central can issue licenses consistently for both powerful PC systems and small microcontrollers, keeping production, rollout, and update processes consistent. Software manufacturers and firmware developers select the appropriate CodeMeter Embedded variant from a modular toolkit and integrate it directly into the application to be protected.

Crypto Agility and Post-Quantum Cryptography (PQC)

Asymmetric cryptographic algorithms have not yet been broken by quantum computers. However, such a breakthrough could happen at any time and without warning. Even if it is initially of mostly academic relevance, each decryption attempt would require quantum resources, and those resources will likely be applied where economic incentives are high, such as for copying highly valuable software.

Once the value of the protected data exceeds the cost of a quantum attack on the keys in use, protection strategies must be updated. For this reason, PQC is currently being incorporated into all CodeMeter products, ensuring that fully PQC-capable software is already deployed in the field on day one. The next generation of CodeMeter dongles will support longer PQC keys and modern PQC algorithms such as ML-KEM and ML-DSA. Crypto agility has been built in to allow seamless algorithm transitions using existing hardware and software.

For CodeMeter customers, this means they do not need to develop complex PQC strategies themselves. Instead, they benefit from a platform that has already made the necessary preparations and continues to evolve. Where PQC cannot be deployed directly due to key length or computational constraints, such as on very small microcontrollers, hybrid approaches are used to ensure secure protection and licensing.

Regulatory Requirements and Security Standards

Organizations are subject to strict standards for secure software in systems and components, with each economic region defining its own regulations and compliance frameworks. CodeMeter Embedded and complementary products such as CodeMeter Certificate Vault help software vendors and system integrators meet these requirements efficiently through tamper-proofing, crypto agility, license compliance, and the secure use of certificates.

Key standards include:

  • Worldwide
    • IEC/ISA 62443
  • Europe
  • USA
    • NIST Cybersecurity Framework (CSF 2.0)
    • CISA Cybersecurity Performance Goals (CPGs)
  • China
    • Grading Protection 2.0 (MLPS 2.0)
    • CCoP 2.0 (Cybersecurity Compliance for CII)
    • GB Safety Standards (2026)

CodeMeter addresses core requirements such as risk management, integrity, and secure updates, facilitating certification and enabling standardized security-by-design approaches in embedded systems.

CodeMeter Portfolio at a Glance

CodeMeter Runtime is a service that runs on desktop PCs and high-performance embedded systems, while CodeMeter Embedded is integrated as a software library directly into the application being protected. Both use the same CodeMeter API, the same license format, and store licenses and keys in CmContainers (CmDongles, software-based CmActLicenses, CmCloudContainers). They are fully compatible with CodeMeter License Central and support a wide range of operating systems and hardware platforms, down to the microcontroller level.

CodeMeter Protection Suite complements this approach by embedding high-security IP protection directly within the application. This enables manufacturers to combine licensing, copy protection, and know-how protection within a unified technical and organizational framework.

CodeMeter Embedded lays the foundation for a unified security and licensing concept across all device classes. From desktops to bare-metal MCUs, the same mechanisms for licenses, keys, and cryptography apply, all supported by a crypto-agile architecture. This makes heterogeneous embedded landscapes manageable and allows manufacturers to focus their development resources on core competencies and new services built around their connected devices.

 

KEYnote 51 – Edition Spring/Summer 2026
