RISC-V vs ARM Security: An Honest Comparison

Hardware teams evaluating RISC-V for new designs frequently ask a version of the same question: for applications where security is a first-order requirement, how does RISC-V stack up against ARM? The question is reasonable, and deserves an honest answer rather than a promotional one. We build RISC-V security infrastructure, so we have an obvious stake in the answer. We also have specific technical knowledge about where RISC-V security is strong, where it is still maturing, and what the ecosystem gaps look like today.

The short answer: for most embedded security use cases, a well-chosen RISC-V platform with appropriate security tooling is competitive with or better than ARM equivalents. For applications where ecosystem maturity and the breadth of existing certifications are critical, ARM PSA Certified has a head start that matters in specific procurement contexts. RISC-V's longer-term structural advantages are real, but they require more integration work today than the comparable ARM path.

Here is the detailed breakdown.

Where ARM Has a Lead Today

Ecosystem maturity and toolchain breadth: ARM's PSA Certified program provides a standardized certification path for Cortex-M based security implementations. There are dozens of PSA Certified chips, hundreds of certified products, and a well-developed toolchain from silicon vendors and OS providers. For teams who need to ship a security-certified product on a short timeline and do not have in-house hardware security expertise, PSA Certified on Cortex-M is the lower-friction path today.

TrustZone ecosystem: ARM TrustZone has been deployed in hundreds of millions of devices and has a large ecosystem of TEE software stacks (OP-TEE, TrustRTOS, commercial alternatives). For applications that specifically require an OS-level trusted execution environment with mature software support, TrustZone has advantages that RISC-V WorldGuard and similar mechanisms are still developing toward.

Reference implementations and documentation: ARM's security reference implementations — the PSA reference firmware, the Trusted Firmware-M codebase — are mature and well-documented. RISC-V has equivalent initiatives, but they are newer and have less accumulated implementation history.

Where RISC-V Is Competitive or Better Today

Hardware root of trust quality: OpenTitan, which the zeroRISC platform extends, is arguably the most rigorously designed open-source hardware root of trust available for any architecture. The threat model is comprehensive, the security architecture review history is public, and the implementation has been audited by multiple independent parties. For applications where the root of trust itself needs to be independently verified — rather than trusted based on certification — OpenTitan-derived RISC-V designs have a structural advantage over proprietary ARM implementations.

ISA extensibility for custom security: RISC-V's open, extensible ISA allows custom security extensions that are simply not possible on ARM without departing from the standard ISA. Hardware acceleration for specific cryptographic primitives, custom isolation mechanisms, domain-specific security operations — all can be added to RISC-V cores in ways that compose cleanly with the standard security architecture. This extensibility is particularly valuable for applications with specialized security requirements that standard security architectures do not cleanly address.

Physical memory protection: RISC-V's PMP (Physical Memory Protection) mechanism provides fine-grained hardware memory isolation that is well-specified and consistently implemented across RISC-V cores. Combined with the ePMP extensions, RISC-V PMP provides isolation capabilities that are competitive with ARM's MPU for constrained embedded applications, with the advantage of open specification and consistent behavior across silicon vendors.
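
To make the PMP mechanism concrete, here is an added example (not code from zeroRISC or OpenTitan) that encodes NAPOT regions into pmpaddr values and models the base PMP access decision, so a region layout can be checked in review before it is written to the CSRs. The function names and the sample addresses are hypothetical; the model covers NAPOT entries under base PMP rules only and does not model the ePMP changes to M-mode behavior.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* pmpcfg byte layout (RISC-V privileged spec): R/W/X, A field in bits 4:3, L in bit 7. */
enum { PMP_R = 0x01, PMP_W = 0x02, PMP_X = 0x04, PMP_A_MASK = 0x18, PMP_A_NAPOT = 0x18, PMP_L = 0x80 };

typedef struct { uint8_t cfg; uint64_t addr; } pmp_entry; /* addr holds the pmpaddrN value */

/* Encode a naturally aligned power-of-two region (size >= 8 bytes) as a NAPOT pmpaddr value. */
bool pmp_napot_encode(uint64_t base, uint64_t size, uint64_t *pmpaddr) {
    if (size < 8 || (size & (size - 1)) || (base & (size - 1))) return false;
    *pmpaddr = (base >> 2) | ((size >> 3) - 1);
    return true;
}

/* Recover base and size: t trailing one bits in pmpaddr mean a 2^(t+3)-byte region. */
void pmp_napot_decode(uint64_t pmpaddr, uint64_t *base, uint64_t *size) {
    unsigned t = 0;
    while (t < 60 && ((pmpaddr >> t) & 1)) t++;
    *size = 1ULL << (t + 3);
    *base = (pmpaddr & ~((1ULL << t) - 1)) << 2;
}

/* Decide one access. The lowest-numbered entry matching any byte wins; it must cover every byte. */
bool pmp_check(const pmp_entry *e, size_t n, uint64_t addr, uint64_t len, uint8_t perm, bool m_mode) {
    for (size_t i = 0; i < n; i++) {
        uint64_t base, size;
        if ((e[i].cfg & PMP_A_MASK) != PMP_A_NAPOT) continue; /* this model skips OFF/TOR/NA4 */
        pmp_napot_decode(e[i].addr, &base, &size);
        if (addr >= base + size || addr + len <= base) continue;   /* no byte matches */
        if (addr < base || addr + len > base + size) return false; /* partial match fails */
        if (m_mode && !(e[i].cfg & PMP_L)) return true; /* unlocked entries do not bind M-mode */
        return (e[i].cfg & perm) == perm;
    }
    return m_mode; /* no match: M-mode succeeds, S/U-mode fails */
}

/* Constructed sample layout: locked read/execute boot ROM, then unlocked read/write RAM. */
size_t sample_layout(pmp_entry out[2]) {
    out[0].cfg = PMP_L | PMP_A_NAPOT | PMP_R | PMP_X;
    pmp_napot_encode(0x20000000ULL, 0x10000ULL, &out[0].addr); /* 64 KiB ROM */
    out[1].cfg = PMP_A_NAPOT | PMP_R | PMP_W;
    pmp_napot_encode(0x80000000ULL, 0x4000ULL, &out[1].addr);  /* 16 KiB RAM */
    return 2;
}
```

In this model the locked ROM entry denies writes even from M-mode, while the unlocked RAM entry restricts only S/U-mode accesses.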

Supply chain transparency: For applications where supply-chain security is a primary concern, the ability to audit the full hardware implementation stack is a genuine advantage. RISC-V silicon designs that implement open-source IP blocks — including open-source hardware security modules — can be fully audited in ways that ARM implementations cannot, because ARM's microarchitecture is proprietary. The security implications of this are non-trivial: an adversary with access to the full implementation can look for vulnerabilities, but so can defenders.

Where RISC-V Is Still Closing Gaps

TEE software maturity: RISC-V Trusted Execution Environment software stacks are less mature than OP-TEE for ARM. Keystone and other RISC-V TEE frameworks are research-quality rather than production-quality for most enterprise applications. Teams that need a production TEE with commercial support today have more options on ARM.

Certification pathways: PSA Certified on ARM has a clear, well-understood certification path that enterprise procurement teams recognize. RISC-V security certification pathways are less standardized. RISC-V International is developing security standards, and FIDO Alliance has published relevant specifications, but the certification ecosystem is less mature. For applications where third-party certification is a procurement requirement, this matters.

Provisioning toolchain: The toolchain for manufacturing-time security provisioning on RISC-V is less standardized than on ARM. Contract manufacturers are more familiar with ARM PSA provisioning workflows. RISC-V teams often need to develop more of the provisioning infrastructure in-house, which increases both development time and risk.

The Architectural Verdict

The security comparison between RISC-V and ARM is ultimately a comparison between a more mature ecosystem with proprietary constraints and an emerging ecosystem with architectural openness. For teams who prioritize verifiability, extensibility, and the ability to audit the full hardware security stack, RISC-V has structural advantages that will become increasingly pronounced as the ecosystem matures. For teams who prioritize shortest time-to-market and the broadest possible ecosystem of certified components, ARM has a meaningful head start today.

The decision is not binary. Many production RISC-V designs use ARM-derived security concepts adapted to the RISC-V architecture, and the RISC-V security ecosystem is developing faster than the ARM ecosystem did at a comparable stage of adoption. The RISC-V security gap is real but shrinking, and for new designs with multi-year timelines, the trajectory matters as much as the current state.

Our honest recommendation: if your security requirements can be met by PSA Certified ARM implementations today and time-to-market is a primary constraint, ARM is a reasonable choice for a first-generation product. If your application requires verifiable security architecture, custom cryptographic capabilities, or supply-chain transparency that proprietary silicon cannot provide, RISC-V with appropriate security infrastructure is the better long-term investment.

Evaluating RISC-V for a security-sensitive application? Talk to the zeroRISC team about your specific requirements.