Hardware-Rooted Device Identity for IoT: Integrating Silicon PUFs and DICE in RISC-V Embedded Systems / Sisinni, Silvia; Ferro, Lorenzo; Bravi, Enrico; Navarro-Torrero, Pablo; Camacho-Ruiz, Eros; Martínez-Rodríguez, Macarena Cristina; Brox, Piedad; Lioy, Antonio. - In: IEEE ACCESS. - ISSN 2169-3536. - 14:(2026), pp. 55165-55193. [10.1109/ACCESS.2026.3674839]

Hardware-Rooted Device Identity for IoT: Integrating Silicon PUFs and DICE in RISC-V Embedded Systems

Sisinni, Silvia; Ferro, Lorenzo; Bravi, Enrico; Lioy, Antonio
2026

Abstract

The security of Internet of Things (IoT) and embedded systems critically depends on establishing trustworthy, unclonable device identities from the earliest boot stages. Conventional approaches often rely on externally stored secrets, which remain vulnerable to extraction and cloning, or heavyweight hardware modules, which are unsuitable for constrained platforms. In this work, we present a lightweight Hardware Root of Trust (HRoT) architecture that integrates silicon-based Physically Unclonable Functions (PUFs) with the Device Identifier Composition Engine (DICE) directly into the boot ROM of RISC-V embedded systems. Unlike existing RoTs, our design eliminates the need for persistent key storage by generating manufacturer-unknown identities on demand, and it extends trust across the system through DICE-based layered attestation. We further introduce lifecycle-aware mechanisms for identity provisioning, renewal, and secure zeroization, ensuring long-term device trustworthiness. The proposed architecture is implemented and evaluated on the open-source SPIRS RISC-V platform, embedding hardware accelerators for cryptography and PUF-bound secrets. Experimental results demonstrate strong resistance against physical and software attacks, compliance with IEC 62443 SL2+ requirements, robust lifecycle support, and negligible performance overhead (<1% increase in boot time). By bridging unclonable hardware identities with standardized attestation, this work establishes a scalable and interoperable foundation for secure authentication and continuous trust in IoT and embedded devices.
Files in this item:
Hardware-Rooted_Device_Identity_for_IoT_Integrating_Silicon_PUFs_and_DICE_in_RISC-V_Embedded_Systems.pdf

open access

Type: 2a Post-print publisher's version / Version of Record
License: Creative Commons
Size: 2.82 MB
Format: Adobe PDF
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11583/3008498