Secure Provisioning of TrustFLEX

This document explains the steps involved in the secret exchange, certificate signing, and creation of a support case to track the status of the secure provisioning of TrustFLEX.

If this document is being followed, then the following steps must have been completed:

  • Defined the application and the Use Case with the Trust Platform Design Suite and be ready to order pre-provisioned secure elements from Microchip with “production-based crypto keys”
  • Created an XML configuration file for ATECC608A-TFLXTLS
  • myMicrochip account has been set up

This document covers the steps needed for Microchip to provision the TrustFLEX devices for your specifications.

myMicrochip Account Creation

  • If the account already exists, then skip this step.
  • Create the myMicrochip account on the New Registration page.
  • Enter the details and complete the registration.
  • There will be an email-confirming link sent to the email used for the registration.

Support Case Creation

  • Once the account is created, the next step is to create a support case
  • Visit the Microchip Case Console. Log in with the email address used to create the myMicrochip account.

Note: The URL can also be visited in the later stage to check the support case status.

provisioning1.png
  • Click on the My Cases tab and select the New Case option present on the top right corner of the page.
provisioning2.png
  • Now select Value Added Services and click Next.
provisioning3.png
  • Enter the following information then click Next:
    • Subject: Enter your company details
    • Target Device: ATECC608A-TFLXTLS
    • Category: Provisioning Services
    • Sub-Category: TrustFlex
trust_flex_info.png
  • In the Ticket Description, enter the following details:
    • Program Name: This will be a short name that will help in differentiating the specific TrustFLEX configuration from several other TrustFLEX configurations present.
    • Version Number: This will be a short number that will help to differentiate different configurations under the same program name.
    • Comments: This is a short description that will be displayed on the E-Commerce portal, that will help describe more about the program.
    • MicrochipDirect Email Address: Please provide the email address that was used to register at www.microchipdirect.com. This email address will be used to authorize the purchase of the product that contains the configuration/secrets that will be provided in this ticket portal.

Note: Please ensure that you provide the correct email address(es), as this will be the only account that will be authorized to purchase a product with the shared secret.

provisioning4.png
  • The Design Stage and Urgency are entered by default. They can be changed as required. Enter any other required information in the Application Details option and click on Submit.
provisioning5.png
  • Once submitted, if there are any files to be uploaded it can be done now. Click Done.
provisioning7.png
  • Check the case home page after the case is created.
provisioning8.png
  • Questions and comments can be added by clicking on the Add Comment option.

Secret Exchange

  • To begin with the Secret Exchange, you will have to enter your final production-based crypto keys in the TrustFlex Configurator Tool that is available in the Trust Platform Design Suite.
  • If the custom PKI certificate option is selected, the tool will require you to enter MAN ID (Manufacturing ID).
    • You will receive this ID information in the support ticket from Microchip.
  • Once all crypto keys and details are entered in the TrustFlex Configurator tool, you can click on Generate TFLXTLS Provisioning Package and this will download the XML file along with a few source files that are meant to be integrated into the embedded firmware project.

Note: The XML file at this stage contains secrets that are still not encrypted, and so special handling of the file is required at this stage.

  • Microchip will send RSA encryption keys (typically three different keys) via a support ticket portal, which are the public keys for the production Hardware Security Module (HSM).
  • This key should be used along with the XML file in an encryption utility MicrochipEncryptionUtility.exe that is available in the Trust Platform Design Suite.
  • In the utility, click Device and select ATECC608A. Click on Load RSA Public Key and select the public key file that is sent in the support ticket by Microchip.
rsa_pub_key.png
  • Select Load Device Configuration File and browse to the file that is generated by the TrustFlex configurator tool. This will encrypt the file and a new ATECC608A-TFLXxx_SITE.enc.xml file will be generated and stored.
  • The secrets that are entered in the XML file, once encrypted can only be decrypted by our HSMs in a protected area and the keys are never exposed.

Note: The unencrypted XML file having the secrets must be stored in a safe and secure location. Microchip does not take responsibility for the un-encrypted XML file.

Note: Make sure that while uploading the file, it must be encrypted with the RSA keys provided by Microchip that will be shared in the system. Uploading an unencrypted file leads to the probability of exposing your sensitive data.

Signature Exchange

  • Along with secret exchange, the signature exchange must also be implemented if the Custom Certificate option is selected in the TrustFlex configurator.

Note: This step is required if you select a Custom Certificate option in the TFLX configurator.

provisioning13.png
  • This requires a Certificate Authority to be established for the product eco-system. This can be:
    • A root certificate authority (with a self-sign certificate)
    • An intermediate certificate authority that chains back to the root
  • This certificate authority will be used to sign the Microchip production signers, which will sign the device certificates.
  • If your root certificate is established, careful security provisions must be observed. Protection of the root private key is of utmost importance, as it forms the backbone of the entire authentication process.

Note: Microchip is not responsible for setting up the root certificate and root private key protection.

  • Microchip generates the signer certificates for our production signers to be used for the provisioning of the devices and the Certificate Signing Requests will be sent in the support case.
  • Once the signer certificates are signed by the root signer, they are locked and cannot be modified. These signed certificates will be sent back to Microchip.

Placing order with Provisioned keys:

  • Once Microchip receives the encrypted configuration file (along with signed certificates if the Custom Certificate option is selected), the Microchip support team will respond on the case to notify you to proceed with ordering verification samples and the production units.
  • Login to the microchipdirect.com account (with the email address provided in the case that is associated with the configuration file) and there will be a screen as shown below.
  • You will be able to order 20 (default qty) verification samples that will be shipped. If more than 20 samples are needed, you must specify that in the ticket at the time of exchanging the configuration files.
provisioning15.png
  • If you log into a MicrochipDirect account with an unregistered email account (login email address not sent in the ticket support portal where the secret exchange steps are handled), you will not be able to see the specific configuration but instead will see a page similar to this:
provisioning16.png
  • For a registered account, by clicking on the Place verification order button, the verification parts can be ordered so that you can verify if the parts work for your application and have been provisioned correctly with the shared secrets.
  • Once the parts are tested and they are successfully working with the application, then log back into MicrochipDirect and click on Approve or Reject the verification samples.
    • If Approved is selected, then there will be a screen as shown below where the production orders can be placed.

Note: For the TrustFLEX devices the minimum order quantity (MoQ) is 2000 units. Each order can contain any number of units above 2000. There will be an MoQ limit for every order.

provisioning10.png
  • Once the parts are ordered and are shipped by Microchip, log back into MicrochipDirect and click on the Order History tab to find the option to Download Manifest for the shipped parts.
  • Manifest file format details can be found in the Trust Platform Design Suite.
provisioning17.png
© 2019 Microchip Technology, Inc.
Notice: ARM and Cortex are the registered trademarks of ARM Limited in the EU and other countries.
Information contained on this site regarding device applications and the like is provided only for your convenience and may be superseded by updates. It is your responsibility to ensure that your application meets with your specifications. MICROCHIP MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WHETHER EXPRESS OR IMPLIED, WRITTEN OR ORAL, STATUTORY OR OTHERWISE, RELATED TO THE INFORMATION, INCLUDING BUT NOT LIMITED TO ITS CONDITION, QUALITY, PERFORMANCE, MERCHANTABILITY OR FITNESS FOR PURPOSE. Microchip disclaims all liability arising from this information and its use. Use of Microchip devices in life support and/or safety applications is entirely at the buyer's risk, and the buyer agrees to defend, indemnify and hold harmless Microchip from any and all damages, claims, suits, or expenses resulting from such use. No licenses are conveyed, implicitly or otherwise, under any Microchip intellectual property rights.