ECC608 TFLXWPC SECURE PROVISIONING PROCESS

Microchip offers Secure Provisioning Services for its security solutions before shipment. To use this service, a secure exchange process is required between customers and Microchip Hardware Secure Modules (HSM). The process starts with requesting a unique custom Part Number, a manufacturing ID (MAN-ID), and the HSM encryption keys (unique per project) through the Microchip Technical Support Portal. Refer to the Secure Provisioning Guide for detailed steps of the secure sub-system configuration and secure exchange process.

Select Use Cases:

ECC608-TFLXWPC XML Generator

Choose TrustFLEX device interface:



WPC Customer data (For prototyping these fields can be left blank):

  1. PTMC Code: Provide your PTMC code registered through the Wireless Power Consortium (WPC).
  2. Company Qi ID: Provide your Qi ID registered through WPC.
  3. Manufacturer CA Sequence ID: Provide your requested Manufacturer CA Sequence ID. The default value for this field is 01.



Slot Number | Slot Use-case | Description | Slot Property
Slot 0 | WPC Slot0 Authentication | WPC Slot0 Primary ECC Authentication Key | Permanent, Ext Sign, Not Readable, Optional Secure Boot Enable
Slot Description:
This is the primary ECC key used for WPC Device authentication using Slot0. This key is permanent and cannot be changed. It also prevents Denial-Of-Service attacks where the key is changed, either intentionally or by accident.

Provisioning:
The private key is generated and locked; no further modifications can be made to the slot.

Slot 1 | WPC Slot1 Authentication | WPC Slot1 Primary ECC Authentication Key | Permanent, Ext Sign, Not Readable, Optional Secure Boot Enable
Slot Description:
This is the primary ECC key used for WPC Device authentication using Slot1. This key is permanent and cannot be changed. It also prevents Denial-Of-Service attacks where the key is changed, either intentionally or by accident.

Provisioning:
The private key is generated and locked; no further modifications can be made to the slot.

Slot 2 | TLS Authentication | Primary TLS ECC Authentication Key | Permanent, Ext Sign, ECDH, Not Readable, Optional Secure Boot Enable
Slot Description:
This is the primary ECC key used for IoT connectivity. This key is permanent and cannot be changed. It also prevents Denial-Of-Service attacks where the key is changed, either intentionally or by accident.

Provisioning:
The private key is generated and locked; no further modifications can be made to the slot.

Slot 3 | WPC Slot0 Authentication | WPC Slot0 Certificate Chain Digest | Permanent or Writable with Slot Lockable, Clear Read
Slot Description:
This is a WPC Digest Slot. As an alternative to doing a full authentication using certificates, the WPC authentication specification allows for a rapid authentication by simply comparing the digest associated with WPC Slot0 if defined.

Provisioning:
The slot is provisioned by Microchip with WPC Slot0 Certificate chain digest. Slot data is not user modifiable

Disable slot write: If the checkbox is checked, the contents of the slot cannot be modified under any circumstances.

Slot 4 | WPC Slot0 Authentication | WPC Slot0 Extra Information | No Write, Clear Read
Slot Description:
This is a WPC Slot0 Information slot. This slot contains WPC Slot0 certificates additional information.

Provisioning:
The slot is provisioned by Microchip with WPC Slot0 Certificate chain digest. Slot data is not user modifiable

Slot 5 | WPC Slot0 Authentication | WPC Slot0 Extra Information | No Write, Clear Read
Slot Description:
This is a WPC Slot0 Information slot. This slot contains WPC Slot0 certificates additional information.

Provisioning:
The slot is provisioned by Microchip with WPC Slot0 Certificate chain digest. Slot data is not user modifiable

Slot 6 | IO protection key | Key used to protect the I2C bus communication (IO) of certain commands. Requires setup before use. | Clear write, Lockable, No Read
Slot Description:
Using the IO protection features is optional, but the IO protection key is saved here. The idea is that on first boot, a random key is generated and saved to this slot and to the MCU's NVM, and the slot is then locked. Locking may not be necessary if key rotation is needed for this key, but leaving the slot unlocked opens the device to a DoS attack where the key is changed unexpectedly.

Provisioning:
The data entered in the below step will be stored into the device slot during provisioning.
Data input method:



Disable slot write: If the checkbox is checked, the contents of the slot cannot be modified under any circumstances.

Slot 7 | Secure Boot digest | Storage location for Secure Boot digest. This is an internal function, so no reads or writes are enabled. | No Write, No Read
Slot Description:
This slot is used as a secure location to store the Secure Boot digest. This slot can be updated only through internal commands so no external read/write is possible on this slot.

Provisioning:
No external writes are allowed to this slot; data can be stored only using internal commands. This slot is not user writable.

Slot 8 | WPC Slot1 Authentication | Storage of WPC Slot1 Information PublicKey, Certificate and Slot Digest | Permanent or Writable with Slot Lockable, Clear Read
Slot Description:
This is a WPC Slot1 Information slot. This slot contains WPC Slot1 details like Manufacturer PublicKey, compressed Device and Manufacturer certificates, Slot1 Certificate chain digest and other information related to WPC Slot1

Provisioning:
The slot is provisioned by Microchip with WPC Slot1 Certificate chain digest. Slot data is not user modifiable

Disable slot write: If the checkbox is checked, the contents of the slot cannot be modified under any circumstances.

Slot 9 | WPC Slot0 Authentication | WPC Slot0 Manufacturer Public Key | No Write, Clear Read
Slot Description:
This is a WPC Slot0 Information slot. This slot contains Manufacturer PublicKey.

Provisioning:
The slot is provisioned by Microchip with WPC Slot0 Certificate chain digest. Slot data is not user modifiable

Slot 10 | TLS Authentication | TLS Device Compressed Certificate in CryptoAuthentication compressed format | Permanent or Writable with Slot Lockable, Clear Read
Slot Description:
Device compressed certificate for TLS authentication is stored in this slot. This slot is written with certificate signed by Microchip signers and root.

Provisioning:
The slot is provisioned by Microchip with its own root and signers. Customers can choose between a Microchip Standard Certificate and a Custom Certificate.
  1. Microchip standard certificate: Certificate elements like Org name, CommonName and certificate validity will be filled by Microchip. The certificate will be signed with Microchip root.
  2. Custom Certificate: This option will allow the Customer to define some of the certificate elements like Org name, CommonName and certificate validity.
Select product unit certificate type:




Notes on Custom Product Unit Certificate
  1. Due to the way the certificates are stored/retrieved from the ECC608 device, using Custom certificates will require some knowledge on compressed certificates and certificate templates.
  2. The issue date only has a resolution of hours. Minutes and seconds are assumed to be zero. Refer to Compressed Certificate Definition for further details on the compressed certificates.
  3. The generated custom definition files (.c, .h) assume that the size of the Organization and Common Names matches the MCHP standard certificates.
  4. The Distinguished Names, both for the Issuer and for the Subject in all certificates, must be comprised of an Organization Name and a Common Name entry, in that order.
  5. The Organization Name entered here is padded, and its spaces are replaced with '_', to match MCHP standard certificate sizes.
  6. It is recommended to use the default CommonName, i.e. the device serial prefixed with sn. If it needs to be different, its size is matched to MCHP standard certificates, with spaces replaced by '_'.
  7. For the Product Unit certificate, Basic Constraints come before Key Usage. The extensions are ordered as follows:
    1. Basic Constraints: critical, CA:FALSE
    2. Key Usage: critical Digital Signature, Key Agreement
    3. Subject Key Identifier
    4. Authority Key Identifier
Populate below to customize certificate fields:

   

Slot 11 | TLS Authentication | TLS PublicKey for the CA (Signer) that signed the product unit certificate | Permanent or Writable with Slot Lockable, Clear Read
Slot Description:
This slot holds the TLS authentication Signer public key.

Provisioning:
The slot is provisioned by Microchip with the signer public key. Slot data is not user modifiable.

Slot 12 | TLS Authentication | TLS CA (Signer) certificate for the device certificate, in the CryptoAuthentication compressed format | Permanent or Writable with Slot Lockable, Clear Read
Slot Description:
This slot holds the TLS authentication Signer compressed certificate.

Provisioning:
The slot is provisioned by Microchip's root key. Customers can choose between a Microchip Standard Certificate and a Custom Certificate.
  1. Microchip standard certificate: Certificate elements like Org name, CommonName and certificate validity will be filled by Microchip. The certificate will be signed with Microchip root.
  2. Custom Certificate: This option will allow the Customer to define some of the certificate elements like Org name, CommonName and certificate validity.
Select certificate type:




Notes on Custom Manufacturer Certificate:
  1. Due to the way the certificates are stored/retrieved from the ECC608 device, using Custom certificates will require some knowledge on compressed certificates and certificate templates.
  2. The issue date only has a resolution of hours. Minutes and seconds are assumed to be zero. Refer to Compressed Certificate Definition for further details on the compressed certificates.
  3. The generated custom definition files (.c, .h) assume that the length of the Organization and Common Names matches the MCHP standard certificates.
  4. The Distinguished Names, both for the Issuer and for the Subject in all certificates, must be comprised of an Organization Name and a Common Name entry, in that order.
  5. The Organization Name entered here is padded, and its spaces are replaced with '_', to match MCHP standard certificate sizes.
  6. The Subject Common Name and the Issuer Common Name in the Manufacturer certificate are padded, with spaces replaced by '_', to match MCHP standard certificate sizes.
  7. The Manufacturer certificates must contain exactly the following extensions in exactly the same order:
    1. Key Usage, critical: Digital Signature, Certificate Sign, CRL Sign
    2. Basic Constraints, critical: CA: TRUE, PATHLEN: 0
    3. Subject Key Identifier
    4. Authority Key Identifier
Populate below to customize certificate fields:
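
Note 2 in both certificate note lists says the issue date has a resolution of hours. The following added example (not Microchip or CryptoAuthLib code) shows why, by packing and unpacking the three date bytes of a compressed certificate. The type and function names are hypothetical, the bit layout (5-bit year since 2000, 4-bit month, 5-bit day, 5-bit hour, 5-bit expire years) is an assumption taken from the Compressed Certificate Definition rather than from this page, and the sample timestamp is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical type and function names. Assumed layout of the 3 date bytes:
 * year-2000 (5 bits) | month (4) | day (5) | hour (5) | expire years (5). */
typedef struct {
    int year, month, day, hour, minute, second; /* issue date, UTC */
    int expire_years;                           /* validity in whole years */
} cert_dates_t;

/* Constructed sample input: a timestamp carrying minutes and seconds. */
static const cert_dates_t SAMPLE = { 2024, 3, 15, 10, 47, 33, 20 };

/* Pack into 24 bits; returns -1 when a field cannot be represented. */
int32_t compcert_dates_pack(const cert_dates_t *d)
{
    if (d->year < 2000 || d->year > 2031 || d->month < 1 || d->month > 12 ||
        d->day < 1 || d->day > 31 || d->hour < 0 || d->hour > 23 ||
        d->expire_years < 0 || d->expire_years > 31)
        return -1;
    /* Minutes and seconds have no field in the layout: they are dropped here. */
    return (int32_t)(((uint32_t)(d->year - 2000) << 19) | ((uint32_t)d->month << 15) |
                     ((uint32_t)d->day << 10) | ((uint32_t)d->hour << 5) |
                     (uint32_t)d->expire_years);
}

/* Unpack what a verifier would rebuild from the stored bytes. */
cert_dates_t compcert_dates_unpack(uint32_t v)
{
    cert_dates_t d;
    d.year = 2000 + (int)((v >> 19) & 0x1F);
    d.month = (int)((v >> 15) & 0x0F);
    d.day = (int)((v >> 10) & 0x1F);
    d.hour = (int)((v >> 5) & 0x1F);
    d.minute = 0;   /* always zero after a round trip */
    d.second = 0;
    d.expire_years = (int)(v & 0x1F);
    return d;
}

/* Returns 1 only if the requested issue date survives encoding unchanged. */
int compcert_dates_exact(const cert_dates_t *d)
{
    return compcert_dates_pack(d) >= 0 && d->minute == 0 && d->second == 0;
}

int main(void)
{
    cert_dates_t r = compcert_dates_unpack((uint32_t)compcert_dates_pack(&SAMPLE));
    printf("%04d-%02d-%02d %02d:%02d:%02d (+%d years), exact=%d\n", r.year, r.month,
           r.day, r.hour, r.minute, r.second, r.expire_years, compcert_dates_exact(&SAMPLE));
    return 0;
}
```

A custom certificate signed with non-zero minutes or seconds in its issue date will not match the certificate rebuilt from the compressed form, so truncate the timestamp to the hour before signing.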



Slot 13 | WPC Slot0 Authentication | WPC Slot0 Compressed Product Unit Certificate | No Write, Clear Read
Slot Description:
This is a WPC Slot0 Product Unit compressed certificate slot. This slot contains Product Unit certificate in the compressed format.

Provisioning:
The slot is provisioned by Microchip with WPC Slot0 Certificate chain digest. Slot data is not user modifiable

Slot 14 | WPC Slot0 Authentication | WPC Slot0 Compressed Manufacturer Certificate | No Write, Clear Read
Slot Description:
This is a WPC Slot0 Manufacturer compressed certificate slot. This slot contains Manufacturer certificate in the compressed format.

Provisioning:
The slot is provisioned by Microchip with WPC Slot0 Certificate chain digest. Slot data is not user modifiable

Slot 15 | Secure Boot public key | Secure Boot public key | Permanent or Writable with Slot Lockable, Clear Read
Slot Description:
Secure Boot public key will be stored in this slot.

Provisioning:
The data entered in the below step will be stored into the device slot during provisioning.

Provisioning data input method:


TrustFLEX Secure Boot Options:
With the following option, the private key in Slot0 can be set to require a Secure Boot before the key is authorized for use. If the option is enabled, the Slot0 private key can be used only after a successful Secure Boot operation. The changed slot access policy for Slot0 is tied to the persistent latch being set.



Disable slot write: If the checkbox is checked, the contents of the slot cannot be modified under any circumstances.

Custom root (Signer CA) Information





Custom root (Signer CA) public key is needed to verify the full certificate chain (device-signer-root) during production.
Choose provisioning data input method (Provide public key):




Part Number details
Provide the Part Number received from MCHP in the support system. For prototyping, one can leave these blank.




Prototyping

The prototype package is for prototyping and learning only. Do NOT share the prototype package because secrets are in plain text. Alternatively, you may use dummy secrets.
Click here to provision the ECC608-TFLXWPC-PROTO with the package generated from "Generate provisioning Package - Prototype". Make sure to load the generated zip file.

Production

Click here to generate the Secure Exchange Package then upload it to Microchip Provisioning Service (through Microchip Technical Support Portal). You will be prompted to add the HSM encryption keys when starting the generation process.
Both "Generate Provisioning Package" buttons compile all the data provided in the above slots into a zip package containing .ENC.xml/.xml, .c, .h and certificate files.
  1. '.xml' file contains device configuration and user data to be loaded into the ECC608-TFLXWPC slots. In the prototyping package, all user data are in unencrypted plain text whereas in the production package, user data are encrypted.
  2. '.c, .h' are 'C' source files that are meant to be used with CryptoAuthLib. These files are required to use certificates in CryptoAuthLib.
  3. Certificate files are generated for verification purposes.
