With mobile devices housing more and more sensitive data that is used across a wide variety of applications, chip and device companies must meet the complex security requirements of each potential use case or capability. Most security measures require the injection of secret identity data and cryptographic keys. Currently, cryptographic keys are provisioned in the clear, without encryption, on test equipment operated by third-party contract manufacturers. These provisioning methods expose chip manufacturers to liability and risk for any security breach that occurs within their supply chain.
Utilizing the CryptoManager Security Engine core IP, SoC architects have a built-in design for the secure provisioning of cryptographic keys during chip manufacturing. For OEM device manufacturing, this feature also enables remote secure key provisioning at the ODM (Original Device Manufacturer).
As illustrated in Figure 1 above, the CryptoManager solution provides the flexibility to provision keys and other sensitive data at any point in the manufacturing flow. More specifically, a key may be securely provisioned at any point in the chip manufacturer’s supply chain. In cooperation with their OEM customer, the provisioning of keys may even be pushed to the ODM for downstream provisioning at board-level test or as a post-production provisioning step prior to shipping. Because the communication channel is secured to a silicon root of trust provided by the Security Engine (see Figure 2), robust provisioning is possible at the earliest stages of manufacturing.

The CryptoManager solution also accommodates highly specialized key management requirements, such as the provisioning of key splits at different stages of manufacturing. For unique keys, there are features to protect against the same key being duplicated across multiple devices. The uniqueness of such keys is checked at multiple locations during a provisioning event: duplicate checking is performed both at the CryptoManager Service (see Figure 2), located in the datacenter of the chip or device manufacturer, and at the CryptoManager Appliance, located at the contract manufacturing site.

The CryptoManager platform helps solve challenging manufacturing business use cases through CryptoManager modules, which specify device service transactions such as key provisioning. A module may provision one or multiple key types depending on the customer’s requirements, and each module is authorized to provision its key(s) only at specified manufacturing locations.