Please note this page is for Trust Platform Design Suite version 1. Training for Trust Platform Design Suite version 2 can be found here: Trust Platform Design Suite v2.
This page describes Microchip's secure provisioning process for TrustCUSTOM devices and shows you how to order devices that have been provisioned with your secrets, keys, and certificates. This page applies to the ATECC608A, ATECC608B, and ATSHA204A devices.
Before proceeding with the secure provisioning process, a signed NDA must be in place with Microchip. An NDA can be initiated through your local sales representative. Once an NDA is completed, Microchip will need the customer’s Github account credentials, which will allow access to the TrustCUSTOM configuration tools in the Trust Platform Design Suite.
After prototyping your use case with the Trust Platform Design Suite, you are ready to begin the secure provisioning process. Microchip will have to provision these devices for you. This means you'll have to securely transmit your provisioning details (secrets, keys, and certificates) to us using our secret exchange process. After verifying these devices perform as expected, you'll be ready to place your first production orders.
- Create a Technical Support Case
- Secret Exchange Process
- Signature Exchange (Optional)
- Placing Verification Orders
- Placing Production Orders
Create a Technical Support Case
The Microchip Technical Support Portal (also known as myMicrochip) will be used to create a technical support case. The creation of this case enables you to:
- Obtain your TrustCUSTOM project part number
- Obtain the keys needed to encrypt your provisioning file
- Upload your encrypted provisioning file
You won’t be able to order any provisioned devices without creating a support case first.
1
On the microchip.com homepage, click the Technical Support icon near the top of the page.
2
Click the Log in button (top right corner) to log into the technical support portal.
MicrochipDirect and myMicrochip share login credentials. Use your MicrochipDirect login credentials to log into this site. If you do not have a MicrochipDirect account, you can register for a new myMicrochip account.
5
In the “Provide more specific information” section, provide the following information:
- Subject: Enter your company name.
- Target Device: Begin typing the part number you want to order. This window has an auto-complete function that will assist in selecting the appropriate device.
- Category: Provisioning Services
- Sub-Category: TrustCUSTOM
Once complete, click Next.
6
In the “Describe your issue here” section, please add the following details:
- Program Name: Provide a short but descriptive name for this project so it will help distinguish between other projects you may have associated with your account.
- For distributors and contract manufacturers: Please include the OEM customer name in the program name to distinguish between multiple customers.
- Version Number: Provide a short name or numerical value for this program such as 1.0, etc.
- Device Package: Provide your desired package (e.g., UDFN or SOIC).
- Comments: Provide a short program description that will be displayed on the e-commerce portal.
- MicrochipDirect Email Address: Provide all email addresses registered at MicrochipDirect that will be authorized to purchase products associated with this project. Make sure to include any distribution or contract manufacturer email addresses if they will be ordering parts for you. Please ensure all email addresses are accurate.
Attention: You have total control over who can order your provisioned TrustCUSTOM devices. If a MicrochipDirect account is not associated with an email listed in this text box, the account will not be able to order TrustCUSTOM devices provisioned for your use case.
Secret Exchange Process
Obtain Your Encryption Keys and Your Project Part Number
Your technical support case enables Microchip to assign you a project part number and provide you with keys used to encrypt your provisioning file. The project part number must be included in your provisioning file (instructions to do this are shown below).
Microchip's hardware security modules (HSM) will generate the RSA public/private key pairs used to encrypt and decrypt your provisioning file. Each manufacturing location has its own HSM, so you’ll need one public key for each location. This means you will need to provide an encrypted provisioning file for each location, and the location name must be included in the file name. The details will be provided to you in the support case.
Create Your Provisioning File
With the TrustCustom Configurator plugin installed, open the Trust Platform Design Suite homepage on your computer by clicking the Getting Started button in the Trust Platform Design Suite program.
Navigate to the TrustCUSTOM homepage by selecting TrustCUSTOM at the top of the page then Click here to start with TrustCUSTOM Pre-defined Use Case(s) and Configurator.
Encrypt Your Provisioning File
Open the Trust Platform repository folder on your computer to find and start the encryption utility (MicrochipEncryptionUtility.exe).
The SHA204A device requires a different encryption utility that will be provided to you.
Each manufacturing location generates the RSA key pairs inside its hardware security module, so you’ll need one public key for each location. You will encrypt your provisioning file using each key provided to you (creating one encrypted XML file per key). Each filename must include the manufacturing location name so we know which key goes with each file.
4
Another window will open asking you to choose a filename for your encrypted XML provisioning file. Use the following format to create the new file name:
<project part number>-<RSA key site>.enc.xml (e.g., ATECC608A-MAHxx-COSP-T.enc.xml)
This Microchip encryption utility doesn’t actually encrypt the whole XML file. It only encrypts your secrets. Feel free to open the encrypted file to see what is and is not encrypted.
Attention: Make sure you only upload files that have been encrypted with the Microchip Encryption Utility. Configuration files encrypted via other means cannot be accepted by Microchip.
Upload Your Provisioning File
Use your technical support case to upload your encrypted XML provisioning files. The support case does not have the ability to upload XML files directly. Please add all your XML files to one ZIP file and upload that file instead.
Open your case, click on Attachments, then click the Upload files button to upload the ZIP file containing your XML files.
Signature Exchange (Optional)
If your use case requires a custom certificate, a signature exchange must be completed. This requires a Certificate Authority to be established for the product eco-system. This can be a root certificate authority (with a self-sign certificate) or an intermediate certificate authority that chains back to the root. This certificate authority will be used to sign the Microchip production signers, which will sign the device certificates. The Certificate Authority used to sign our production signers must use the P-256 curve for our system when using ECC keys.
Microchip will generate Certificate Signing Requests (CSRs) representing the different manufacturing sites (typically 160 CSRs) and upload them in the support case you created. These CSRs will need to be signed and uploaded back to the support case.
If you are using your own root certificate, careful security provisions must be observed. Protection of the root private key is very important as it forms the backbone of the entire authentication process. Microchip is not responsible for the setup of your root certificate and root private key protection.
Placing Verification Orders
Important notes for placing verification orders:
- Your project part number provided to you in your support case is not a Microchip custom part number and is not searchable through MicrochipDirect. It cannot be used to directly order units.
- Remember that you control which accounts can order these devices. Only accounts with emails listed in your support case can place orders.
- You will be ordering a standard TrustCUSTOM device that has your project part number (and therefore your provisioning file) associated with it. You won’t be able to order these verification samples until Microchip has set this up for you.
- For distributors: The distributor email account must be the email address associated with the distributor trust account in the region the order will be placed.
After you’ve uploaded your encrypted provisioning files (and provided signed certificates if your use case requires custom certificates), you will be notified through your support case when provisioned verification samples are ready to be ordered.
1
Go to the Microchip Direct Trust Platform Products page and log into your Microchip Direct account:
https://www.microchipdirect.com/trustplatform
The page that opens will show your program name, project part number, and other information that was provided in your technical support case.
If you log into Microchip Direct without going to the Trust Platform page, you can still order your verification devices, but it’s a bit more work:
- Log into the microchipdirect.com main landing page.
- Type the TrustCUSTOM part number in the What can we help you find today? search window (e.g. ATECC608A-TCSMU). This will open the generic TrustCUSTOM device page shown below.
- Select the Please go to the pre-provisioned part page to purchase link. This should then re-direct you to the project ordering page shown above.
If you log into a Microchip Direct account with an unregistered email (login email address not sent in the ticket support portal where the secret exchange steps are handled), you will not be able to see the specific configuration but instead will see a page similar to the one shown below. Ask the person that created the technical support case to add your email to the case.
Placing Production Orders
Important notes for placing production orders:
- Your project part number provided to you in your support case is not a Microchip custom part number and is not searchable through MicrochipDirect. It cannot be used to directly order units.
- Remember that you control which accounts can order these devices. Only accounts with emails listed in your support case can place orders.
- You will be ordering a standard TrustCUSTOM device that has your project part number (and therefore your provisioning file) associated with it. You won’t be able to order production devices until you have approved your verification samples.
- For distributors: The distributor email account must be the email address associated with the distributor trust account in the region the order will be placed.
1
Go to the Microchip Direct Trust Platform Products page and log into your Microchip Direct account:
https://www.microchipdirect.com/trustplatform
The page that opens will show your program name, project part number, and other information that was provided in your technical support case.
If you log into Microchip Direct without going to the Trust Platform page, you can still order your production devices, but it’s a bit more work:
- Log into the microchipdirect.com main landing page.
- Type the TrustCUSTOM part number in the What can we help you find today? search window (e.g. ATECC608A-TSCMU). This will open the generic TrustCUSTOM device page shown below.
- Select the Please go to the pre-provisioned part page to purchase link. This should then re-direct you to the project ordering page shown above.
If you log into a Microchip Direct account with an unregistered email (login email address not sent in the ticket support portal where the secret exchange steps are handled), you will not be able to see the specific configuration but instead will see a page similar to the one shown below. Ask the person that created the technical support case to add your email to the case.