Secure provisioning of TrustCUSTOM

Please note this page is for Trust Platform Design Suite version 1. Training for Trust Platform Design Suite version 2 can be found here: Trust Platform Design Suite v2.

This page describes Microchip's secure provisioning process for TrustCUSTOM devices and shows you how to order devices that have been provisioned with your secrets, keys, and certificates. This page applies to the ATECC608A, ATECC608B, and ATSHA204A devices.

Before proceeding with the secure provisioning process, a signed NDA must be in place with Microchip. An NDA can be initiated through your local sales representative. Once an NDA is completed, Microchip will need the customer’s Github account credentials, which will allow access to the TrustCUSTOM configuration tools in the Trust Platform Design Suite.

After prototyping your use case with the Trust Platform Design Suite, you are ready to begin the secure provisioning process. Microchip will have to provision these devices for you. This means you'll have to securely transmit your provisioning details (secrets, keys, and certificates) to us using our secret exchange process. After verifying these devices perform as expected, you'll be ready to place your first production orders.


Create a Technical Support Case

The Microchip Technical Support Portal (also known as myMicrochip) will be used to create a technical support case. The creation of this case enables you to:

  • Obtain your TrustCUSTOM project part number
  • Obtain the keys needed to encrypt your provisioning file
  • Upload your encrypted provisioning file

You won’t be able to order any provisioned devices without creating a support case first.

1

On the microchip.com homepage, click the Technical Support icon near the top of the page.

tech_support.png

2

Click the Log in button (top right corner) to log into the technical support portal.

MicrochipDirect and myMicrochip share login credentials. Use your MicrochipDirect login credentials to log into this site. If you do not have a MicrochipDirect account, you can register for a new myMicrochip account.

register.png

3

After logging into the technical support portal, click on My Cases at the top of the page, then click New Case.

case1.png

4

In the “Let us know how we can help you” section, select Value Added Services as the case reason, then click Next.

case2.png

5

In the “Provide more specific information” section, provide the following information:

  • Subject: Enter your company name.
  • Target Device: Begin typing the part number you want to order. This window has an auto-complete function that will assist in selecting the appropriate device.
  • Category: Provisioning Services
  • Sub-Category: TrustCUSTOM

Once complete, click Next.

case3.png

6

In the “Describe your issue here” section, please add the following details:

  • Program Name: Provide a short but descriptive name for this project so it will help distinguish between other projects you may have associated with your account.
    • For distributors and contract manufacturers: Please include the OEM customer name in the program name to distinguish between multiple customers.
  • Version Number: Provide a short name or numerical value for this program such as 1.0, etc.
  • Device Package: Provide your desired package (e.g., UDFN or SOIC).
  • Comments: Provide a short program description that will be displayed on the e-commerce portal.
  • MicrochipDirect Email Address: Provide all email addresses registered at MicrochipDirect that will be authorized to purchase products associated with this project. Make sure to include any distribution or contract manufacturer email addresses if they will be ordering parts for you. Please ensure all email addresses are accurate.

Attention: You have total control over who can order your provisioned TrustCUSTOM devices. If a MicrochipDirect account is not associated with an email listed in this text box, the account will not be able to order TrustCUSTOM devices provisioned for your use case.

case4.png

7

In the “Project Information” section enter the following:

  • Design Stage and Urgency: Will automatically populate for you.
  • Application Details: Add any additional, relevant information you think we may need.

Then click Submit.

case5.png

8

After creating your technical support case, a window will open allowing you to attach files to it. If you have no files to attach just click Done.

case6.png

9

If you want to add a comment or a question to the case, click Add Comment.

case7.png

Secret Exchange Process

Obtain Your Encryption Keys and Your Project Part Number

Your technical support case enables Microchip to assign you a project part number and provide you with keys used to encrypt your provisioning file. The project part number must be included in your provisioning file (instructions to do this are shown below).

Microchip's hardware security modules (HSM) will generate the RSA public/private key pairs used to encrypt and decrypt your provisioning file. Each manufacturing location has its own HSM, so you’ll need one public key for each location. This means you will need to provide an encrypted provisioning file for each location, and the location name must be included in the file name. The details will be provided to you in the support case.

Create Your Provisioning File

With the TrustCustom Configurator plugin installed, open the Trust Platform Design Suite homepage on your computer by clicking the Getting Started button in the Trust Platform Design Suite program.

getstarted.png

Navigate to the TrustCUSTOM homepage by selecting TrustCUSTOM at the top of the page then Click here to start with TrustCUSTOM Pre-defined Use Case(s) and Configurator.

home.png

1

Use the Configurator GUI to select the desired options for your configuration zone.

use_case.png

2

Export the finalized configuration setting from the Import/Export Format pane (near the bottom of the page) and paste it into your full configuration XML file.

config.png

Encrypt Your Provisioning File

Open the Trust Platform repository folder on your computer to find and start the encryption utility (MicrochipEncryptionUtility.exe).

The SHA204A device requires a different encryption utility that will be provided to you.

folder.png

Each manufacturing location generates the RSA key pairs inside its hardware security module, so you’ll need one public key for each location. You will encrypt your provisioning file using each key provided to you (creating one encrypted XML file per key). Each filename must include the manufacturing location name so we know which key goes with each file.

1

In the utility, click the Device label. A dropdown menu will appear to select the appropriate secure element device.

device.png

2

Click on the Load RSA Public Key button and select a public key XML file provided by Microchip via the support ticket.

load_key.png

3

Extract the TFLXTLS_Provisioning_package.zip file you created in the previous step. Click the Load Device Configuration File button, browse to the extracted ZIP folder, and select your XML provisioning file.

load_config.png

4

Another window will open asking you to choose a filename for your encrypted XML provisioning file. Use the following format to create the new file name:
<project part number>-<RSA key site>.enc.xml (e.g., ATECC608A-MAHxx-COSP-T.enc.xml)

This Microchip encryption utility doesn’t actually encrypt the whole XML file. It only encrypts your secrets. Feel free to open the encrypted file to see what is and is not encrypted.

Attention: Make sure you only upload files that have been encrypted with the Microchip Encryption Utility. Configuration files encrypted via other means cannot be accepted by Microchip.

Upload Your Provisioning File

Use your technical support case to upload your encrypted XML provisioning files. The support case does not have the ability to upload XML files directly. Please add all your XML files to one ZIP file and upload that file instead.

Open your case, click on Attachments, then click the Upload files button to upload the ZIP file containing your XML files.

upload.png

Signature Exchange (Optional)

If your use case requires a custom certificate, a signature exchange must be completed. This requires a Certificate Authority to be established for the product eco-system. This can be a root certificate authority (with a self-sign certificate) or an intermediate certificate authority that chains back to the root. This certificate authority will be used to sign the Microchip production signers, which will sign the device certificates. The Certificate Authority used to sign our production signers must use the P-256 curve for our system when using ECC keys.

Microchip will generate Certificate Signing Requests (CSRs) representing the different manufacturing sites (typically 160 CSRs) and upload them in the support case you created. These CSRs will need to be signed and uploaded back to the support case.

If you are using your own root certificate, careful security provisions must be observed. Protection of the root private key is very important as it forms the backbone of the entire authentication process. Microchip is not responsible for the setup of your root certificate and root private key protection.


Placing Verification Orders

Important notes for placing verification orders:

  • Your project part number provided to you in your support case is not a Microchip custom part number and is not searchable through MicrochipDirect. It cannot be used to directly order units.
  • Remember that you control which accounts can order these devices. Only accounts with emails listed in your support case can place orders.
  • You will be ordering a standard TrustCUSTOM device that has your project part number (and therefore your provisioning file) associated with it. You won’t be able to order these verification samples until Microchip has set this up for you.
  • For distributors: The distributor email account must be the email address associated with the distributor trust account in the region the order will be placed.

After you’ve uploaded your encrypted provisioning files (and provided signed certificates if your use case requires custom certificates), you will be notified through your support case when provisioned verification samples are ready to be ordered.

1

Go to the Microchip Direct Trust Platform Products page and log into your Microchip Direct account:
https://www.microchipdirect.com/trustplatform

The page that opens will show your program name, project part number, and other information that was provided in your technical support case.

2

Click the PLACE VERIFICATION ORDER button to request validation samples.

order1.png

3

Once the parts are ordered and are shipped by Microchip, log back into Microchip Direct and click on the Order History tab to find the option to Download Manifest for the shipped parts. Manifest file format details can be found in the Trust Platform Design Suite.

order2.png

4

Once the verification samples have been successfully validated, log back into Microchip Direct and click on the APPROVE button in the associated project.

order3.png

If you log into Microchip Direct without going to the Trust Platform page, you can still order your verification devices, but it’s a bit more work:

  • Log into the microchipdirect.com main landing page.
  • Type the TrustCUSTOM part number in the What can we help you find today? search window (e.g. ATECC608A-TCSMU). This will open the generic TrustCUSTOM device page shown below.
  • Select the Please go to the pre-provisioned part page to purchase link. This should then re-direct you to the project ordering page shown above.
order4.png

If you log into a Microchip Direct account with an unregistered email (login email address not sent in the ticket support portal where the secret exchange steps are handled), you will not be able to see the specific configuration but instead will see a page similar to the one shown below. Ask the person that created the technical support case to add your email to the case.

order5.png

Placing Production Orders

Important notes for placing production orders:

  • Your project part number provided to you in your support case is not a Microchip custom part number and is not searchable through MicrochipDirect. It cannot be used to directly order units.
  • Remember that you control which accounts can order these devices. Only accounts with emails listed in your support case can place orders.
  • You will be ordering a standard TrustCUSTOM device that has your project part number (and therefore your provisioning file) associated with it. You won’t be able to order production devices until you have approved your verification samples.
  • For distributors: The distributor email account must be the email address associated with the distributor trust account in the region the order will be placed.

1

Go to the Microchip Direct Trust Platform Products page and log into your Microchip Direct account:
https://www.microchipdirect.com/trustplatform

The page that opens will show your program name, project part number, and other information that was provided in your technical support case.

2

Enter the requested order quantity in the project and click on the shopping cart icon.

order6.png

Note: The Minimum Order Quantity (MOQ) for this device is 4k units.

3

Click on the shopping cart at the top of the page to review the shopping cart

order7.png

4

Click the PROCEED TO SECURE CHECKOUT button.

order8.png

5

Once the parts are ordered and are shipped by Microchip, log back into Microchip Direct and click on the Order History tab to find the option to Download Manifest for the shipped parts. Manifest file format details can be found in the Trust Platform Design Suite.

order9.png

If you log into Microchip Direct without going to the Trust Platform page, you can still order your production devices, but it’s a bit more work:

  • Log into the microchipdirect.com main landing page.
  • Type the TrustCUSTOM part number in the What can we help you find today? search window (e.g. ATECC608A-TSCMU). This will open the generic TrustCUSTOM device page shown below.
  • Select the Please go to the pre-provisioned part page to purchase link. This should then re-direct you to the project ordering page shown above.
order10.png

If you log into a Microchip Direct account with an unregistered email (login email address not sent in the ticket support portal where the secret exchange steps are handled), you will not be able to see the specific configuration but instead will see a page similar to the one shown below. Ask the person that created the technical support case to add your email to the case.

order11.png
© 2024 Microchip Technology, Inc.
Notice: ARM and Cortex are the registered trademarks of ARM Limited in the EU and other countries.
Information contained on this site regarding device applications and the like is provided only for your convenience and may be superseded by updates. It is your responsibility to ensure that your application meets with your specifications. MICROCHIP MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WHETHER EXPRESS OR IMPLIED, WRITTEN OR ORAL, STATUTORY OR OTHERWISE, RELATED TO THE INFORMATION, INCLUDING BUT NOT LIMITED TO ITS CONDITION, QUALITY, PERFORMANCE, MERCHANTABILITY OR FITNESS FOR PURPOSE. Microchip disclaims all liability arising from this information and its use. Use of Microchip devices in life support and/or safety applications is entirely at the buyer's risk, and the buyer agrees to defend, indemnify and hold harmless Microchip from any and all damages, claims, suits, or expenses resulting from such use. No licenses are conveyed, implicitly or otherwise, under any Microchip intellectual property rights.