Secure Provisioning of TrustFLEX
This page describes Microchip's secure provisioning process for TrustFLEX devices and shows you how to order devices that have been provisioned with your secrets, keys, and certificates. This page is applicable to both the ATECC608A and ATECC608B devices.
After prototyping your use case with the Trust Platform Design Suite, you are ready to place a device verification order. Microchip will have to provision these devices for you. This means you'll have to securely transmit your provisioning details (secrets, keys, and certificates) to us using our secret exchange process. After verifying these devices perform as expected, you'll be ready to place your first production orders.
- Create a Technical Support Case
- Secret Exchange Process
- Signature Exchange (Optional)
- Placing Verification Orders
- Placing Production Orders
Create a Technical Support Case
The Microchip Technical Support Portal (also known as myMicrochip) will be used to create a technical support case. The creation of this case enables you to:
- Obtain your TrustFLEX project part number
- Obtain the keys needed to encrypt your provisioning file
- Upload your encrypted provisioning file
You won’t be able to order any provisioned devices without creating a support case first.
On the microchip.com homepage, click the Technical Support icon near the top of the page.
Click the Log in button (top right corner) to log into the technical support portal.
After logging into the technical support portal, click on My Cases at the top of the page, then click New Case.
In the “Let us know how we can help you” section, select Value Added Services as the case reason then click Next.
In the “Provide more specific information” section, provide the following information:
- Subject: Enter your company name.
- Target Device: Begin typing the part number you want to order. This window has an auto-complete function that will assist in selecting the appropriate device.
- Category: Provisioning Services
- Sub-Category: TrustFLEX
Once complete, click Next.
In the “Describe your issue here” section, please add the following details:
- Program Name: Provide a short but descriptive name for this project so it will help distinguish between other projects you may have associated with your account.
- For distributors and contract manufacturers: Please include the OEM customer name in the program name to distinguish between multiple customers.
- Version Number: Provide a short name or numerical value for this program such as 1.0, etc.
- Device Package: Provide your desired package (e.g., UDFN or SOIC).
- Comments: Provide a short program description that will be displayed on the e-commerce portal.
- Microchip Direct Email Address: Provide all email addresses registered at Microchip Direct that will be authorized to purchase products associated with this project. Make sure to include any distribution or contract manufacturer email addresses if they will be ordering parts for you. Please ensure all email addresses are accurate.
In the “Project Information” section enter the following and click Submit:
Design Stage and Urgency are automatically populated for you.
Application Details: Add any additional relevant information you think we may need.
After creating your technical support case, a window will open allowing you to attach files to it. If you have no files to attach just click Done.
If you want to add a comment or a question to the case, click Add Comment.
Secret Exchange Process
Obtain Your Encryption Keys and Your Project Part Number
Your technical support case enables Microchip to assign you a project part number and provide you with keys used to encrypt your provisioning file. The project part number must be included in your provisioning file (instructions are shown in the following section).
Microchip's hardware security modules (HSM) will generate the RSA public/private key pairs used to encrypt and decrypt your provisioning file. Each manufacturing location has its own HSM, so you’ll need one public key for each location. This means you will need to provide an encrypted provisioning file for each location, and the location name must be included in the file name. The details will be provided to you in the support case.
Create Your Provisioning File
The TrustFLEX homepage in the Trust Platform Design Suite contains a configurator tool that generates an XML file used to provision the TrustFLEX device.
Open the Trust Platform Design Suite homepage on your computer by clicking the Getting Started button in the Trust Platform Design Suite program.
Navigate to the TrustFLEX homepage by selecting TrustFLEX at the top of the page then Click here to start with TrustFLEX TLS Pre-defined Use Case(s).
Select a use case (or multiple use cases) from the Use Case Library.
The TrustFLEX Configuration section (near the bottom of the page) displays all the configuration slots in the TrustFLEX device. These slots are automatically configured for you based on your selection(s) of the use case(s). If a slot configuration may need additional information from you, it will be highlighted. Click on these highlighted slots to add this information.
If your use case requires certificates (i.e., custom PKI and accessory/disposable asymmetric authentication), a Microchip standard certificate will be selected by default. If you would like to use a custom certificate instead, click on slots 10 and 12 to add the additional information required. You will also have to enter additional information in the “Custom root CA provisioning” section.
The “Part Number details” section enables you to add your project part number (provided to you in the technical support case) to your provisioning file. If you require a custom certificate you will also have to add the manufacturing identity (MAN ID) also provided to you in the support case.
Create your XML provisioning file by clicking on the Generate TFLXTLS provisioning package button shown below. This provisioning package is a ZIP file (TFLXTLS_Provisioning_package.zip) that includes your XML provisioning file as well as C source and header files that can be used with CryptoAuthLib.
Encrypt Your Provisioning File
Open the Trust Platform repository folder on your computer to find and start the encryption utility (MicrochipEncryptionUtility.exe).
Each manufacturing location generates the RSA key pairs inside its hardware security module, so you’ll need one public key for each location. You will encrypt your provisioning file using each key provided to you (creating one encrypted XML file per key). Each filename must include the manufacturing location name so we know which key goes with each file.
In the utility, click the Device label. A dropdown menu will appear to select the appropriate secure element device.
Click on the Load RSA Public Key button and select a public key XML file provided by Microchip via the support ticket.
Extract the TFLXTLS_Provisioning_package.zip file you created in the previous step. Click the Load Device Configuration File button, browse to the extracted ZIP folder, and select your XML provisioning file.
Another window will open asking you to choose a filename for your encrypted XML provisioning file. Use the following format to create the new file name:
<project part number>-<RSA key site>.enc.xml (e.g., ATECC608A-MAHxx-COSP-T.enc.xml)
Upload Your Provisioning File
Use your technical support case to upload your encrypted XML provisioning files. The support case does not have the ability to upload XML files directly. Please add all your XML files to one ZIP file and upload that file instead.
Open your case, click on Attachments then click the Upload files button to upload the ZIP file containing your XML files.
Signature Exchange (Optional)
If your use case requires a custom certificate, a signature exchange must be completed. This requires a Certificate Authority to be established for the product eco-system. This can be a root certificate authority (with a self-sign certificate) or an intermediate certificate authority that chains back to the root. This certificate authority will be used to sign the Microchip production signers, which will sign the device certificates. The Certificate Authority used to sign our production signers must use the P-256 curve for our system when using ECC keys.
Microchip will generate Certificate Signing Requests (CSRs) representing the different manufacturing sites (typically 160 CSRs) and upload them in the support case you created. These CSRs will need to be signed and uploaded back to the support case.
Placing Verification Orders
After you’ve uploaded your encrypted provisioning files (and provided signed certificates if your use case requires custom certificates), you will be notified through your support case when provisioned verification samples are ready to be ordered.
Go to the Microchip Direct Trust Platform Products page and log into your Microchip Direct account.
The page that opens will show your program name, project part number, and other information that was provided in your technical support case.
Click the PLACE VERIFICATION ORDER button to request validation samples.
Once the parts are ordered and are shipped by Microchip, log back into Microchip Direct and click on the Order History tab to find the option to Download Manifest for the shipped parts. Manifest file format details can be found in the Trust Platform Design Suite.
Once the verification samples have been successfully validated, log back into Microchip Direct and click on the APPROVE button in the associated project.
If you log into Microchip Direct without going to the Trust Platform page, you can still order your verification devices, but it’s a bit more work:
- Log into the microchipdirect.com main landing page.
- Type the TrustFLEX part number in the What can we help you find today? search window (e.g. ATECC608A-TFLTLS). This will open the generic TrustFLEX device page shown below.
- Select the Please go to pre-provisioned part page to purchase link. This should then re-direct you to the project ordering page shown above.
If you log into a Microchip Direct account with an unregistered email (login email address not sent in the ticket support portal where the secret exchange steps are handled), you will not be able to see the specific configuration but instead will see a page similar to the one shown below. Ask the person that created the technical support case to add your email to the case.
Placing Production Orders
Go to the Microchip Direct Trust Platform Products page and log into your Microchip Direct account.
The page that opens will show your program name, project part number, and other information that was provided in your technical support case.
Enter the requested order quantity in the project and click on the shopping cart icon.
Click on the shopping cart at the top of the page to review the shopping cart
Click the PROCEED TO SECURE CHECKOUT button.
Once the parts are ordered and are shipped by Microchip, log back into Microchip Direct and click on the Order History tab to find the option to Download Manifest for the shipped parts. Manifest file format details can be found in the Trust Platform Design Suite.
If you log into Microchip Direct without going to the Trust Platform page, you can still order your production devices, but it’s a bit more work:
- Log into the microchipdirect.com main landing page.
- Type the TrustFLEX part number in the What can we help you find today? search window (e.g. ATECC608A-TFLTLS). This will open the generic TrustFLEX device page shown below.
- Select the Please go to pre-provisioned part page to purchase link. This should then re-direct you to the project ordering page shown above.
If you log into a Microchip Direct account with an unregistered email (login email address not sent in the ticket support portal where the secret exchange steps are handled), you will not be able to see the specific configuration but instead will see a page similar to the one shown below. Ask the person that created the technical support case to add your email to the case.
