An essential component of OEMs developing edge-connected technology is based
on their software intellectual property (IP) and reputation as a provider of secure products.
Manufacturing these products in a cost-effective way often conflicts directly
with the needs to protect that IP and secure device credentials for use in the
cloud. NXP believes that security should never be compromised and has offered
a solution with the new Smart Card Trust Provisioning capability.
Security is at the core of NXP. Not only do we want each element of our
devices or software to be safe and secure, but it is just as critical that we
enable the manufacturing of each customer's product to be secure. Manufacturing
processes should be worry-free and hassle-free with the backing of highly
secure technology, even if the manufacturing site itself cannot provide strong
assurances of security. With our new
Smart Card Trust Provisioning Solution, NXP is introducing a variety of features that enable OEMs to protect their IP and revenue. Utilizing our Smart Card and
MCUXpresso Secure Provisioning tool (SEC), this solution provides a way for our customers to manage the root of trust
of their manufacturing process. Moreover, it brings assurance to our customers
that their secrets (keys and certificates)—used to identify an OEM’s products
and its software IP—are safeguarded. This is a cost effective, secure and
reliable solution for customers of any size and utilizes NXP’s highly secure
SmartMX microcontrollers (MCUs) to implement the Smart Card itself—technology that has powered high-security applications over several years.
Many of our customers spend months or years developing their software for
their end products, including credentials and IP, which are among their most
valuable assets. The Smart Card Trust Provisioning Solution enables secure
credentials and IP deployment from our customer’s premise to an entrusted
factory. Our MCUs have secure boot capability built into ROM to ensure only a
signed image will run. The MCUs also include secure flash storage and device
unique key generation capability built on physical unclonable function (PUF) technology. Customer credentials
and IP, which are signed and encrypted at their trusted development site using
the MCUXpresso SEC tool, can only be verified and decrypted by NXP genuine
Credentials, such as secret keys for use in the customer application, are
securely stored in a Smart Card before it is sealed, preventing any further
changes. This way, the Smart Card acts as an essential element for security,
just like a hardware secure module (HSM). These credentials can then be
securely transferred to the target devices inside the customer end product
without exposure at the contract manufacturer (CM) factory. With the SEC tool,
only a genuine device with the corresponding built-in NXP certificate can be
provisioned with the customer’s secret keys and programmed with the customer’s
signed software. Even the last step, from the host running the SEC tool to
customer target system, is protected by a secured link between that computer
and the NXP MCU during provisioning and programming.
Over-production at CM factories can also be a concern for many OEMs. The Smart
Card Trust Provisioning Solution provides an essential production management
feature – production limit control – to address this concern. Customers can
personalize the Smart Card, when they get the SEC tool, with a production
quantity limit while creating the production package for its CM to use to
manufacture its products. Once at the factory, the SEC tool performing
provisioning of the devices communicates with the Smart Card to securely count
the quantity manufactured, preventing any attempt to go past the preset limit.
The SEC tool generates a factory audit log at the end of the production
process for the CM to return to the customer site for review.
Smart Card Trust Provisioning Flow Diagram
In each secure, edge-connected application, every device needs a unique
identity for cloud on-boarding. At NXP, we build in enablement of the
provisioning process from the design of our microcontrollers, and during
manufacturing we inject NXP crypto keys and digital certificates into these
devices at our factory for later use in the customer’s manufacturing process.
Our customers can generate their own device-unique certificate and replace (or
revoke) the default NXP device certificate with the SEC tool, using the Smart
Card to generate and protect their own certificate. This enables them to take
ownership of the device during factory provisioning and use the audit log
generated by the SEC tool to harvest the resulting device certificates. These
device certificates may then be used for uploading to cloud service providers
for use in device on-boarding.
The Smart Card Provisioning Solution replaces traditional, more expensive HSM
and third-party device programming services. We are enabling our customers to
take full advantage of the advanced security features of NXP MCUs to protect
their vital assets. With the purchase of a cost-effective Smart Card and use of
MCUXpresso SEC tool, our customers can prepare secure images to protect their IP, manage keys
and perform device provisioning. With no minimum order quantity and full
control over production quantities, the
Smart Card Provisioning Solution
makes secure manufacturing an affordable reality to all.