Provisioning & Key Management
CryptoManager Trusted Services Solution Overview
Mitigating DDoS Attacks with Secure IoT Endpoints
The IoT is expected to comprise 20.8 billion devices by 2020, with Gartner estimating that 5.5 million new ‘things’ went online daily during 2016. Nevertheless, robust IoT security remains mired in the creation phase along with nascent interoperability standards. As more and more ‘things’ connect to the Internet, the danger of nefarious attackers exploiting unsecured devices looms ever larger.
Use Cases: Personalization
Given the inherent complexities and costs associated with building a brand-new chip, fabless chip manufacturers are under constant pressure to improve operating efficiencies while also satisfying OEM customer requirements. Large OEM customers requesting personalization, customer-specific data preparation and feature customization of standard parts therefore challenge the chipmaker's ability to minimize inventory overhead and improve operating efficiencies.
Customer-specific personalization services can be performed with a high degree of visibility and audit tracking controls, secured by the CryptoManager solution at each step in the manufacturing supply chain.
For example (see Figure 1), if three OEM customers of a SoC manufacturer each request different feature configurations and/or data preparations for a standard SoC product, the SoC manufacturer needs to figure out how to support three customer-specific part types without creating three different SKUs.
Device personalization creates complexity in manufacturing and in inventory management. With multiple SKUs for standard products, managing inventory at each step requires accurate forecasts, and discrepancies can result in wasted silicon or delays in fulfilling orders (see Figure 2).
In this case, pushing the personalization processing step to the end of the manufacturing flow, just prior to or, in some cases, after delivery to the customer, mitigates the impact on inventory and operations (see Figure 3).
Use Cases: Secure Key Provisioning
With mobile devices housing more and more sensitive data that is used in a wide variety of applications, chip and device companies must meet the complex security requirements for each potential use case or capability. Most security measures require the injection of secret identity data and cryptographic keys. Currently, cryptographic keys are provisioned in the open, without encryption, on test equipment operated by third-party contract manufacturers. These provisioning methods expose chip manufacturers to liability and risk for any security breach that occurs within their supply chain.
Utilizing the CryptoManager Root of Trust hardware IP Core, SoC architects have a built-in design for the secure provisioning of cryptographic keys during chip manufacturing. For OEM device manufacturing, this feature also enables remote secure key provisioning at the ODM (Original Device Manufacturer).
Use Cases: Debug Access Control
When chips are shipped into the field, the test features needed to test the chip during manufacturing must be securely disabled (see Figure 1 below). If left enabled in the field, these test and debug ports could provide a back door into the device that could be used maliciously to read keys and other sensitive data from the device. These test features must be disabled when the part ships into the field, but it must also be possible to securely enable them later when defective parts are returned through the RMA (Return Merchandise Authorization) channel for failure analysis.
To prevent misuse of debug modes (e.g. BIST, scan, JTAG), the CryptoManager Root of Trust can be connected to the debug mode enable, which defaults to an off (safe) setting. The Root of Trust can selectively enable debug features as needed, for example:
- At specified manufacturing stages (wafer test, package test), necessary debug capabilities can be temporarily enabled
- In the case of a defective chip or device, debug capability can be re-enabled for Return Merchandise Authorization (RMA) and Failure Analysis (FA)
Once debugging is completed, the Root of Trust disables the debug mode. The CryptoManager solution provides a method for chip and device companies to authenticate the device and authorize the provisioning of the debug enable/disable operation for each device.
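The debug gate described above can be sketched as a small model. This is an added example, not CryptoManager code: the `Stage` names, the `RootOfTrustModel` class and the HMAC challenge-response with a shared key are assumptions chosen to show default-off behaviour, stage-based enablement and per-device authorization.

```python
import hashlib
import hmac
import secrets
from enum import Enum


class Stage(Enum):                      # hypothetical lifecycle stages
    WAFER_TEST = 1
    PACKAGE_TEST = 2
    FIELD = 3


def sign_unlock(key: bytes, device_id: bytes, nonce: bytes) -> bytes:
    """Authority side: authorize debug for one device and one challenge only."""
    msg = b"debug-unlock|" + device_id + b"|" + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()


class RootOfTrustModel:
    """Toy model of a debug-enable gate (assumed design, shared HMAC key)."""

    def __init__(self, device_id: bytes, key: bytes, stage: Stage):
        self.device_id, self._key, self.stage = device_id, key, stage
        self.debug_enabled = False              # default is off (safe)
        self._nonce = None

    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)   # fresh per unlock attempt
        return self._nonce

    def request_debug(self, token: bytes = b"") -> bool:
        if self.stage in (Stage.WAFER_TEST, Stage.PACKAGE_TEST):
            self.debug_enabled = True           # manufacturing test stages
        elif self._nonce is not None:
            expected = sign_unlock(self._key, self.device_id, self._nonce)
            self.debug_enabled = hmac.compare_digest(expected, token)
            self._nonce = None                  # one attempt per challenge
        else:
            self.debug_enabled = False          # fielded part, nothing pending
        return self.debug_enabled

    def end_debug(self) -> None:
        self.debug_enabled = False              # return to the safe default


def demo() -> list:
    key = b"constructed-demo-key"               # constructed sample value
    dev = RootOfTrustModel(b"DEV-0001", key, Stage.FIELD)
    results = [dev.request_debug()]             # no authorization at all
    wrong = sign_unlock(key, b"DEV-0002", dev.challenge())
    results.append(dev.request_debug(wrong))    # token bound to another device
    token = sign_unlock(key, b"DEV-0001", dev.challenge())
    results.append(dev.request_debug(token))    # valid RMA unlock
    dev.end_debug()
    results.append(dev.request_debug(token))    # replayed token is refused
    return results
```

Binding the token to both the device identifier and a fresh challenge is what keeps an unlock issued for one returned part from working on any other part, or a second time on the same part.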