15.2.7 SPPS Protocols

This section describes the protocols used by SPPS. It includes device-supported protocols, such as Authorization Protocols and OTPK, and protocols created above the device level, such as the Per-device key protocol.

15.2.7.1 Authorization Code Protocol

This is the main protocol used by SPPS. Authorization Code protocol support is built into SmartFusion 2, IGLOO 2, PolarFire, and PolarFire SoC devices. It allows SPPS to securely program initial security settings into the blank device, in an untrusted environment where simple monitoring or man-in-the-middle attacks would otherwise be possible.

This protocol is used by the ​Initiater bit stream in the HSM flow (see Initialization of ​Initiater Programming Bitstream). It is also used by the UEK1/2/3 Update bit stream to program devices that have per-device UEK1/2/3 keys programmed into them (see Initialization of UEK1/UEK2/UEK3 Update Bitstream).

The Authorization Code protocol enables secure delivery of a randomly generated encryption key (IP key, and KIP) to the device. The device can use the delivered KIP to decrypt an incoming programming bit stream. KIP remains in the device only until the end of the programming cycle, at which point it is erased—it is not stored in the device’s nonvolatile memory.

A KIP-encrypted user bit stream can only be programmed into those devices which are “authorized” to be programmed by this protocol.

KIP can only be delivered to the device if encrypted with one of the keys known to the device. In the case of a blank device, there are two such keys, depending on the type of device that is supported by SPPS.

  • A per-device Factory Key (FK) that is pre-placed in the device by Microchip during its manufacture.
  • A per-device Factory ECC public private key pair that is available in larger SmartFusion 2, IGLOO 2 devices (M2S060, M2GL060, M2S090, M2GL90, M2S150, and M2GL150), and all PolarFire and PolarFire SoC devices. The Factory ECC public private key pair are pre-placed in the device by Microchip during its manufacture. See UG0443: SmartFusion2 and IGLOO2 FPGA Security and Best Practices User Guide and PolarFire Family Security User Guide for details about this key pair.
  • A per-device User ECC public private key pair generated by the device internally prior to loading of the bit stream. See PolarFire Family Security User Guide for details about this key pair. The User ECC public private key pair is available only for programming using the ​Initiater Programming Bitstream.

If user security settings have already been programmed into the device, the Factory Key modes and User ECC key modes are disabled. For such a device, the user can only program FPGA, eNVM, and sNVM components with the Update bit stream using one of the user keys that was loaded with the ​Initiater bit stream. If the encryption key that must be used during this update is a per-device key, the Update bit stream is encrypted with KIP, and KIP is sent to the device through the Authorization Code protocol, which is protected by one of the user keys that was loaded.

The following sections provide more information about using the Authorization Code protocol during initial key loading and update flows.

15.2.7.1.1 Authorization Code Protocol in Initial Key Loading

SPPS initial key loading through the ​Initiater bit stream is based on the Authorization Code protocol. This protocol makes use of Diversified Factory Key (DFK) or Factory ECC Public Key Modes, which are described in the following sections.

Diversified Factory Key (DFK) and DFK Database

Following SmartFusion 2 and IGLOO 2 devices: M2S005, M2GL005, M2S010, M2GL010, M2S025, M2GL025, M2S050, M2GL050, have a unique Factory Key programmed into it. Microchip customers who use the SPPS HSM-based solution are given a database (DB) of the Diversified Factory Keys (DFKs) upon registering their U-HSM through the Microchip Portal. Upon registration, a UUID is assigned to the user HSM. The UUID is a 32-hex symbol string identifier (40-for M-HSM). The Customer UUID is used to diversify device Factory Key values to build a Diversified Factory Key Database (DFK DB) for the customer. Diversification is a non-reversible cryptographic operation that takes the device-unique Factory Key and Customer UUID as inputs. The resulting key is called the Diversified Factory Key or DFK. The DFK value is irreversible, unique per-device and per- customer, and is stored in the DFK database in encrypted form. Encryption is done using U-HSM and M-HSM Public Keys, thus allowing only HSM modules to directly access plain text DFK values.

Blank devices do not have knowledge of the Customer UUID, so it is passed to the device through the authorization code. The UUID is authenticated but not encrypted. The device then uses the value of the Factory Key and received UUID to derive the DFK value.

The process of obtaining a DFK DB by the OE, using it for test runs, and preparing for the M-HSM in production is described in the setup section of the User HSM Installation and Setup User Guide .

Factory ECC Public Key Modes

Larger SmartFusion 2, IGLOO 2 (M2S060, M2GL060, M2S090, M2GL90, M2S150, and M2GL150), and PolarFire and PolarFire SoC devices have Elliptic Curve Cryptography (ECC) hardware IP along with the SRAM-PUF, which allows these devices to have a unique-per-device factory enrolled ECC public private key pair. This allows customers to use the factory ECC public key instead of the Diversified Factory Key (DFK) for initial key loading

To use these key modes, the customer uses the Elliptic Curve Diffie-Hellman (ECDH) protocol to securely establish a shared secret key, which is used to encrypt the authorization code. The ECDH operation occurs within the security boundaries of the HSM and the FPGA, and the shared secret key is not known to the outside world. Before the HSM uses the Factory ECC Public Key from the device, it validates the public key by verifying the signature on the device certificate using Microchip keys. This ensures that the public key is valid and that it belongs to a Microchip device.

There are two available key modes:

  • KFP, in which the device uses the certified key pair and the HSM uses a randomly generated ephemeral key pair. They follow the ECDH protocol to derive the shared secret key.
  • KFPE, in which the device uses the certified key pair along with a second randomly generated ephemeral key pair, and the HSM uses two randomly generated ephemeral key pairs. In this case, the ECDH protocol is run twice, which results in two shared secret keys that are used in another round of key derivation to generate a single shared secret key. This key mode is preferred over KFP key mode, as it uses randomly generated key pairs and therefore is more secure. However, this key mode takes longer, because there are two ECDH operations and key generations.

For more information, see UG0443: SmartFusion2 and IGLOO2 FPGA Security and Best Practices User Guide and PolarFire Family Security User Guide .

Initial Key Loading of Project Keys

Bitstream Initialization

By selecting ​Initiater bit stream in the HSM-based flow, the user instructs the bit stream generation software to use the Authorization Code protocol with either DFK or Factory ECC key mode. The generated bit stream has a special programing algorithm for requesting the Authorization Code component from the M-HSM. The Authorization Code bit stream is generated dynamically by the M-HSM during production. The Authorization Code component is cryptographically linked to the programming bit stream, so it cannot be used with any other bitstreams, if intercepted during programming. Additional protocol-specific information is created for use by the M-HSM during generation of Authorization Code component.

HSM Job Export

Exported programming job includes the following protocol-specific information:

  • Instruction to use Authorization Key Protocol along with the key mode (DFK, KFP, or KFPE)
  • Header for the Authorization Code component generation and its binding with the associated bit stream
  • KIP value encrypted with the Ticket Key (see Adding HSM Data to the Job through HSM Tasks)

Job Execution

In the beginning of device programming, a programming algorithm reads the Device Serial Number (DSN) and makes a request to FlashPro Express software to provide the Authorization Code.

FlashPro Express, based on the context of the current programming action (device, programming action), retrieves ticket information, encrypted KIP value, and other controlling data and passes them to the M-HSM as a part of the request for the Authorization Code.

If the key mode for Authorization code is DFK, the M-HSM finds the encrypted DFK value in its DFK DB and passes a request to the secure execution engine (SEE machine) inside its HSM module. The firmware running in the SEE machine in the HSM decrypts KIP, the bit stream binding information, Authorization Code Header, and assembles the Authorization Code component. As the last step, it decrypts DFK and uses it to encrypt the resulting Authorization Code bit stream component.

Programming software shifts the Authorization Code component into the device and then shifts in the main programming bit stream components. In the case of programming a new device with a ​initiater bit stream, the device uses its pre-placed factory key (FK) and the UUID from the Authorization Code header to compute DFK. It uses DFK to authenticate and unwrap (decrypt) KIP from the encrypted payload of the Authorization Code. Finally, it uses KIP to authenticate and decrypt the main ​initiater bit stream components (for example, the security component and the optional FPGA fabric and eNVM components).

If the key mode for authorization code is KFP or KFPE, the M-HSM generates an ephemeral ECC key pair and exchanges the public key with the device. It then uses the ECDH protocol to securely derive the shared secret key inside the secure execution engine (SEE machine). The firmware running in the SEE machine in the HSM decrypts the KIP, the bit stream binding information, and Authorization Code Header, and assembles the Authorization Code component. As the last step, it uses the shared secret key to encrypt the resulting Authorization Code bit stream component. Programming software shifts the Authorization Code component into the device and then shifts in the main programming bit stream components. In the case of programming a new device with a ​initiater bit stream, the device uses the shared secret key that it generated when running the ECDH operation to authenticate and unwrap (decrypt) KIP from the encrypted payload of the Authorization Code. Finally, it uses KIP to authenticate and decrypt the main ​initiater bit stream components (for example, the security component and the optional FPGA fabric and eNVM components).

In the case of updating a device using a unique-per-device user key, the device retrieves the selected user key from its NVM security segment and uses it to authenticate the Authorization Code and unwrap KIP from its payload. KIP is used to authenticate and decrypt the main update bit stream components containing one or both of the FPGA fabric and eNVM components.

Initial Key Loading of Per-device Keys

This flow is the same as Initial Key Loading with Project keys, but with additional steps as follows:

The Job Manager-generated ​Initiater bit stream does not include a complete security component. This is because, the per-device key values can only be derived during programming, once DSN is known. Therefore, the security component is passed to the M-HSM as a pre-filled template through data structures protected by the Job Ticket. In addition to the standard Authorization Code protocol data, HSM module attached to the M-HSM receives the security component template along with the base key(s) (originally from the KeySet file) and derives actual per-device key(s) upon programming (see protocol details in Per-Device Protocol). Derived keys are inserted into the template of the security component. Then the HSM module firmware links all the bit stream components cryptographically and proceeds to the same steps of project keys listed in Initial Key Loading of Project Keys).

Update Flow with Per-device Encryption Keys

This flow is also similar to SPPS Main flow that does the initial key loading of project keys. The difference is that the Authorization Code is encrypted with the same per-device UEK1, UEK2, or UEK3 derived by the M-HSM upon initial programming.

In this case, ticket information passed to the M-HSM includes the base key value for the per-device key to be derived. This value is originally taken from the KeySet file on the U-HSM side. Firmware in the HSM module attached to the M-HSM will use the received DSN and the base key in the Per-device protocol (see Per-Device Protocol) to derive the actual per-device key value. That value then encrypts the Authorization Code component that is sent to the device in a way similar to Initial Key Loading of Project Keys. The Authorization Code is followed by the bit stream components (FPGA or eNVM) that are being updated.
Note: This flow does not require DFK DB on the M-HSM side.

15.2.7.1.2 Overbuild Protection

The Authorization Code protocol allows the user to limit any programming action to a specific maximum number of devices.

This is possible due to following:

  • The target devices do not have KIP and KIP needs to be sent to every target device.
  • KIP is not stored in the device even after being used during programming cycle.
  • KIP is delivered encrypted using a per-device encryption key (DFK, KFP, KFPE, or per-device UEK1/2/3). Therefore, the same authorization code cannot be used on other devices.

The HSM hardware module owns overbuild protection counters as a part of the Ticket information and will stop generating new Authorization Codes when the maximum allowed number of Authorization Codes has been generated.

15.2.7.2 Per-Device Protocol

The Per-device protocol is used to calculate per-device values of UPK1/UPK2/UEK1/UEK2/UEK3/DPK keys. Per-device keys are built on top of standard SmartFusion 2, IGLOO 2, PolarFire, and PolarFire SoC key types. They are programmed into the device as standard UPK1/UPK2/UEK1/UEK2/UEK3/DPK keys. If any encryption keys are designated as per-device unique keys, the passcode that protects that key from overwriting is a per-device unique passcode.

The Per-device protocol derives device-specific keys from the base key and DSN. This enables programming user models in which programming operations can be authorized per certain devices based on their DSN.

Derivation of per-device key values is done using a one-way cryptographic operation that takes the base key and DSN as inputs by firmware running inside the HSM module. The U-HSM generated KeySet file contains base key values for UPK1/UPK2/UEK1/UEK2/UEK3/DPK key types, as needed. Those values are passed to the M-HSM through Tickets under protection of the Ticket key.

The per-device protocol is used by SPPS in following cases:

  • Initial key loading through ​Initiater bit stream—to program per-device keys
  • Update bit stream, if device has per-device encryption keys programmed— to generate the required Authorization Codes
  • By the OTPK protocol—to unlock the device if per-device pass keys are used (see One Time Pass Key (OTPK) Protocol)
Note: UEK3 is only available for M2S060, M2GL060, M2S090, M2GL090, M2S150, and M2GL150 devices.

15.2.7.3 One Time Pass Key (OTPK) Protocol

This protocol is supported by SmartFusion 2, IGLOO 2, PolarFire, and PolarFire SoC devices and is used to unlock overwrite-protection or no-verify security policy settings (if used) in:

  • Erase/Verify actions in ​Initiater bit stream flow
  • Program/Erase/Verify actions in Update bit stream, if Fabric and/or eNVM/sNVM have security locks.

    This protocol is designed for temporary security unlock during programming actions. Use of the HSM allows hiding of the plain text values of the pass keys.

    SPPS automatically uses the OTPK protocol with no user interaction required.

15.2.7.4 Device Certificate of Conformance (CoC)

Upon being programming, a device can generate cryptographically signed digests for each freshly programmed bit stream component. Component digests with HSM-generated validators (message authentication codes) are together called the Certificate of Conformance (CoC). The CoC can be used as proof of device programming with a specific design.

The validators in the CoC can be verified by the Job Manager using the U-HSM.

The device generates and returns CoC, if the customer requests it upon initializing the programming bit stream (see Initialization of ​Initiater Programming Bitstream and Initialization of UEK1/UEK2/UEK3 Update Bitstream).

15.2.7.5 Job End Certifier Protocol

Upon job completion (see Job Completion), Job Tickets are removed from the HSM module. For every removed ticket, the HSM module returns proof of ticket deletion. This information can be validated by the Job Manager using the U-HSM. This information is cryptographically protected and cannot be modified without detection.

Job end certifier is a guarantee that the programming job cannot continue and is a part of the overall overbuild protection mechanism.

15.2.7.6 Device Authenticity Check Protocol

SmartFusion 2, IGLOO 2, PolarFire and PolarFire SoC devices have built-in device certificates that allow Microchip programing software to verify device origin. This check is enforced by FlashPro Express upon each programing operation, as a part of a check (certificate) chain operation (see FlashPro Express User Guide for details).

For any device failing Authenticity Check, a warning is issued.