15.4.1 Manufacturing Flows

The HSM-based manufacturing process uses device-supported security protocols. For more information, refer to the Secure Production Programming Solution (SPPS) User Guide .

The U-HSM allows the user to generate and use various encryption and pass keys. Cryptographical operations requiring those keys are executed inside the security boundaries of the HSM Module:

Operation support for the HSM-based Manufacturing Flow is as follows:

• Key import, generation, and use under protection of the U-HSM and the M-HSM
• Initial secure key injection into the device using the Authorization Code protocol
• Secure data transmission between the U-HSM and the M-HSM
• Overbuild protection
• Device authentication
• U-HSM verification of cryptographically sealed certificate of conformance (CoC) from the design programmed into the device
• U-HSM verification programming job end certificates
• ​Initiator and Upgrade programming job types
• eNVM and sNVM client update
• eNVM client selection
• Security overwrite
• Secure debug with SmartDebug tool

Non-HSM Manufacturing Flow support by the Job Manager allows bitstream file and programming job generation outside of the Libero tool. The Job Manager supports the following operations for non-HSM Manufacturing Flow:

• Initial key loading via KLK-protected bitstreams
• Generate UEK1/UEK2/UEK3 encrypted update bitstreams
• eNVM and sNVM client Update
• eNVM client selection
• Key value overwrite
• Security overwrite