13 Typical Use Case Scenarios
Describes common deployment scenarios from minimal secure boot to full multi-key provisioning.
Scenario A: Minimal Secure Boot (Signing Key Only)
Use this when the user only needs secure boot with no additional keys.
Step 1 Generate signing key (slot 2) Step 1a PUF enrollment Step 1c Wrap signing key with PUF Step 2 Load application hex Step 3 Generate metadata (check "Key codes" only) Step 4 Combine images Step 5 Program device
Result on device: 2 VSS slots (signing key + its key code).
Scenario B: Secure Boot + TLS Device Identity
Use this when the device needs a unique identity key pair for TLS.
Step 1 Generate signing key (slot 2) Step 1a PUF enrollment Step 1b Generate PUF key for TLS identity (slot 5) -- select "Yes - Generate with PUF" Step 1c Wrap all keys with PUF Step 2 Load application hex Step 3 Generate metadata (check "Key codes" only for production) Step 4 Combine images Step 5 Program device
Result on device: 4 VSS slots (signing key, TLS key, 2 key codes).
Scenario C: Secure Boot + Multiple Keys (Development)
Use this for development with full visibility into all key material.
Step 1 Generate signing key (slot 2) Step 1a PUF enrollment Step 1b Add ECC P-256 key via TPDS (slot 3) -- select "No", then "Asymmetric" Step 1b Add PUF key (slot 5) -- select "Yes - Generate with PUF" Step 1b Add AES-256 key (slot 10) -- select "No", then "Symmetric" Step 1c Wrap all keys with PUF Step 2 Load application hex Step 3 Generate metadata (check all 3 boxes for development) Step 4 Combine images Step 5 Program device
Result on device: 8 VSS slots (4 keys + 4 key codes).
Scenario D: Development Without PUF (No Wrapping)
Use this for quick iteration when PUF wrapping is not needed.
Step 1 Generate signing key (slot 2) Step 1a PUF enrollment Step 1b (optional) Add more keys Skip Step 1c entirely Step 2 Load application hex Step 3 Generate metadata (uncheck "Key codes") Step 4 Combine images Step 5 Program device
Result on device: Only plain keys, no key codes.