3.2.3 ECC608-TMNGTLS Slot Configuration Summary
The ECC608-TMNGTLS has 16 slots that are configured for specific purposes as part of the Trust Manager solution. The slots are divided into several types and are specified in the Slot Type column in the table below. The following slot types are defined:
- K = keySTREAM SaaS slots for use by Kudelski only
- P = Application slots provisioned through keySTREAM SaaS. This information is used by the customer application but is under the control of the keySTREAM SaaS.
- C = Customer Provisioned Slot. This information is known only to the customer and is updated in the customer’s production line.
- R = Reserved. Not in use at the time this data sheet was created but may be used for future applications.
| Slot | Slot Type | Key Name | Description |
|---|---|---|---|
| 0 | P | Device Identity Key | Primary Private key used to sign device compressed certificate stored in Slot 10. |
| 1 | K | Attestation Key | Private Key used by Kudelski to attest to the device authenticity. Only Kudelski knows the corresponding Public Key. |
| 2 | K | Seal Identity ID | Unique profile User ID (UID) stored in this slot. |
| 3 | K | Asymmetric Key | Managed and reserved by Kudelski. |
| 4 | K | Symmetric Key | Managed and reserved by Kudelski. |
| 5 | P | Symmetric Key for in-field provisioning | Slot to hold customer symmetric key. This slot can ONLY be updated by keySTREAM™ SaaS. The slot is set as encrypted write and WriteKey is in Slot 6. |
| 6 | R | Encrypt Write Key | Encrypted WriteKey for Slot 5 and Slot 14, provisioned at MCHP facility. The Parent Key is only known to Kudelski. The stored key is diversified. |
| 7 | C | IO Protection Key | Slot to hold customer I/O protection key. This slot is updated by the customer in their production line. |
| 8 | K | keySTREAM SaaS Onboarding Data | Kudelski-specific data used for multiple keySTREAM SaaS operations. |
| 9 | R | Symmetric Key | Managed and reserved by Kudleski. |
| 10 | P | Device Compressed Certificate | Compressed Device Certificate. |
| 11 | P | Signer Public Key | Public Key associated with the Kudelski signer. |
| 12 | P | Signer compressed Certificate | Kudelski Compressed Signer Certificate. |
| 13 | P | Secure Boot Digest | Slot to hold the Secureboot Digest (Stored digest mode). Can only be updated internally using Secure boot commands. |
| 14 | P | Public Key for in-field provisioning. | Slot to hold the customer-specific Public Key. This slot can only be updated by keySTREAM SaaS. The slot is set as encrypted write and WriteKey is in slot 6. |
| 15 | P | Secure Boot public key or C-Data | Slot to hold Customer SecureBoot public key. The slot is expected to be provisioned at the customer's production line. |