NXP Enables Secure Manufacturing Using MCUXpresso SEC Tools and Smart Card

An essential component of OEMs developing edge-connected technology is based on their software intellectual property (IP) and reputation as a provider of secure products. Manufacturing these products in a cost-effective way often conflicts directly with the needs to protect that IP and secure device credentials for use in the cloud. NXP believes that security should never be compromised and has offered a solution with the new Smart Card Trust Provisioning capability.

Security is at the core of NXP. Not only do we want each element of our devices or software to be safe and secure, but it is just as critical that we enable the manufacturing of each customer's product to be secure. Manufacturing processes should be worry-free and hassle-free with the backing of highly secure technology, even if the manufacturing site itself cannot provide strong assurances of security. With our new Smart Card Trust Provisioning Solution, NXP is introducing a variety of features that enable OEMs to protect their IP and revenue. Utilizing our Smart Card and MCUXpresso Secure Provisioning tool (SEC), this solution provides a way for our customers to manage the root of trust of their manufacturing process. Moreover, it brings assurance to our customers that their secrets (keys and certificates)—used to identify an OEM’s products and its software IP—are safeguarded. This is a cost effective, secure and reliable solution for customers of any size and utilizes NXP’s highly secure SmartMX microcontrollers (MCUs) to implement the Smart Card itself—technology that has powered high-security applications over several years.

Many of our customers spend months or years developing their software for their end products, including credentials and IP, which are among their most valuable assets. The Smart Card Trust Provisioning Solution enables secure credentials and IP deployment from our customer’s premise to an entrusted factory. Our MCUs have secure boot capability built into ROM to ensure only a signed image will run. The MCUs also include secure flash storage and device unique key generation capability built on physical unclonable function (PUF) technology. Customer credentials and IP, which are signed and encrypted at their trusted development site using the MCUXpresso SEC tool, can only be verified and decrypted by NXP genuine devices.

Credentials, such as secret keys for use in the customer application, are securely stored in a Smart Card before it is sealed, preventing any further changes. This way, the Smart Card acts as an essential element for security, just like a hardware secure module (HSM). These credentials can then be securely transferred to the target devices inside the customer end product without exposure at the contract manufacturer (CM) factory. With the SEC tool, only a genuine device with the corresponding built-in NXP certificate can be provisioned with the customer’s secret keys and programmed with the customer’s signed software. Even the last step, from the host running the SEC tool to customer target system, is protected by a secured link between that computer and the NXP MCU during provisioning and programming.

Over-production at CM factories can also be a concern for many OEMs. The Smart Card Trust Provisioning Solution provides an essential production management feature – production limit control – to address this concern. Customers can personalize the Smart Card, when they get the SEC tool, with a production quantity limit while creating the production package for its CM to use to manufacture its products. Once at the factory, the SEC tool performing provisioning of the devices communicates with the Smart Card to securely count the quantity manufactured, preventing any attempt to go past the preset limit. The SEC tool generates a factory audit log at the end of the production process for the CM to return to the customer site for review.

In each secure, edge-connected application, every device needs a unique identity for cloud on-boarding. At NXP, we build in enablement of the provisioning process from the design of our microcontrollers, and during manufacturing we inject NXP crypto keys and digital certificates into these devices at our factory for later use in the customer’s manufacturing process. Our customers can generate their own device-unique certificate and replace (or revoke) the default NXP device certificate with the SEC tool, using the Smart Card to generate and protect their own certificate. This enables them to take ownership of the device during factory provisioning and use the audit log generated by the SEC tool to harvest the resulting device certificates. These device certificates may then be used for uploading to cloud service providers for use in device on-boarding.

The Smart Card Provisioning Solution replaces traditional, more expensive HSM and third-party device programming services. We are enabling our customers to take full advantage of the advanced security features of NXP MCUs to protect their vital assets. With the purchase of a cost-effective Smart Card and use of the free MCUXpresso SEC tool, our customers can prepare secure images to protect their IP, manage keys and perform device provisioning. With no minimum order quantity and full control over production quantities, the Smart Card Provisioning Solution makes secure manufacturing an affordable reality to all.