UG519: Custom Part Manufacturing Service User's Guide

Introduction

This application note explains the process for ordering custom parts through the Custom Part Manufacturing Service (CPMS). It provides instructions for customizing device identity security certificates and wrapping custom keys.

What is CPMS?

Custom Part Manufacturing Service (CPMS) enables customization of Silicon Labs hardware, including wireless SoCs, modules, and MCUs, directly at the factory. The CPMS self-service web portal guides users through the customization process, offering various features and settings. Orders for customized test and production units can be placed securely via the CPMS portal.

CPMS is a secure provisioning service that allows customization with advanced features such as secure boot, secure debug, encrypted OTA, public/private/secret keys, and secure identity certificates. These custom features, identities, and certificates are injected securely, quickly, and cost-efficiently at Silicon Labs factories.

Why CPMS?

Securing an IoT device is complex and costly, involving key generation, code signing, secure key storage in Hardware Security Modules (HSMs), and programming certificates. CPMS streamlines the programming aspect of this process, enabling even advanced security features, certificates, and identities to be programmed securely, rapidly, and cost-effectively.

Key Points Covered:

Starting a new custom part.
Customizing four fields in the device certificate: Common Name, Organization, Country, and Organizational Unit.
Importing custom wrapped keys.

Custom Certificates

CPMS supports customization of device identity certificate chains using the X.509 format, conforming to RFC-3280. The following fields can be customized:

Common Name: A user-defined, 30-character name, typically ending with the device's 64-bit EUI.
Organization: A user-defined, 64-character company name.
Country: A legitimate country code letter pair (e.g., US).
Organizational Unit: A user-defined field of up to 64 characters.

For other certificate customizations, specify them in the "Special Instructions" section within the CPMS portal.

Custom Identity: Customers can extend the default Silicon Labs certificate identity chain. This advanced feature may incur additional charges; contact Silicon Labs sales for details.

Key Wrapping

Secure Vault High devices feature Key Wrapping, where keys are encrypted using a Physically Unclonable Function (PUF) key. PUF keys are secret, unique to each device, stored securely, and not vulnerable to flash extraction attacks.

CPMS allows users to provide their own keys, which are then wrapped by the secure element and stored on the device. This eliminates the need for the firmware image to contain the key during production.

To use this feature, the following four fields must be provided to CPMS:

Key Auth: An 8-byte password for key usage (can be disabled by setting to 0x0000000000000000).
Key Value: The key to be wrapped (max 200 bytes).
Key Metadata: 4 bytes of metadata (e.g., key type, allowed uses, length).
Key Address: The address in user flash where the key should be programmed.

CPMS Use Case Examples: Configuring a Device for an Untrusted Manufacturing Environment

This section details how to order a custom part that is secure from manufacturing onwards, featuring secure boot, secure debug lock, and encrypted upgrades. This prevents unauthorized access to the debug port or the upload of unsigned/unencrypted applications.

The example uses an EFR32MG21B (Secure Vault High part). Note that Secure Vault Base or Mid parts may have different customization options.

3.1.1 CPMS Access

To start a new custom part and configure debug lock and Secure Boot:

Open CPMS in a browser: https://cpms.silabs.com/login.
Log in using your www.silabs.com account credentials.

3.1.2 Generating the Application

Steps to generate and configure an application using Simplicity Studio:

Open Simplicity Studio.
Navigate to "EXAMPLE PROJECTS & DEMOS" in the Launcher view.
Search for and select the "Platform - Blink Bare-metal" project.
Click "Finish" to open the project in the IDE.
Open the project's configuration file (e.g., blink_baremetal.slcp).
In the "SOFTWARE COMPONENTS" tab, search for "bootloader".
Install the "Platform > Bootloader > Bootloader Application Interface" component.

An application_properties.c file is required to enable secure boot. The .cert pointer should be set to NULL, and signatureType and signatureLocation fields are handled by Simplicity Commander during signing.

After configuration, build the project to generate binaries.

3.1.3 Generating the Bootloader

Steps to generate and configure a bootloader:

In Simplicity Studio, search for "bootloader" in the Launcher.
Create the "Internal Storage Bootloader (single image on 1MB device)" example.
Open the bootloader-storage-internal-single.isc file.
In the "Plugins" tab, select "Bootloader Core, provides API: core".
Enable "Require encrypted firmware upgrade files" and "Enable Secure Boot".
Click "Generate" and then "Build" the project.

3.1.4 Generating Keys

Keys for secure boot and debug are typically managed by an HSM. This example uses the Commander utility:

Sign Key Pair (for secure boot): Use commander util genkey --type ecc-p256 --privkey cpms-sign-priv.pem --pubkey cpms-sign-pub.pem.
Command Key Pair (for secure debug): Use commander util genkey --type ecc-p256 --privkey cpms-cmd-priv.pem --pubkey cpms-cmd-pub.pem.
OTA Decryption/Encryption Key: Use commander util genkey --type aes-ccm --outfile cpms-gbl.txt.

3.1.5 Signing and Merging Images

Prepare application and bootloader images for CPMS by signing and merging them:

Navigate to your Simplicity Studio workspace in a terminal.
Sign Bootloader: Execute commander convert "[bootloader_path].hex" --secureboot --keyfile cpms-sign-priv.pem --outfile cpms-btl-signed.hex.
Sign Application: Execute commander convert "[app_path].hex" --secureboot --keyfile cpms-sign-priv.pem --outfile cpms-app-signed.hex.
Merge Hex Files: Execute commander convert cpms-app-signed.hex cpms-btl-signed.hex -o cpms-merged.hex. This creates a single merged file.

3.1.6 Programming Keys and Flash Memory

Upload the public sign key and the merged hex file into CPMS:

In CPMS, go to the "Standard Security Keys" section.
Upload the cpms-sign-pub.pem file to the "Secure Boot Key" field.
Upload the cpms-cmd-pub.pem file to the "Command Key" field.
Copy the hex value from cpms-gbl.txt into the "OTA Decryption Key" field.
Scroll to the "Flash Programming" section.
Select "Firmware Type: App and Bootloader".
Upload the cpms-merged.hex file.
Proceed to review and finalize the custom part order.

3.2 Importing Custom Wrapped Keys

To import custom wrapped keys into CPMS, four fields are required: value, address, auth, and metadata. The following examples demonstrate obtaining metadata values for asymmetric and symmetric keys.

Example #1: Importing Custom Wrapped Asymmetric Keys

This involves using Simplicity Studio examples to generate and wrap keys, then importing them. Key steps include:

Creating a "SE Manager" project (e.g., "Platform - SE Manager Digital Signature").
Modifying the project code to import a specific ECC key instead of generating one.
Writing the wrapped key blob into flash memory.
Using the console to retrieve the "Keyspec" (key metadata) value.
Updating key descriptor flags in the code.
Building, flashing, and testing the device with the wrapped key.

Example #2: Importing Custom Wrapped Symmetric Keys

Similar to asymmetric keys, this involves using Simplicity Studio examples for symmetric keys (e.g., "Platform - SE Manager Block Cipher"). Key steps include:

Creating a "SE Manager Block Cipher" project.
Modifying code to import a specific AES key.
Writing the wrapped key blob into flash.
Retrieving the "Keyspec" (key metadata) from the console.
Updating key descriptor flags.
Building, flashing, and testing the device.

In both examples, the process involves using the console to interact with the device, specifying key types (plaintext, wrapped, volatile), and retrieving the keyspec for CPMS. The final step in the examples is to verify that the program can use the wrapped key stored in flash without needing the plaintext key.

	AN1271: Secure Key Storage - Silicon Labs This application note details the Secure Key Storage feature in Silicon Labs' Secure Vault High (SVH) devices, explaining how to securely wrap and store cryptographic keys in non-volatile memory. It covers key generation, import, usage, and advantages over other storage methods, including TrustZone integration.
	Silicon Labs IoT Security Features Guide Comprehensive guide to Silicon Labs' IoT security features, covering fundamentals, Series 2 device security, secure debug, TrustZone, and anti-tamper protection. Learn how to build secure IoT devices with Silicon Labs technology.
	Silicon Labs Gecko Bootloader User's Guide: Implementation, Configuration, and Operation Explore the Silicon Labs Gecko Bootloader for EFM32 and EFR32 microcontrollers. This guide details implementation, configuration options, security features, and operational procedures for firmware upgrades.
	Silicon Labs Gecko Bootloader User Guide: Firmware Updates and Security Comprehensive guide to Silicon Labs' Gecko Bootloader, covering firmware updates, secure boot, configuration, and development for embedded systems using GSDK and Simplicity Studio.
	EFR32xG25 Wireless Gecko Reference Manual This reference manual provides comprehensive details on the EFR32xG25 Wireless Gecko System-on-Chip (SoC) from Silicon Labs. It covers features, architecture, and specifications for sub-GHz Wi-SUN applications, including smart metering, street lighting, and distribution automation. The document details the high-performance sub-GHz radio, security features, and integrated power amplifier.
	Gecko Bootloader User Guide - Silicon Labs Comprehensive guide to the Gecko Bootloader from Silicon Labs, covering fundamentals, development, security features, and application integration for Series 3 and higher devices.
	Silicon Labs MG26 and PG26 Wireless SoCs and MCUs: Features and Specifications Explore the Silicon Labs MG26 and PG26 families, high-performance wireless SoCs and general-purpose MCUs featuring large memory, advanced AI/ML acceleration, robust security, and multiprotocol support for IoT applications.
	EFR32MG24 Wireless SoC Family: High-Performance IoT Connectivity Discover the Silicon Labs EFR32MG24 Wireless SoC family, engineered for advanced mesh IoT connectivity. Featuring a high-performance ARM Cortex-M33 core, integrated AI/ML acceleration, and robust Secure Vault technology, these SoCs deliver exceptional power efficiency and security for applications like smart home, lighting, and building automation, supporting Matter, OpenThread, and Zigbee protocols.