Revision as of 19:42, 29 March 2023 by Registered User (→ST Lifecycle / Product states = iROT-Provisioned)
|
Coming soon |
1. What is product lifecycle
PRODUCT Lifecycle is used to control the product security configuration. It allows to control the activation of the platform’s security mechanisms.
1.1. New product lifecycle
- We are introducing a new PRODUCT Lifecycle, in order to allow more flexibilities on product manufacturing and maintenance.
- The new PRODUCT Lifecycle considers different phases using the product.
- The considered phases are:
- - development phase, offering all debug allowed to developer.
- - provisioning phase, where main assets area become protected (no more accessible) …
- - final phase, where the product is considered in the field.
- - maintenance phase: field return management.
- During all product life, the solution must guarantee that ROT and user assets are never disclosed.
- This must be true for development, provisioning, final phase, and field return phases.
- The new product Lifecycle propose the below product states :
]
- Remark1: When Trust zone is not proposed, the TZ-Closed does not exist.
- Remark2: This Simplified version does not show the Debug Authentication part (Regressions and Debug reopening). The complete version can be seen in Debug Authentication dedicated section.
- Warning: The Debug Authentication configuration (DA-config) must be provisioned in Provisioning state.
1.2. Up to 3 third parties
- In the development and provisioning phases, the product Lifecycle allows to consider the product being developed by up to 3 third parties.
- Different third parties means that for development and provisioning, we are able to set the product in a state that's allow to protect (isolate) the different parties. This means also 3 different responsibilities, and potentially 3 different Keys (Firmware & data key pairs for install and update).
1.2.1. ST Lifecycle consider 3 Main parts to be installed in the product that could rely on 3 different parties
- The below figure represent the considered product states to cover this 3 parties model.
- In short
- - iROT-Provisioned is used as soon as iROT is provisioned (code and data) .
- - TZ-Closed is used as soon as iROT and Secure (Trust Zone) are provisioned.
- - Closed or Locked is used as soon as the full device is provisioned.
1.3. Device provisioning
- The device provisioning is done in one or several steps.
- This depends on the manufacturing constraints, and on the number of third parties to provision, ….
- • Initial Provisioning
- • Initial setup of the product, that will determine who is controlling its ROT
- • Could be only the [iROT] : in that case the product will be set in iROT-Provisioned
- • Could be [iROT+TrustZone] : in that case the product will be set in TZ-Closed
- • Could be [iROT+TrustZone+Non-Secure]
- • Updates
- • When several Third parties are considered
- • the Initial Provisioning is not complete,
- • then the installed FW oversees New FW & Keys to install
- • When several Third parties are considered
- • Initial Provisioning
1.3.1. ST Lifecycle Development and Provisioning considering up to 3 parties
- The below figure represent the considered distribution models to considering up to 3 parties.
- In short
- - 1 party: All Firmware owned by one entity.
- - 2 parties: All Secure part owned by one part, then Non-Secure application owned by a second part. Means 2 different responsibilities, and potentially key pairs (to manage install and updates).
- - 3 parties: iROT, Secure and Non-Secure appli owned by 3 different parties. Means 3 different responsibilities, and potentially key pairs (to manage install and updates).
1.3.2. ST Lifecycle Initial provisioning (from Open or Provisioning)
- The device can be provisioned in one or several steps. This depends on its usage, on the manufacturing constraints, and on the number of third parties to provision. Overall, we are considering the inital provisioning as starting from blank device.
- The below figure represent the initial provisioning considering the different distribution models.
- Initial setup of the product, that will determine who is controlling its ROT
- Could be only the [iROT]: in that case the product will be set in iROT-Provisioned
- Could be [iROT+TrustZone]: in that case the product will be set in TZ-Closed
- Could be [iROT+TrustZone+Non-Secure]
- We recommend to use SFI (Secure Firmware Install) solution for initial provisioning in untrusted manufacturing.
- We also recommend to protect all key provisioning even if the manufacturing is trusted.
1.3.3. ST Lifecycle To complete the initial provisioning
- When several Third parties are considered the initial provisioning can cover only part of the installation.
- The end of the provisioning can be done based on firmware(s) already installed (at initial provisioning)
- - Secure Firmware Update / Secure Key Provisioning
- - In one or 2 steps
- The end of the provisioning can be done based on firmware(s) already installed (at initial provisioning)
1.4. ST Lifecycle / Product states
1.4.1. ST Lifecycle / Product states = Open
1.4.2. ST Lifecycle / Product states = Provisioning
1.4.3. ST Lifecycle / Product states = iROT-Provisioned
1.4.4. ST Lifecycle / Product states = TZ-Closed
File:Security:ProductLifecyle-TZEN1-Simplified-TZ-Closed-details.png
1.4.5. ST Lifecycle / Product states = Closed/Locked
File:Security:ProductLifecyle-TZEN1-Simplified-ClosedLocked-details.png
