External Provisioning/Programming Solutions for SAM L11 Microcontrollers Powered by Secure Thingz

We are surrounded by a myriad of Internet of Things (IoT) devices that are connected through a variety of infrastructures. This makes them more vulnerable to attacks than ever before. As the threat level continues to increase, embedded developers need to prioritize the implementation of security in their IoT applications. One approach used to secure applications is to develop/design secrets or keys that create a unique secure identity for each device. These keys are programmed/provisioned into a secure location on a microcontroller (MCU) by a secure programming provider.

To simplify the implementation of security in your product, Microchip has partnered with Secure Thingz to enable the SAM L11 family of MCUs to be provisioned at a secure external programming center. The external programming center will provide you with a provisioning kit that includes a very simple graphical software tool to enable you to securely encrypt your cryptographic keys and firmware to secure the application. After you complete the provisioning kit, the programming center will then securely provision the SAM L11 MCUs to create a secure identity that can be used as a foundation for securing your application. This identity can be used for applications such as IP protection, cloud attestation, supply chain management, secure updates and more.

Who is Secure Thingz?

Secure Thingz, Inc. is the global domain expert in device security, embedded systems, and lifecycle management. Since 2018, the company is part of IAR Systems, the future-proof supplier of Embedded Workbench® software tools for embedded development. Secure Thingz is focused on delivering advanced security solutions into the emerging industrial Internet of Things (IIoT), critical infrastructure, automotive and other markets. Their Secure Deploy™ architecture has been developed to solve the major security issues challenging the IoT.

Secure Thingz has partnered with distributors (Avnet, Arrow, and Future) who offer secure programming facilities at many locations worldwide. When you use the security tools designed by Secure Thingz, you can have the confidence that your secret information, such as keys and configuration data, can be securely injected into SAM L11 MCUs without being seen by any of the participants in your supply chain.

What is Secure Deploy?

The SAM L11 family is fully integrated with Secure Thingz’ Secure Deploy architecture that is used to provision SAM L11 MCUs at secure external programming centers. The Secure Deploy architecture has been designed to enhance and simplify security implementations and enable the protection of critical Intellectual Property (IP) throughout your product’s creation, manufacture, and management. It features:

• Simple management of critical IP within the development process
• Secure key management targeted for development, manufacturing, and applications
• Elimination of over-production and counterfeiting through constrained device programming

What Does the Combination of a SAM L11 MCU and Secure Deploy Offer?

The key component in an embedded IoT device is a power-efficient MCU. The SAM L11 MCU offers advanced security features as well as ultra-low-power capabilities for battery-powered and other connected designs. The Secure Deploy (SD) manufacturing system enables you to generate and manage your secure content (key pairs, signature keys, and certificates) and securely deploy this content to a programming facility to be programmed into your SAM L11 devices. Using a secure programming center eliminates the need for you to have your own infrastructure and provides you with important provisioning services for small to extremely large volumes of up to hundreds of thousands of units.

How Can You Get Started with External Secure Provisioning of the SAM L11 MCU?

As this diagram illustrates, you will follow these two basic steps:

1. Design/development of keys and certificates: Personalize your keys and certificates using the Secure Wrapping Tool that comes with the provisioning kit provided by your selected programming partner. The basic framework is securely encrypted, signed and then sent to the programming facility.
2. Secure programming: The secure programming facility will receive your key framework and will securely provision the blank SAM L11 MCUs with your keys and use the input from the Secure Wrapping Tool (part of the provisioning kit) to securely provision keys/certificates into the SAM L11. Even if you use an unsecured link to send the file to the programming facility, this file can only be decrypted by the Hardware Security Module (HSM) at the programmer partner’s facility. After the keys and application are programmed into the SAM L11 MCUs, the debug access levels are set to ensure that the keys cannot be hacked by most typical digital/network attacks.

Other Tools Offered by Secure Thingz and IAR Systems

Embedded Trust/C-Trust Security Development Environment

Embedded Trust is a security development environment providing streamlined security development in IAR Embedded Workbench®. It includes these features:

• Integrated identity and certificate management
• Scalable Secure Boot Manager
• Secure deployment with integrated manufacturing mastering and encrypted support
• Release management with versioning and update infrastructure