Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf

FIDOAlliance 315 views 17 slides May 20, 2024

FIDO Taipei Workshop: Securing the Edge with FDO

Slide 1
restricted

Simplified FDO manufacturing flow with TPMs
Liam Cheng, April 2024

Slide 2
Copyright © Infineon Technologies AG 2024. All rights reserved. restricted 04.2024

Infineon is a global leader in power systems and IoT

Market position:
● Automotive: #1 (TechInsights, March 2023)
● Power: #1 (Omdia, September 2023)
● Security: #1 (ABI Research, October 2023)

~58,600 employees (as of 30 September 2023)
Global leader in automotive, power management, energy efficient technologies and IoT

Slide 3

We build trust in a connected world

Portfolio: OPTIGA TPM, OPTIGA Trust, OPTIGA Authenticate, eSIM, V2X (security controllers, with software and host software)

Use cases: Seamless secured transactions, Verifying identities, Securing the IoT, Fighting Counterfeits

Slide 4

The Trusted Platform Module (TPM): "The safe for your platform"

› Reduced implementation costs
› Minimized integration risk
› Proven security
› Tamper-resistant hardware
› Key and authentication protection
› Used in computing for over 20 years
› Widely adopted by new use cases
› Security of hardware and software independently evaluated

Security chip standardized by the Trusted Computing Group (TCG). Widely used in board applications. Designed to resist logical and physical attacks. Certified by third parties (Common Criteria / FIPS).

Slide 5

Existing products with OPTIGA TPM 2.0: Laptop, Server, Network Interface Card, Switches, Firewall, 5G access point, Storage area network, Enterprise router, Google Mesh Router, Surveillance Camera, EV Charging Station, Printer, IoT gateway, Wireless Access point, Fleet management

Slide 6

TPM and FDO

‒ TPM, a hardware module that provides secure credential storage and trusted implementations of cryptography, combines well with FDO.
‒ TPMs can store credentials for FDO securely, and they provide the basic asymmetric cryptography for FDO's authentication.
‒ FDO, in turn, can work with TPMs to provision application keys and certificates into the TPM, allowing customers to have private key material with chains of trust matching their organizational requirements.
‒ TPMs can potentially also be used to store FDO factory credentials, allowing devices to adopt FDO without a change to the manufacturing line.

https://fidoalliance.org/wp-content/uploads/2022/12/IoT-Application-Provisioning-for-Security-Using-FDO-and-TPM-White-Paper.pdf

Slide 7
Specification for FDO credential storage in a TPM
https://fidoalliance.org/specs/FDO/securing-fdo-in-tpm-v1.0-rd-20231010/securing-fdo-in-tpm-v1.0-rd-20231010.pdf

Slide 8

How FDO works

1. Device Manufacturer runs the FDO manufacturing tool: (a) the FDO agent and FDO credentials are placed in the device; (b) the Ownership Voucher (OV) is created.
2. Device (with FDO client, credentials and the path to the RV server) in box, shipped to installation location.
3. Load Ownership Voucher (OV) to Cloud (the FDO owner).
4. Register OV with Rendezvous Server (RV).
5 and 6. Device given network connectivity and powers up; device contacts RV and is re-directed to Cloud.
7 and 8. (a) Mutual authentication takes place; (b) secure channel is established; (c) onboarding takes place using FSIMs.

Result: onboarding data reaches the Target Cloud; the device is cloud managed and application data / control flows between device and cloud.

Slide 9

Standard TPM programming model

1. OEM: orders FDO TPMs from Distributor.
2. Distributor: TPMs shipped to OEM.
3. End User: (1) orders FDO enabled devices; (2) provides their public key to OEM.
4. OEM: (1) creates OV with manufacturing tool; (2) programs TPM and sends OV to End User; (3) assembles device with TPM; (4) ships device to installer, e.g. SI, end user etc.
5. End User: registers OV with target platform/RV server.
6. Installer: (1) installs devices; (2) runs FDO; (3) device onboards to End User platform.

Slide 10

Pre-programmed TPM concept

• To simplify the OEM manufacturing flow, Infineon in conjunction with Avnet have created a pre-programmed TPM concept for FDO.
• In this approach, Avnet would pre-program the TPMs with FDO credentials and then ship the TPM to the OEM for installation.
• The Ownership Voucher (OV) can be stored in the TPM or can be sent as a database file to the OEM.

Diagram: TPMs pre-programmed by Avnet (each holding the FDO credential and the Ownership Voucher) are shipped to the ODM or OEM and placed on the ODM board or final device, which runs an OS with the FDO client; the OV is extracted, signed and shipped.

Slide 11

Avnet TPM personalization services

● The OPTIGA™ TPM is a turnkey security solution.
● Avnet offers an industry first custom programming service for security devices.
● This personalization service makes it easier for customers to integrate embedded custom security into their products independent of their security experience or volumes.

Slide 12

TPM flow using embedded OV approach

1. OEM: (1) orders FDO enabled TPMs from Distributor; (2) provides their public key to Distributor.
2. Distributor: (1) OV created and signed with OEM key; (2) TPM configured and shipped to OEM with embedded OV.
3. End User: (1) orders FDO enabled devices; (2) provides their public key to OEM.
4. OEM: (1) extracts OV from TPM; (2) signs OV with End User key and sends OV to End User; (3) assembles device; (4) ships device to installer, e.g. SI, end user etc.
5. End User: registers OV with target platform/RV server.
6. Installer: (1) installs devices; (2) runs FDO; (3) device onboards to End User platform.

Slide 13

TPM flow using OV database

1. OEM: (1) orders FDO enabled TPMs from Distributor; (2) provides their public key to Distributor.
2. Distributor: (1) OV created and signed with OEM key; (2) TPM configured and shipped to OEM; (3) OVs signed and sent as a database to OEM.
3. End User: (1) orders FDO enabled devices; (2) provides their public key to OEM.
4. OEM: (1) OV taken from database; (2) signs OVs with End User key and sends OVs to End User; (3) assembles device; (4) ships device to installer, e.g. SI, end user etc.
5. End User: registers OV with target platform/RV server.
6. Installer: (1) installs devices; (2) runs FDO; (3) device onboards to End User platform.
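The flows on slides 8, 12 and 13 all turn on the same object: the Ownership Voucher is signed by the Distributor to the OEM, signed over by the OEM to the End User off line, and checked by the End User before the OV is registered with the RV server. The following is an added example, not code from the slides or from Infineon, Avnet or the FDO project: a small Go model of that sign-over chain. Type names, function names, the hash-linked entry layout and the use of P-256 ECDSA over DER-encoded keys are this example's own assumptions; the real FDO voucher is a CBOR structure with COSE signatures and certificate chains as defined in the FDO specification. The example goes one step past the slides by showing what the verifier does with an entry appended by a party that never held the voucher.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// OwnershipVoucher (simplified): a header naming the device and its first owner, then entries
// each signed by the previous owner naming the next. Names and layout are this example's own.
type OwnershipVoucher struct {
	GUID         [16]byte // device identifier assigned at manufacture
	DevicePubKey []byte   // DER public key of the device key held in the TPM
	OwnerPubKey  []byte   // DER public key of the initial owner
	Entries      []OVEntry
}

type OVEntry struct {
	PrevHash  [32]byte // SHA-256 of the header (first entry) or of the previous entry
	NextOwner []byte   // DER public key of the owner being signed over to
	Signature []byte   // ECDSA signature by the previous owner over PrevHash || NextOwner
}

func derOf(k *ecdsa.PublicKey) []byte {
	der, _ := x509.MarshalPKIXPublicKey(k) // cannot fail for a valid P-256 key
	return der
}
func chainHash(parts ...[]byte) [32]byte       { return sha256.Sum256(bytes.Join(parts, nil)) }
func headerHash(ov *OwnershipVoucher) [32]byte { return chainHash(ov.GUID[:], ov.DevicePubKey, ov.OwnerPubKey) }
func entryHash(e OVEntry) [32]byte             { return chainHash(e.PrevHash[:], e.NextOwner, e.Signature) }

// signedDigest covers the link to the previous element plus the next owner's key, so an entry
// can be neither replayed onto another voucher nor re-pointed at another owner.
func signedDigest(prev [32]byte, next []byte) []byte {
	d := chainHash(prev[:], next)
	return d[:]
}

// NewVoucher is what the manufacturing tool produces once per device.
func NewVoucher(guid [16]byte, device, owner *ecdsa.PublicKey) *OwnershipVoucher {
	return &OwnershipVoucher{GUID: guid, DevicePubKey: derOf(device), OwnerPubKey: derOf(owner)}
}

// Extend appends a sign-over by signer to next (the OEM's off-line step). It does not check
// that signer is the current owner: that is the verifier's job, as RunFlow shows.
func Extend(ov *OwnershipVoucher, signer *ecdsa.PrivateKey, next *ecdsa.PublicKey) {
	prev := headerHash(ov)
	if n := len(ov.Entries); n > 0 {
		prev = entryHash(ov.Entries[n-1])
	}
	sig, err := ecdsa.SignASN1(rand.Reader, signer, signedDigest(prev, derOf(next)))
	if err != nil {
		panic(err) // only possible if the system random source fails
	}
	ov.Entries = append(ov.Entries, OVEntry{PrevHash: prev, NextOwner: derOf(next), Signature: sig})
}

// Verify walks the chain from the header and returns the final owner's DER key, which the
// End User compares with its own key before registering the OV with the RV server.
func Verify(ov *OwnershipVoucher) ([]byte, error) {
	owner, prev := ov.OwnerPubKey, headerHash(ov)
	for i, e := range ov.Entries {
		if e.PrevHash != prev {
			return nil, fmt.Errorf("entry %d: hash chain broken", i)
		}
		parsed, _ := x509.ParsePKIXPublicKey(owner)
		pk, ok := parsed.(*ecdsa.PublicKey)
		if !ok || !ecdsa.VerifyASN1(pk, signedDigest(e.PrevHash, e.NextOwner), e.Signature) {
			return nil, fmt.Errorf("entry %d: not signed by the previous owner", i)
		}
		owner, prev = e.NextOwner, entryHash(e)
	}
	return owner, nil
}

func newKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}

// RunFlow plays Distributor -> OEM -> End User with fresh keys, then shows that a sign-over
// appended by a party that never owned the voucher is rejected. It returns nil on success.
func RunFlow() error {
	device, distributor, oem, endUser, intruder := newKey(), newKey(), newKey(), newKey(), newKey()
	ov := NewVoucher([16]byte{0xA1, 0xB2, 0xC3}, &device.PublicKey, &distributor.PublicKey) // constructed GUID
	Extend(ov, distributor, &oem.PublicKey) // Distributor: OV created and signed with OEM key
	Extend(ov, oem, &endUser.PublicKey)     // OEM: OV signed over to End User off line
	if final, err := Verify(ov); err != nil || !bytes.Equal(final, derOf(&endUser.PublicKey)) {
		return fmt.Errorf("chain does not end at the End User: %v", err)
	}
	Extend(ov, intruder, &intruder.PublicKey) // rogue entry: hash-linked correctly, wrong signer
	if _, err := Verify(ov); err == nil {
		return fmt.Errorf("sign-over by a non-owner was accepted")
	}
	return nil
}

func main() { fmt.Println("result:", RunFlow()) } // prints "result: <nil>" when every check holds
```

Two points the slides leave implicit are visible here: the OEM's sign-over needs only the End User's public key and the OEM's own private key, so it can happen on a workstation away from the production line, and the End User's registration step is the place to insist that the chain verifies and ends at its own key, because anybody can append an entry but only the previous owner can sign one that verifies.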

Slide 14

Advantages of pre-programmed TPM

● Simplifies flow for OEMs
  ○ No need to sign OV in 'real-time' on production line
    ■ OVs are extracted and then can be signed off line
  ○ OEM does not need to integrate and run manufacturing tool as part of their manufacturing flow
  ○ Approach works well for low and higher volumes
● Supports non-embedded OV model
  ○ Distributor can send a database of signed OVs to the OEM which can then be signed over to End User off line.

Slide 15

Summary

● OPTIGA™ TPMs are a highly effective and secure way of storing FDO credentials
● Infineon and Avnet have created a pre-programmed TPM concept for FDO that they believe can simplify FDO adoption.
● OEM/ODM feedback on the concept is greatly welcomed
● A specification for TPM use with FDO, co-written by Infineon, is available on the FIDO Alliance website.
  ○ https://fidoalliance.org/specs/FDO/securing-fdo-in-tpm-v1.0-rd-20231010/securing-fdo-in-tpm-v1.0-rd-20231010.pdf

Slide 16
Infineon Security Partner Network (ISPN)
