Tip / Sign in to post questions, reply, level up, and achieve exciting badges. Know more

cross mob

Creating production provisioning assets for PSoC™ 64 MCUs - KBA233832

lock attach
Attachments are accessible only for community members.

Creating production provisioning assets for PSoC™ 64 MCUs - KBA233832

IFX_Publisher1
Community Manager
Community Manager
Community Manager
250 sign-ins First comment on KBA 250 replies posted

Community Translation: PSoC™ 64 MCUの製品プロビジョニング資産を作成する – KBA33832

Version: *A

If you have followed the steps in the “Secure Boot” SDK user guide during development, you have probably been creating your own provisioning packets using the CySecureTools Python package. The CySecureTools package automatically creates the necessary keys and packets to provision your device, simplifying the provisioning process during development.

When you are ready to move to production, you will be responsible for creating several of the objects that CySecureTools previously created during the development provisioning process. These objects are:

  • OEM RoT public/private key pair
  • Provisioning policy
  • rot_auth.JWT
  • prov_req.JWT
  • (Optional) Custom bootloader image and bootloader image JWT
  • Any device certificates
  • Any custom keys
  1. Creating the policy
    The production policy might contain different settings than the development policy file. For example, you may disable the debug access ports and disable re-provisioning in the production policy. To create the production policy, you can either modify a copy of your development policy file, or create an entirely new policy file. In either case, see Section 5 of the “Secure Boot” SDK user guide for details and examples of each field of the policy file. It is important to ensure the relative paths to any keys listed in the policy are correct.

    1.1 Device certificates
    Any device certificates that are needed by the PSoC™ device will be programmed into the device by the HSM. You can include each certificate in X.509 format in the “Chain of trust” field in the policy file. The HSM will then include the certificates in the final provisioning command packet.

  2. Generating JWTs
    Before you create your JWTs, you must ensure that you have your OEM keys, the HSM public key, and any custom keys that the PSoC™ device may need. Additionally, it can be helpful to have a CySecureTools-initialized workspace and project for PSoC™ 64 MCU. If you have followed the “Secure Boot” SDK user guide, your workspace should include the folders “keys”, “packets”, “policy”, and “prebuilt”.
    2.1 rot_auth.JWT
    The rot_auth.JWT contains the OEM and HSM public keys in JSON Web Key (JWK) format. The token is signed by the OEM private key. Creating the JWT is a two-step process as follows:

    Step 1: Create the source JSON file.

    In an empty JSON file, place your OEM public key and the HSM public key. An example JSON file is as follows:

    {

      "type": "OEM_ROT_AUTH",
      "oem_pub_key": {
        "crv": "P-256",
        "kty": "EC",
        "use": "sig",
        "kid": "5",
        "x": "vfb7_jewTxpFVINcXdrZQJBArC5igrN0BLc783FigrM",
        "y": "9rBBUKXzpj1A5K7fxPtEaJdsfo7Jj_wsF7LTZLc-sPM"
      },
      "hsm_pub_key": {
        "crv": "P-256",
        "kty": "EC",
        "use": "sig",
        "kid": "4",
        "x": "sJMsN-2Jo27kc51wVK7xJ2fP9BDkzAc2fZEZMlohHX"
        "y": "MWluzmXgXOvdQQDYX3yy1Tk9QoHL-9DZhswZpY0Xe5U"
      },
      "prod_id": "my_thing"
    }

    Step 2: Convert the JSON to JWT and sign the JWT with your OEM private key.

    CySecureTools provides helpful functions to carry out the conversion to JWT. The json_convert.py attachment to this KBA is a CySecureTools-based Python script that can be used as a reference. The script encodes the provided keys into JWT format and produces a rot_auth_unsigned.jwt file. This file should be signed with your P-256 curve ECDSA private key.

    Run the script:

    1. Copy the script into your file system.
    2. Open a command line interface in the same directory.
    3. Call the script as follows. The JWT will be created in the same directory that the script was run from.

    python json_convert.py -p {RELATIVE_PATH_TO_POLICY_JSON} -t {DEVICE_SERIES} -rj {RELATIVE_PATH_TO_ROT_AUTH_JSON}

    For example:

    python json_convert.py -p policy/policy_single_CM0_CM4_swap.json -t cys06xxa -rj packets/rot_auth.json

    2.2  prov_req.JWT

    The prov_req.JWT is a provisioning request to the HSM. It contains any custom keys to be injected into the device, the product ID (“prod_id” as specified in rot_auth.JWT), and the JSON-formatted provisioning policy. Do the following:
    Step 1: Create this token by first creating a JSON file with the structure noted in the “Secure Boot” SDK user guide Section 5, Provisioning JWT Packet Reference, 5 prov_req.JWT.

    Step 2: Populate the fields with the necessary contents. An example of a complete prov_req.JWT is shown below.

    {
      "debug": {
    ...
      },
      "boot_upgrade": {
    ...
      },
      "prod_id": "my_thing",
      "custom_pub_key": [
    {
      "crv": "P-256",
      "kid": "6",
      "kty": "EC",
      "use": "sig",
      "x": "ouTC_gXC7-rzcLn2IJsdQuokCQNeF6-5Mugq5PPpwgw",
      "y": "SZ04p3z_jyilL8J18zZoxGTcWDoL7XPSBsJ5EZx9MAo"
    },
    {
      "crv": "P-256",
      "kty": "EC",
      "use": "sig",
      "x": "_za6DQEnUxqOm0vK9Pgvt9GHBtFi1XIVrPvfQ5zq90k",
      "y": "mhqW_r-kI0hWvAW_cqQmyaxlRs02bF4w-v4iV8YY-DQ",
      "kid": "8"
    }
      ]
    }

    Step 3: Convert the JSON to JWT and sign the JWT with your OEM private key. You can re-use the json_convert.py attachment to this KBA.

    Run the script:

    1. Copy the script into your file system.
    2. Open a command line interface in the same directory.
    3. Call the script as follows.

    The unsigned JWT will be created in the same directory that the script was run from. This file should be signed with your P-256 curve ECDSA OEM private key.

    python json_convert.py -p {RELATIVE_PATH_TO_POLICY_JSON} -t {DEVICE_SERIES} -rj {RELATIVE_PATH_TO_PROV_REQ_JSON}

    For example:

    python json_convert.py -p policy/policy_single_CM0_CM4_swap.json -t cys06xxa -rj packets/prov_req.json

  3. Custom bootloader and bootloader JWT

    Infineon provides a default bootloader image referred to as the “Cypress bootloader” in the “Secure Boot” SDK user guide. However, you may optionally use a custom bootloader. To do so, you must provide the bootloader image in Intel HEX format as well as a signed JWT containing, among other items, a hash of the image. An example JWT is as follows:

    {
      "image_id": 0,
      "image_hash": [
        118,
        ...
      ],
      "image_file": "CypressBootloader_CM0p.hex",
      "image_address": 270336000,
      "image_size": 48884,
      "image_version": "1.0.0.200",
      "policy_template": "",
      "iat": 1629482796,
      "exp": 1925020800
    }

    You can use CySecureTools to create a bootloader image JWT with a few function calls or in the CLI. For examples of this functionality, see the CySecureTools GitHub repository and navigate to “Create Image Certificate”.

  4. Validating JWT signatures

    After signing your JWT, it can be helpful to validate the signature of the packet. A successful validation ensures that your JWT is signed correctly using the key you provided. A validation script, jwt_verify_signature.py is attached to this KBA. This script uses the Python Jose package to validate the signature of your JWT.

    Run the script:

    1. Copy the script into your file system.
    2. Open a command line interface in the same directory.
    3. Call the script as follows:

    python jwt_verify_signature.py -p {RELATIVE_PATH_TO_PUBLIC_KEY_JSON} -j {RELATIVE_PATH_TO_SIGNED_JWT}

    For example:

    python jwt_verify_signature.py -p keys/oem_state.json -j packets/prov_req.jwt

Attachments
0 Likes
537 Views