SECURE PROVISIONING OF SEMICONDUCTOR CHIPS IN UNTRUSTED MANUFACTURING FACTORIES

摘要

One embodiment of the present invention includes a boot read only memory (ROM) with an embedded, private key provision key (KPK) set that enables secure provisioning of chips. As part of taping-out a chip, the chip provider establishes the KPK set and provides the boot ROM exclusive access to the KPK. For each Original Equipment Manufacturer (OEM), the chip provider assigns and discloses an OEM-specific KPK that is included in the KPK set at a particular KPK index. Upon receiving a secured provisioning image and the associated KPK index, the boot ROM accesses the KPK set to reconstruct the KPK and then decrypts and executes the secured provisioning image. Advantageously, this enables the manufacturing factory to provision the chip without the security risks attributable to conventional provisioning approaches that require disclosing security keys to the manufacturing factory.

主权项

1. A computer-implemented method for enabling secure execution of provisioning images within semiconductor chips, the method comprising:
generating a first semiconductor chip that includes a key provision key (KPK) set, wherein the KPK set includes a first KPK located at a first KPK index and a second KPK located at a second KPK index; configuring the semiconductor chip to, upon receiving the first KPK index in a secure provisioning mode, securely decrypt and execute a first encrypted provisioning image based on the first KPK index without disclosing the first KPK or the second KPK; and sending the first semiconductor chip, the first KPK, and the first KPK index to a first entity, but keeping the second KPK secret from the first entity.