An Introduction to Product Lifecycle Management of MCU Applications
For a product to be secure, security must be considered comprehensively and managed efficiently, from the design, development, and assembly of the product until it reaches the hands of the users; this is called product life cycle management.
For MCU-type products, the product life cycle can be divided into the chip vendor status, the original shipping (OEM) status, the product deployment status, and the return merchandise authorization (RMA) status.
Chip vendor status
MCUs are manufactured at chip factories, then tested and configured by the original manufacturer, after which they can be delivered to product manufacturers for the development and manufacturing of products.
Take the M2354 for example: when the chip is manufactured by the original manufacturer, it has an unchangeable and unique identification number (UID), and a UCID can also be set according to the customers’ needs. At this point the MCU contains no firmware or keys, and operations such as reading, programming, and debugging can be performed on it.
Original shipping (OEM) status
Under the OEM status, the MCU must be usable for developing the product firmware, and must also allow factories to program the product firmware onto the MCU once firmware development has been completed; therefore, the MCU at this time is in an open status that allows reading and programming of internal data, as well as development and debugging. The secure bootup processes based on the Root of Trust are all disabled at this time but can be enabled one by one at the different development stages.
Take the M2354 for example: the customer can use NuLink ICE to develop and debug the firmware at this stage; after confirming there are no problems, the keys can be written into the chip. After that, the MCU enables the Root of Trust mechanism and forces the execution of the secure bootup verification process; no unauthorized firmware is allowed to execute. The Debug Protection Mechanism (DPM) can also be enabled to turn on the authorization mechanism for the debug function, restricting access to the reading, programming, and debugging functions.
Product deployment (Deployed) status
After the firmware for the product has been developed and the production line assembly has been completed, the product enters the product deployment status, which means that it can now be delivered to the market for sale and finally reach the hands of the consumers. At this time, in order to protect the security of user data, all security mechanisms of the product are enabled; this includes the secure bootup process and the prohibition of access to the reading, programming, and debugging interfaces. No unauthorized operation is allowed.
However, so that the product can undergo fault analysis when necessary, the MCU is allowed to enter the RMA status under special permission, where the authorization conditions set by the original manufacturer are met.
Return merchandise authorization (RMA) status
When problems occur with the product and require analysis, operations such as reading, writing, and debugging might need to be performed on the MCU. To prevent user data from leaking as a result, even with the original manufacturer's authorization to enter the RMA status, the M2354 forcibly clears all the data in the MCU when it enters the RMA status, and the keys in the chip also become invalid, so that both the user's data security requirements and the RMA requirements are met. In addition, debugging under the RMA status is still managed by the DPM, and any unauthorized access is prohibited.
It is worth noting that all statuses in the product life cycle are one-way and irreversible. Take the product life cycle management mechanism of the M2354 for example: under the Vendor/OEM status, the chip can be read, programmed, and debugged, and can only be changed to the Deployed status. Under the Deployed status, the related security mechanisms are forcibly enabled, prohibiting all unauthorized access, and the status can only be changed to RMA. On entering the RMA status, the chip forcibly clears all user data and invalidates all keys in the chip before any other authorized operation can be performed, in order to prevent any possible security vulnerabilities. Once the chip has entered the RMA status, it has reached the end of its life cycle, and the status of the MCU can no longer be changed; it cannot be used in a product again either, because the invalid keys inside the MCU will cause all firmware to fail the secure boot certification.
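The one-way life cycle described above can be modelled as a small state machine. This is an added example, not Nuvoton code or the M2354 register interface; every type and function name in it is hypothetical, and treating Vendor/OEM as fully open for debug and boot is a simplification.

```c
#include <stdbool.h>
#include <string.h>

/* Illustrative model of the life cycle described in the text.
 * All names are hypothetical; this is not the M2354 interface. */
typedef enum { LC_VENDOR_OEM, LC_DEPLOYED, LC_RMA } lc_state;

typedef struct {
    lc_state state;
    bool keys_valid;              /* keys written and still usable */
    unsigned char user_data[8];   /* stands in for on-chip user data */
} mcu;

/* States only move forward by one step: Vendor/OEM -> Deployed -> RMA. */
bool lc_advance(mcu *m, lc_state next, bool vendor_authorized)
{
    if ((int)next != (int)m->state + 1)
        return false;                       /* no rollback, no skipping */
    if (next == LC_RMA) {
        if (!vendor_authorized)
            return false;                   /* RMA needs the vendor's permission */
        memset(m->user_data, 0, sizeof m->user_data);  /* forced clear */
        m->keys_valid = false;                         /* keys invalidated */
    }
    m->state = next;
    return true;
}

/* Read/program/debug: open in Vendor/OEM (simplification: DPM not yet
 * enabled there), otherwise gated by DPM authorization, RMA included. */
bool debug_allowed(const mcu *m, bool dpm_authorized)
{
    return m->state == LC_VENDOR_OEM || dpm_authorized;
}

/* Secure boot: enforced outside Vendor/OEM and requires valid keys,
 * so a chip in RMA can never boot product firmware again. */
bool boot_allowed(const mcu *m, bool fw_authorized)
{
    if (m->state == LC_VENDOR_OEM)
        return true;   /* simplification: Root of Trust not yet enabled */
    return m->keys_valid && fw_authorized;
}
```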
The security design of traditional MCUs usually relied on LOCK mechanisms; the purpose is to lock the internal memory when the product is shipped in order to prevent the firmware from being stolen to create so-called pirated versions. Therefore, the security mechanisms only had locked and unlocked statuses. However, a truly secure product must have careful planning for the security of the entire product life cycle, from the unique identification code at the beginning, through the convenience and security of development and debugging, to the security of the product launch, all the way until the product is returned to the original manufacturer for analysis and processing; both usability and security must be ensured at every stage in order to really block the security threats faced at each stage. Therefore, product life cycle management is an indispensable function for secure MCU products.