FIDO Taipei Workshop: Securing the Edge with FDO

1. 1
restricted
Liam Cheng
April 2024
Simplified FDO manufacturing flow
with TPMs

2. 2
Copyright © Infineon Technologies AG 2024. All rights reserved.
restricted
04.2024
Infineon is a global leader in power systems and IoT
2
Market position
Automotive
#1
TechInsights,
March 2023
1 As of 30 September 2023
Power
#1
Omdia,
September 2023
Security
#1
ABI Research,
October 2023
employees1
~58,600
in automotive, power management,
energy efficient technologies and IoT
Global leader

3. 3
Copyright © Infineon Technologies AG 2024. All rights reserved.
restricted
04.2024
We build trust in a connected world
Security controller
Security controller,
sofware & host
software
Security controller,
software & host
software
OPTIGA
TPM
OPTIGA TPM
OPTIGA Trust
eSIM
V2X
Security controller &
software
OPTIGA
Authenticate
Seamless secured transactions Verifying identities
Securing the IoT Fighting Counterfeits

4. 4
Copyright © Infineon Technologies AG 2024. All rights reserved.
restricted
04.2024
The Trusted Platform Module (TPM)
“The safe for your platform”
› Reduced implementation costs
› Minimized integration risk
› Proven security
› Tamper-resistant hardware
› Key and authentication protect
› Used in computing for over 20 years
› Widely adopted by new use cases
› Security of hardware and software
independently evaluated
Security chip standardized by
Trusted Computing Group
(TCG)
Widely used in board
applications
Designed to resist logical and
physical attacks
Certified by third-party
(Common Criteria/ FIPS)
TPM
“The for
your platform"

5. 5
Copyright © Infineon Technologies AG 2024. All rights reserved.
restricted
04.2024
Laptop Server Network Interface Card Switches Firewall
5G access point
Storage area network Enterprise router
Google Mesh Router Surveillance Camera EV Charging Station Printer
IoT gateway Wireless Access point
Fleet management
Existing products with OPTIGA TPM 2.0

6. 6
Copyright © Infineon Technologies AG 2024. All rights reserved.
restricted
04.2024
‒ TPM, a hardware module that provides secure
credential storage and trusted implementations of
cryptography, combines well with FDO.
‒ TPMs can store credentials for FDO securely, and it
provides the basic asymmetric cryptography for
FDO’s authentication.
‒ FDO, in turn, can work with TPMs to provision
application keys and certificates into TPM, allowing
customers to have private key materials with chains
of trust matching their organizational requirements.
‒ TPMs can potentially also be used to store FDO
factory credentials, allowing devices to adopt FDO
without a change to the manufacturing line.
TPM and FDO
https://fidoalliance.org/wp-content/uploads/2022/12/IoT-Application-
Provisioning-for-Security-Using-FDO-and-TPM-White-Paper.pdf

7. 7
Copyright © Infineon Technologies AG 2024. All rights reserved.
restricted
04.2024
Specification for FDO credential storage in a TPM
https://fidoalliance.org/specs/FDO/securing-fdo-in-tpm-v1.0-rd-20231010/securing-fdo-in-tpm-v1.0-rd-20231010.pdf

8. 8
Copyright © Infineon Technologies AG 2024. All rights reserved.
restricted
04.2024
How FDO works
Device Manufacturer
3
Load Ownership
Voucher (OV) to
Cloud
Device in box shipped
to installation location
1
Ownership
Voucher (OV)
FDO
Manufacturing
tool
FDO Client, Credentials
path to RV server
a. FDO agent & FDO credentials
places in device.
b. Ownership Voucher (OV)
created
8
7
a. Mutual authentication
takes place
b. Secure channel is
established
c. Onboarding takes place
using FSIM’s
Device given network
connectivity and powers up
Target Cloud
🡨
Application
Data
/
Control
🡨
Cloud Managed,
Device data flows
FDO owner
5
Device contacts RV
and is re-directed to
Cloud
6
Rendezvous
server (RV)
4
Register OV
with
Rendezvous
Server
FDO Client &
credentials
2
Onboarding
Data
🡨

9. 9
Copyright © Infineon Technologies AG 2024. All rights reserved.
restricted
04.2024
Standard TPM programming model
2. Distributor
1. TPMs shipped to OEM
1. OEM
1. Orders FDO TPMs from
Distributor
4. OEM
1. Creates OV with
manufacturing tool
2. Programs TPM and sends
OV to End User
3. Assembles Device with
TPM
4. Ships Device to installer
e.g. SI, end user etc.
3. End User
1. Orders FDO enabled
Devices
2. Provides their public key
to OEM
6. Installer
1. Installs devices
2. Runs FDO
3. Device onboards to End
User platform
5. End User
1. Registers OV with target
platform/RV server.

10. 10
Copyright © Infineon Technologies AG 2024. All rights reserved.
restricted
04.2024
Pre-programmed TPM concept
• To simplify the OEM manufacturing flow, Infineon in conjunction with Avnet have
created a pre-programmed TPM concept for FDO.
• In this approach, Avnet would pre-program the TPMs with FDO credentials and
then ship the TPM to the OEM for installation.
• The Ownership Voucher (OV) can be stored in the TPM or can be sent as a
database file to the OEM
TPM
FDO credential
Ownership
Voucher
ODM board or final device
Pre-programmed TPMs
shipped to ODM or
OEM
TPM
FDO
credential
Ownership
Voucher
TPMs
Pre-programmed by
Avnet
OS with FDO
Client
OV is extracted, signed
and shipped

11. Avnet TPM personalization services
● The OPTIGATM TPM is a turnkey security solution
● Avnet offers an industry first custom programming service for security devices.
● This personalization service makes it easier for customers to integrate embedded
custom security into their products independent of their security experience or volumes.

12. 12
Copyright © Infineon Technologies AG 2024. All rights reserved.
restricted
04.2024
TPM flow using embedded OV approach
2. Distributor
1. OV created and signed
with OEM key
2. TPM configured and
shipped to OEM with
embedded OV
1. OEM
1. Orders FDO enabled
TPMs from Distributor
2. Provides their public key
to Distributor
4. OEM
1. Extracts OV from TPM
2. Signs OV with End User
key and sends OV to End
User
3. Assembles Device
4. Ships Device to installer
e.g. SI, end user etc.
3. End User
1. Orders FDO enabled
Devices
2. Provides their public key
to OEM
6. Installer
1. Installs devices
2. Runs FDO
3. Device onboards to End
User platform
5. End User
1. Registers OV with target
platform/RV server.

13. 13
Copyright © Infineon Technologies AG 2024. All rights reserved.
restricted
04.2024
TPM flow using OV database
2. Distributor
1. OV created and signed
with OEM key
2. TPM configured and
shipped to OEM
3. OVs signed and sent as a
database to OEM
1. OEM
1. Orders FDO enabled
TPMs from Distributor
2. Provides their public key
to Distributor
4. OEM
1. OV taken from database
2. Signs OVs with End User
key and sends OVs to
End User
3. Assembles Device
4. Ships Device to installer
e.g. SI, end user etc.
3. End User
1. Orders FDO enabled
Devices
2. Provides their public key
to OEM
6. Installer
1. Installs devices
2. Runs FDO
3. Device onboards to End
User platform
5. End User
1. Registers OV with target
platform/RV server.

14. 14
Copyright © Infineon Technologies AG 2024. All rights reserved.
restricted
04.2024
Advantages of pre-programmed TPM
● Simplifies flow for OEMs
○ No need to sign OV in ‘real-time’ on production line
■ OVs are extracted and then can be signed off line
○ OEM does not need to integrate and run manufacturing tool as part of their manufacturing flow
○ Approach works well for low and higher volumes
● Supports non-embedded OV model
○ Distributor can send a database of signed OVs to the OEM which can then be signed over to
End User off line.

15. 15
Copyright © Infineon Technologies AG 2024. All rights reserved.
restricted
04.2024
Summary
● OPTIGATM TPMs are a highly effective and secure way of storing FDO
credentials
● Infineon and Avnet have created a pre-programmed TPM concept for FDO
that they believe can simplify FDO adoption.
● OEM/ODM feedback on the concept is greatly welcomed
● A specification for TPM use with FDO, co-written by Infineon, is available on
the FIDO Alliance website.
○ https://fidoalliance.org/specs/FDO/securing-fdo-in-tpm-v1.0-rd-20231010/securing-fdo-in-tpm-
v1.0-rd-20231010.pdf

16. 16
Copyright © Infineon Technologies AG 2024. All rights reserved.
restricted
04.2024
Infineon Security Partner Network (ISPN)

17. 17