
OrBIT User Guide

The product package

The product package (PPKG) is a zip file containing several files. Because of the encryption and signing process used to create it, these files must not be modified in any way as this could lead to the PPKG being rejected by the provisioning system. The files in a standard PPKG are:

Count authorization token (.cat)

A file containing the production count. The file is encrypted and can only be read by the designated Security Appliance.

Device files (ijet.zip)

A file containing macros and configuration files for an IAR iJet programmer. Used with Secure Deploy – Prototyping.

Complete product definition (.cpd)

A file containing the encrypted product application, injected information, configurations for generated information, and the product template.

Product Template

A set of instructions and associated metadata that a Security Appliance uses to provision a device during a production run.

The PPKG is created from the configuration files: the product configuration file, the manufacturing configuration file, and the private information file.
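Because a modified PPKG can be rejected by the provisioning system, it helps to check a package read-only before handing it over. The following is an added example, not part of OrBIT or of the original guide. It assumes you recorded a SHA-256 digest of the PPKG yourself when it was created; the sample archive and its member names are constructed, and the way the product template is named inside the archive is not stated on this page.

```python
import hashlib
import io
import zipfile

# Suffixes taken from the file list above; the product template's file name
# is not given in the guide, so such members are reported as "other".
KNOWN_SUFFIXES = {".cat": "count authorization token",
                  "ijet.zip": "device files",
                  ".cpd": "complete product definition"}


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def inspect_ppkg(data: bytes, recorded_sha256: str) -> dict:
    """Read-only check of a PPKG: never extracts or rewrites the archive."""
    report = {"digest_ok": sha256_of(data) == recorded_sha256,
              "readable": False, "corrupt_member": None,
              "members": {}, "missing": []}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            report["readable"] = True
            report["corrupt_member"] = zf.testzip()  # first CRC failure or None
            for name in zf.namelist():
                kind = next((k for s, k in KNOWN_SUFFIXES.items()
                             if name.lower().endswith(s)), "other")
                report["members"][name] = kind
    except zipfile.BadZipFile:
        return report
    found = set(report["members"].values())
    report["missing"] = sorted(k for k in KNOWN_SUFFIXES.values() if k not in found)
    return report


def build_sample_ppkg() -> bytes:
    """Constructed stand-in archive; member names and contents are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo.cat", b"constructed-encrypted-count")
        zf.writestr("ijet.zip", b"constructed-device-files")
        zf.writestr("demo.cpd", b"constructed-encrypted-definition")
    return buf.getvalue()


if __name__ == "__main__":
    pkg = build_sample_ppkg()
    digest = sha256_of(pkg)  # assumption: recorded when the package was created
    print(inspect_ppkg(pkg, digest))
```

A digest mismatch or a non-empty `corrupt_member` means the package should be regenerated from the configuration files rather than repaired by hand.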

Product template

A product template is a set of instructions and metadata that a Security Appliance uses to provision a device. The availability of the product templates depends on your edition of eSecIP. There are three product templates available in OrBIT:

Dynamic_Provisioning

For use with eSecIP Professional.

Dynamic_Provisioning uses a Binary Large Object (BLOB) to store all sensitive information on the device. The information is obfuscated using a security decoder library, the Dynamic Provisioning Data Parser (DP2), whose source code and supporting cryptographic functions (MBEDTLS) are installed with OrBIT. These files are then added to the product application project, and the associated header files are added to the product application code. The application uses the library’s function calls to access the secured product information provisioned onto the device. OrBIT can generate the header file dp2_config.h, which is necessary for accessing the obfuscated product information.

Tip

The application note STZAN0156EN0100 provides an example of how to incorporate the files into a product application. It can be accessed through My Pages at www.iar.com.

Static_Provisioning

For use with eSecIP Standard or eSecIP Professional.

Static_Provisioning differs from Dynamic_Provisioning in that it does not require a security decoder library to be linked to the product application. Instead, this product template requires you to supply, as part of the product’s application, the necessary memory addresses and cryptographic functions for de-obfuscating the obfuscated product information on the device. Examples of these functions can be found in the security decoder library source code that is installed with OrBIT.

Basic_Provisioning

Only for use with eSecIP Basic.

Basic_Provisioning is functionally similar to Static_Provisioning, but it supports fewer information types to be provisioned and it does not obfuscate that information. It is mainly used to provide devices with a simple form of device identity and to utilize the Secure IP Transport feature to safely transport sensitive information to production houses. No modifications to the product application are required with this product template.