Index for device types (SE/TPM/eSE/eSIM/mini-HSM/PUF), core capabilities (keys, secure storage, crypto, attestation, boot, access control, tamper), interfaces & stacks, compliance, use cases, key specs, TPM essentials, provisioning lifecycle, and design pitfalls with quick pairings.
Device Types
Discrete Secure Element (SE)
I²C/SPI/ISO7816 interfaces with secure CPU/NVM/crypto; device identity, keystore, encryption & signatures.
Trusted Platform Module (TPM 2.0)
TCG-specified module with PCR measurements, seal/unseal, NV indices and dictionary-attack (DA) lockout; used for measured boot, remote attestation (RA) and disk encryption.
Embedded Secure Element (eSE)
Integrated in mobile/IoT SoCs for NFC payments and credential storage (payments/transit/access).
UICC / eUICC (eSIM)
GlobalPlatform/GSMA RSP with SCP session keys for cellular identity and remote configuration.
Security Co-Processor / Mini-HSM
More compute/storage and peripheral hooks; good for gateways/industrial key domains.
PUF-based Secure Element
Derives root keys from PUF; avoids storing plaintext keys.
Capabilities
Key Management
TRNG, key gen/store/rotate/destroy; wrap/unwrap, KDFs and key ladders.
Secure Storage
Authenticated NVM with monotonic counters/anti-rollback and atomic (anti-tearing) writes.
Crypto Engines
AES-GCM/CCM, SHA-2/3, RSA, ECC (P-256/P-384, Ed25519), HMAC/KMAC accelerators.
Attestation & Certificates
X.509 and 802.1AR DevID chains; remote attestation workflows.
Secure / Measured Boot
Signed boot chains (SE) and PCR measurements (TPM) to ensure firmware integrity.
Access Control
PIN/policy sessions, roles and lifecycle states (FAB/TEST/PROD/RMA).
Tamper Resistance
Voltage/clock/temp/light/probe/glitch sensors with erase; SCA/FI countermeasures.
Interfaces & Stacks
Host Interfaces
I²C/SPI/ISO7816 (T=0/T=1), SPI-TPM (TIS over SPI/I²C) and occasionally USB.
Security Standards
GlobalPlatform (SCP03/TEE), TCG TPM 2.0, PKCS#11, FIDO2/U2F, Matter DAC/PAI, DLMS security.
NFC / ISO14443 / eSE
EMVCo stacks for payments/transit/access with SE applets.
Cloud Onboarding
802.1AR DevID/CSR and device attestation into cloud certificate issuance & registration.
Compliance & Certifications
Security Certifications
Common Criteria (EAL4+…EAL6+), FIPS 140-3, EMVCo, PCI PTS, SESIP/PSA Certified.
FuSa / Automotive
AEC-Q100 and ASIL documentation in gateway/TCU identity scenarios.
Use Cases
IoT Device Identity & Keystore
TLS client certs, mutual auth and firmware signature verification.
Remote Attestation & Integrity
TPM PCR quotes feeding policy engines for zero-trust admission.
Payments / Transit / Access
eSE/UICC applets, offline data authentication and risk parameters.
Automotive / Industrial Gateway
Secure boot, credential protection and OTA anti-rollback.
Smart Metering
DLMS suites, monotonic energy counters and signed anti-tamper logs.
User Auth Keys (FIDO2/U2F)
Platform or external security keys for phishing-resistant logins.
Key Specs & Selection
Crypto Throughput & Curves
ECC curves/key sizes, signatures-per-second and concurrent session counts.
Secure NVM Size & Endurance
Room for certs/keys/counters; write-cycle and retention specs.
Boot / Attestation Latency
Time for boot authentication and certificate chain checks.
TRNG Quality
Online health tests and SP 800-90B entropy-source evaluations.
Tamper Grade
Sensor coverage and SCA/FI resistance levels.
Host Ecosystem
TPM2-TSS/PKCS#11 support, drivers and reference middleware.
Cert & Longevity
CC/FIPS/EMVCo versions, automotive grades and second sourcing.
TPM 2.0 Essentials
PCR & Measurement
Extend boot-stage hashes into PCRs; seal data to platform state.
EK / SRK / AK
EK certificate chains, SRK-wrapped keys and AK for attestation.
NV Indices / Monotonic Counters
Anti-rollback counters with policy bindings.
Policy Sessions
Use PolicyPCR/PolicyAuthorize for fine-grained access control.
Common Use Cases
BitLocker/disk encryption, measured boot, RA (Quote) and cert/CSR protection.
Provisioning & Lifecycle
Key Ceremony
CA/HSM generate roots/intermediates; factory HSM issues device certs/keys.
Personalization
Set lifecycle/lock debug, inject cert chains/policies and log traceable IDs.
OTA & Rotation
Rotate certs/keys; align firmware signing and anti-rollback counters.
RMA / Decommission
Secure erase/deactivation and certificate revocation (CRLs).
Design Hooks & Pitfalls
Anti-Rollback & Counters
Bind firmware/config to monotonic counters; ensure atomic writes.
TRNG Health
A TRNG failure undermines every key and nonce the device generates; enable continuous health tests and entropy monitoring.
SCA / Fault-Injection Countermeasures
Add noise/timing randomness, balance power; erase on voltage/clock/temp/light anomalies.
Certificate Chain & Domain Match
Set the correct EKU/certificate policies; make CN/SAN match the service domain; ship the full intermediate chain so verification does not fail on a missing issuer.
Debug Ports
Permanently lock JTAG/SWD/UART pre-production; keep a secure RMA path.
Trusted Time
RA/cert checks need trusted time (secure RTC/timestamps).
Performance & Concurrency
Budget signature throughput/handshake peaks; use session resumption/PSK.
Cross-Platform Middleware
Prefer standard interfaces (TPM2-TSS/PKCS#11/MbedTLS-PSA) to avoid lock-in.
Power & Reset
Stable power-up; avoid glitch resets and half-writes; isolate I²C pull-ups from injection paths.
Supply Chain
Use CC/FIPS/EMVCo-certified parts/lines; plan second source and cross-vendor cert migration.
Quick Pairings
IoT Secure Access
SE (I²C) + 802.1AR DevID + TLS client auth + secure boot + OTA anti-rollback.
Industrial Gateway
TPM 2.0 (SPI) + PCR measurements + disk encryption + RA into zero-trust networks.
Payments / Access
eSE + EMVCo/GlobalPlatform applets + NFC + cloud-side risk control.
Automotive Domain Controller
Automotive-grade SE + secure boot + ECU-to-ECU TLS/DTLS + FuSa docs.
Smart Meter
SE + DLMS suite + monotonic counters + anti-tamper logs + AMI integration.