Matter Secure Manufacturing#

At Silicon Labs, we prioritize security by providing manufacturing solutions that enable customers to ensure that the integrity and security of their Matter devices is kept. This page explores the requirements set by the Connectivity Standards Alliance, which establish the standard for secure Matter IoT device production. Our goal is to contribute to the creation of a safer, more intelligent and connected world.

When manufacturing a Matter product you must follow the Matter Security Requirements defined by the Connectivity Standards Alliance. A number of these requirements are mandatory and others are recommended. We provide the following most relevant requirements to help our customers in their Production Journey.

Matter Manufacturing#

What should your Matter device include?

  • Device Attestation Credential (DAC) and private key unique to your device. This private key must be protected from unauthorized access.

  • Onboarding Payload (Vendor ID (VID), and Product ID (PID) discriminator and passcode)

  • Certification Declaration (CD)

  • Product Attestation Intermediate (PAI)

Note: For more details on the data injected, refer to Device Attestation.

  • DAC Private Key stored as securely as the part will allow:

    • For Secure Vault™ High parts: Private DAC Key is Physical Unclonable Functions (PUF) wrapped which protects it against Remote Logical attacks and Local Physical attacks

    • For Secure Vault™ Mid parts: Private DAC Key is in Flash behind a Trusted Execution Environment (TEE) which protects it from Remote Logical attacks

Matter Commissioning#

  • The certificate chain (Product Attestation Authority (PAA), PAI, and DAC) must be verified to ensure only authentic Matter devices can be commissioned.

  • Matter Onboarding Payload must be checked against the Distributed Compliance Ledger (DCL) and CD to ensure that only authentic Matter devices are commissioned into the network.

Device Communication#

  • Communication between Matter devices must be secured and encrypted using cryptographic keys and a Password-Based Key Derivation Function (PBKDF). See NIST 800-132 for details on PBKDF.

  • Authentication and encryption keys must be generated by a “Deterministic Random Bit Generator” seeded by a True Random Number Generator (TRNG). See NIST 800-90B for details on TRNG.

Other Recommended Security Specifications#

  • Software updates: Devices must support secure OTA firmware updates to allow vulnerabilities to be patched.

  • Debug interfaces should be disabled to only allow authorized access (fusing). For more information on the different functionalities available by Silicon Labs, refer to AN1190: Series 2 Secure Debug.

  • Devices should have a verified boot process based on a root of trust to ensure firmware authenticity. Silicon Labs offers Secure Boot to ensure firmware authenticity. For further information on Secure Boot, refer to AN1218: Series 2 Secure Boot with RTSL.

  • DACs and operational private key confidentiality should be protected from remote attacks.

  • The software should be encrypted at rest to prevent unauthorized access to core IP.

  • Devices should be protected against physical attacks to prevent tampering, side-channel, or debug glitching attacks. AN1247: Anti-Tamper Protection Configuration and Use.

  • Devices should have the capability to perform a factory reset and remove all their security and privacy-related data after commissioning.

Silicon Labs offers services to comply with all the mandatory and recommended security best practices to ensure that your Matter device is Secure. We have partnered with Kudelski to generate and deliver Matter Device Attestation Certificates (DAC) for our Custom Part Manufacturing Service (CPMS). For more information on the security features that CPMS offers, refer to Custom Part Manufacturing Service.