Chain of Trust

EZ BSP establishes an unbroken chain of trust from the hardware root of trust through bootloader, kernel, and application layers — ensuring only cryptographically authenticated software can execute on your device.

COT-Icon-White-Outline1.png

Secure Device Framework

A hardware root of trust architecture in our long-term support EZ BSPs. Built so only your software runs on your devices. Each layer verifies the next before handing over execution.

Secure File Storage Filesystem-level encryption for your core business data
Secure Enclave Isolated enclave that holds private keys and credentials
Signed Linux Kernel & Applications Your software, running on a read-only verified filesystem
Signed Bootloader Minimal secure OS that validates Linux; verified against the Hardware Root of Trust
Processor Hardware Root of Trust Your keys and certificates provisioned at manufacturing — the immutable foundation
What EZ BSP Delivers
  • Industrial-grade secure boot architecture from day one
  • Your part number device secrets, with a full audit trail
  • OTA integrity — your device won't update unless the software is signed by you
  • Meets CRA and rising regulatory requirements
  • Secure Enclave for private key and credential storage

Device Security Across the Customer Journey

From eval-kit prototype to signed production images — and the maintenance loop that keeps the fleet current.

Production-Grade Image Signing

From steps 4 and 6 above

Private keys never touch a build machine. Every image is signed via AWS KMS — the key stays in the managed vault, and every signature is logged in AWS CloudTrail.

1
Build EZ BSP produces a release image
AWS KMS Managed vault · Your private key
signing request ↑ ↓ signed response
2
Sign EZ BSP calls AWS KMS — key stays in the vault
3
Verify Device checks the signature on every boot
4
Ship OTA or factory programming
What EZ BSP Delivers
  • Signing keys not on build machines — Private keys and certificates live in AWS KMS. Developers and build pipelines request signatures — they never see the private material.
  • Reference signing pipeline included — EZ BSP ships helper scripts that wire your build pipeline to AWS KMS. No vault APIs to research or signing service to build from scratch.
  • Ezurio-managed signing, if required — Optional path where Ezurio runs the signing infrastructure on your behalf, for teams without DevSecOps capacity.
  • Audit trail for every signed image — Every signature is logged in AWS CloudTrail — the evidence regulated industries require.

Manufacturing Provisioning

From step 7a above

Your secure boot secrets, tied to your part number and programmed at the factory at production volume. Ezurio handles every step of the provisioning line — so you can ship secure devices without building your own programming infrastructure.

1
Image Handover You release the signed image and fuse bundle to Ezurio
2
Programming Ezurio burns fuses and programs the signed image for your unique part number
Provisioning Infrastructure Your servers · Generates and issues secrets per unit
secrets issued ↓ ↑ unit recorded
3
Additional Provisioning Module reaches out to your servers to generate per-device keys and certificates Optional
4
Test Each unit verified before it leaves the line
What Ezurio Delivers
  • Factory image programming — Ezurio programs signed images onto each SOM on the manufacturing line. No factory programming build-out required on your side.
  • Per-part-number secrets at scale — Every part number gets its own keys and certificates written into the device during production.
  • Throughput-tested for volume — Provisioning runs at full production rates, currently operating at 10K–250K units per part number per year.
  • Audit log per unit — Every device's serial number and provisioning event is logged for full traceability.
Chain of Trust icon

Chain of Trust

  • Device security framework using secure boot with hardware root of trust and secure device storage
  • Production-Grade Image Signing - Secure signing service for generating signed firmware and certificates, backed by AWS
  • Manufacturing Provisioning -Mass programming of hardware root of trust and secure image programming with optional provisioning of customer-specific application keys, certificates, and credentials
Security BSP Releases icon

Security BSP Releases

  • LTS Linux kernel, Yocto, and Buildroot releases out of our normal cycle to address CVEs
  • Ezurio QA re-tests the BSP/hardware combination to preserve features
  • Customer outsources the burden of retesting core BSP functionality
  • Yocto & Buildroot generate SBOMs for use in customer’s CVE scanner or each build system’s built in CVE scanner.
  • Supports EU CRA, EO 14028 & NTIA SBOM compliance
FIPS Cryptographic Modules icon

FIPS Cryptographic Modules

  • FIPS 140-3 Level 1 certified
  • Wi-Fi data-in-transit
  • TLS data-in-transit
  • Currently on 60 Series SOM
  • In design for Carbon AM62L
  • Required for medical, government, defense
Loop

Ready to Get Started? 

Get in touch with our sales and engineering team to find the SOM that best meets your needs, powered by our comprehensive EZ BSP. 

Browse Ezurio SOMs

View Support Documentation

Contact Sales and Support