Chain of Trust
EZ BSP establishes an unbroken chain of trust from the hardware root of trust through bootloader, kernel, and application layers — ensuring only cryptographically authenticated software can execute on your device.
Chain of Trust
Secure Device Framework
A hardware root of trust architecture in our long-term support EZ BSPs. Built so only your software runs on your devices. Each layer verifies the next before handing over execution.
Secure File Storage
Filesystem-level encryption for your core business data
Secure Enclave
Isolated enclave that holds private keys and credentials
Signed Linux Kernel & Applications
Your software, running on a read-only verified filesystem
Signed Bootloader
Minimal secure OS that validates Linux; verified against the Hardware Root of Trust
Processor Hardware Root of Trust
Your keys and certificates provisioned at manufacturing — the immutable foundation
What EZ BSP Delivers
- Industrial-grade secure boot architecture from day one
- Your part number device secrets, with a full audit trail
- OTA integrity — your device won't update unless the software is signed by you
- Meets CRA and rising regulatory requirements
- Secure Enclave for private key and credential storage
Device Security Across the Customer Journey
From eval-kit prototype to signed production images — and the maintenance loop that keeps the fleet current.
1
Evaluate & Design
Early evaluation on unsecured eval-kit hardware; design your carrier hardware.
→
2
Prototype
Carrier hardware and initial software running on unsecured SOM modules.
→
3
Secure Framework Enabled
Enable the secure device framework using dummy secrets on your prototype hardware.
4
Secure Signing Service Set Up
Stand up the secure signing service and generate your production secrets.
→
Now Entering
Maintenance Loop
Maintenance Loop
Steps 5–8 repeat whenever a new software image is needed.
→
5
Build Production Image
Generate your production image, ready for signing.
6
Sign Production Image
Sign the production image using your secure signing service.
→
7a
Manufacturing Provisioning (optional)
Ezurio or your manufacturing partner programs the secure image onto SOMs at the factory.
→
7b
Deploy to Fleet
Upload your signed image to your device-management service for OTA deployment.
8
Evaluate Software for Updates
Assess security advisories and bug fixes that require a new software image.
New image required? Back to step 5 ↑
Production-Grade Image Signing
From steps 4 and 6 above
Private keys never touch a build machine. Every image is signed via AWS KMS — the key stays in the managed vault, and every signature is logged in AWS CloudTrail.
1
Build
EZ BSP produces a release image
→
AWS KMS
Managed vault · Your private key
signing request ↑
↓ signed response
2
Sign
EZ BSP calls AWS KMS — key stays in the vault
→
3
Verify
Device checks the signature on every boot
→
4
Ship
OTA or factory programming
What EZ BSP Delivers
- Signing keys not on build machines — Private keys and certificates live in AWS KMS. Developers and build pipelines request signatures — they never see the private material.
- Reference signing pipeline included — EZ BSP ships helper scripts that wire your build pipeline to AWS KMS. No vault APIs to research or signing service to build from scratch.
- Ezurio-managed signing, if required — Optional path where Ezurio runs the signing infrastructure on your behalf, for teams without DevSecOps capacity.
- Audit trail for every signed image — Every signature is logged in AWS CloudTrail — the evidence regulated industries require.
Manufacturing Provisioning
From step 7a above
Your secure boot secrets, tied to your part number and programmed at the factory at production volume. Ezurio handles every step of the provisioning line — so you can ship secure devices without building your own programming infrastructure.
1
Image Handover
You release the signed image and fuse bundle to Ezurio
→
2
Programming
Ezurio burns fuses and programs the signed image for your unique part number
→
Provisioning Infrastructure
Your servers · Generates and issues secrets per unit
secrets issued ↓
↑ unit recorded
3
Additional Provisioning
Module reaches out to your servers to generate per-device keys and certificates
Optional
→
4
Test
Each unit verified before it leaves the line
What Ezurio Delivers
- Factory image programming — Ezurio programs signed images onto each SOM on the manufacturing line. No factory programming build-out required on your side.
- Per-part-number secrets at scale — Every part number gets its own keys and certificates written into the device during production.
- Throughput-tested for volume — Provisioning runs at full production rates, currently operating at 10K–250K units per part number per year.
- Audit log per unit — Every device's serial number and provisioning event is logged for full traceability.
Chain of Trust
- Device security framework using secure boot with hardware root of trust and secure device storage
- Production-Grade Image Signing - Secure signing service for generating signed firmware and certificates, backed by AWS
- Manufacturing Provisioning -Mass programming of hardware root of trust and secure image programming with optional provisioning of customer-specific application keys, certificates, and credentials
Security BSP Releases
- LTS Linux kernel, Yocto, and Buildroot releases out of our normal cycle to address CVEs
- Ezurio QA re-tests the BSP/hardware combination to preserve features
- Customer outsources the burden of retesting core BSP functionality
- Yocto & Buildroot generate SBOMs for use in customer’s CVE scanner or each build system’s built in CVE scanner.
- Supports EU CRA, EO 14028 & NTIA SBOM compliance
FIPS Cryptographic Modules
- FIPS 140-3 Level 1 certified
- Wi-Fi data-in-transit
- TLS data-in-transit
- Currently on 60 Series SOM
- In design for Carbon AM62L
- Required for medical, government, defense
Ready to Get Started?
Get in touch with our sales and engineering team to find the SOM that best meets your needs, powered by our comprehensive EZ BSP.