This section shows how to mass manufacture your Sidewalk-enabled products for production. You’ll learn about the pre-requisites and tools that are used, and the steps that are performed in manufacturing your devices. It also contains information about the steps that you must perform and the steps that must be performed by the contract manufacturer (CM).
- Required toolkit
- HSMs for Sidewalk signing tool
- Manufacturing workflow overview
Manufacturing your Sidewalk devices with AWS IoT Core for Amazon Sidewalk uses a collection of tools that run on one or more Linux-based machines. The following tools are required for mass manufacturing.
- OpenSSL
OpenSSL version 1.1.1 or greater. To use OpenSSL, Ed25519 support is required.
- Sidewalk signing tool
The Sidewalk signing tool takes a Sidewalk certificate signing request (CSR) as input for each of the required elliptic curves (EC), and returns a signed certificate chain for the specified EC. To get the latest version of the tool, contact the Amazon Sidewalk team.
The signing tool can run on a single machine or be distributed in a client-server setup. Running the tool on a single machine can be useful when testing a single line of manufacturing. When you want multiple clients to use a single HSM, you distribute the tool in a client-server setup.
- YubiHSM connector
The YubiHSM connector, yubihsm-connector, is a back-end application that’s required to communicate with the HSM token.
- Nginx
Nginx is a web server that’s required when you’re using the client-server setup. This tool serves as a reverse proxy for the YubiHSM connector. It controls access to the yubihsm-connector, for example by requiring mutually authenticated TLS, which provides a secure connection between the components.
- Provisioning script
The provisioning script, provision.py, is a manufacturing page generation script. It’s used for creating a manufacturing object, which can be flashed into the device memory.
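The reverse-proxy role described for Nginx above can be expressed as a server block like the following. This is an added example, not configuration from the Sidewalk documentation or the signing tool; the hostname, port 8443 and every file path are assumptions, and the upstream address is the yubihsm-connector default listen address.

```nginx
# Added example: mutually authenticated TLS in front of yubihsm-connector.
# Hostname, port and file paths are assumptions; replace with your own values.
server {
    listen 8443 ssl;
    server_name hsm-host.example.internal;   # placeholder name

    # Server identity presented to the signing-tool clients.
    ssl_certificate     /etc/nginx/tls/hsm-host.crt;
    ssl_certificate_key /etc/nginx/tls/hsm-host.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Client authentication: only certificates issued by this CA are accepted.
    # Use a private CA that issues certificates to manufacturing-line clients
    # only, not a general-purpose or public CA bundle.
    ssl_client_certificate /etc/nginx/tls/line-clients-ca.crt;
    ssl_verify_depth       1;

    # Must be "on". With "optional", a client that presents no certificate
    # at all is still proxied through to the connector.
    ssl_verify_client      on;

    location / {
        # yubihsm-connector listens on localhost:12345 by default; adjust
        # if the connector was started with a different listen address.
        proxy_pass http://127.0.0.1:12345;
    }
}
```

Keep the connector itself bound to the loopback interface so that this proxy is the only network path to the HSM.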
When manufacturing your Sidewalk devices, each Sidewalk-enabled device that joins the Sidewalk network must be provisioned with a Sidewalk device certificate. The HSM that’s issued for use with the Sidewalk signing tool has these two major components.
- The public portions of the device certificates, or the Sidewalk certificate chain. It consists of four certificates up to the Amazon root, and provides a path of valid certificates, or chain of trust, to the Amazon Root Certificate Authority. After the device certificates have been generated, the public device information must be uploaded to Amazon using control log ingestion.
- The private key (DAK) that will be stored in the device.
For more information, see Device attestation key (
- Printed circuit board assembly (PCBA) with a supported chipset. When testing HSM-based provisioning, you can use a Sidewalk hardware development kit (HDK).
- HSM (hardware security module) specifically created for your Sidewalk product by Amazon. Amazon can provide multiple HSMs per product, if needed. Each HSM is identified by a unique serial number, YubiHSM, that is printed on the side that does not have the USB contacts. For information about purchasing a YubiHSM, see YubiHSM. The number of YubiHSMs needed is based on the mode of operation, as described in Step 1: Setting up the host. For more information, see the YubiHSM key section.
- HSM vendor-provided SDK. For more information, see YubiHSM2 releases.
- Sidewalk device profile that’s factory supported and qualified for production. The Sidewalk signing tool requires the APID information from the created profile, and your Amazon-ID.
- Computer or native machine running Linux 18.x or Linux 20.x, or Windows 8 or Windows 10.
- Sidewalk signing tool, which corresponds to the Python script sidewalk-signing-tool.py. To get the latest version of the tool, contact the Amazon Sidewalk team.
- Python interpreter, which is required by the signing tool and the provisioning script,
The following shows you the steps that are involved in mass manufacturing your Sidewalk devices. You’ll also learn more about the steps that you need to perform and the steps performed by the contract manufacturer (CM) in the manufacturing workflow.
You only need to create a Sidewalk profile and obtain factory support so that it’s qualified for production use. The CM then sets up the required tools on the host machines, and runs the Sidewalk signing tool to obtain the certificates and generate the control logs. The CM also uploads these logs to Amazon Sidewalk using EDI or an SFTP endpoint, after which you receive a CSV file. You’ll then upload this CSV file to an S3 bucket and use AWS IoT Core for Amazon Sidewalk to bulk provision your Sidewalk devices.
For more information, see How Amazon Sidewalk manufacturing works.
The contract manufacturer (CM) sets up the required tools on the host machines for manufacturing your Sidewalk devices. You don’t need to take any action.
You create a prototype device profile and request the Sidewalk team to provide factory support. The CM then generates the CSRs, runs the YubiHSM connector in the background, and uses the Sidewalk signing tool to return the encoded and signed Sidewalk certificate chains.
The CM then uses the signing tools to generate and consolidate the control logs, which are then uploaded to Amazon Sidewalk using EDI or an SFTP endpoint. You’ll then receive an email with a CSV file attached that contains the status information.
You can now upload the CSV file received to an S3 bucket and provide the information to AWS IoT Core for Amazon Sidewalk for bulk provisioning. If AWS IoT Core for Amazon Sidewalk finds a match in the serial numbers between the CSV file and the control logs that it receives from Amazon Sidewalk, the corresponding devices are then provisioned.
The following sections describe each of these steps in additional detail.