Method for provisioning device certificates for electronic processors in untrusted environments

We claim: 1 . A method for provisioning a device certificate for an electronic processor, the method comprising: receiving a flashloader at the electronic processor; validating the flashloader with the electronic processor; and after validating the flashloader receiving an encrypted provisioned key bundle at the electronic processor, decrypting the encrypted provisioned key bundle with the electronic processor using a provisioning key to create a decrypted provisioned key bundle, and executing a provisioning process on the electronic processor using the decrypted provisioned key bundle. 2 . The method of claim 1 , wherein executing the provisioning process on the electronic processor includes: retrieving a certificate authority key from the decrypted provisioned key bundle, generating an unsigned device certificate, and signing the unsigned device certificate with the certificate authority key to create a signed device certificate. 3 . The method of claim 1 , wherein executing the provisioning process on the electronic processor includes extracting a signed device certificate from the decrypted provisioned key bundle. 4 . The method of claim 1 , wherein executing the provisioning process on the electronic processor includes: retrieving a first key from the decrypted provisioned key bundle, generating an unsigned certificate signing request for an unsigned device certificate, signing the unsigned certificate signing request with the first key to create a signed certificate signing request, sending the signed certificate signing request to a server, and receiving a signed device certificate from the server. 5 . The method of claim 1 , wherein the electronic processor is included in an electronic device, wherein the method further comprises authenticating the electronic processor using the device certificate. 6 . The method of claim 1 , wherein after validating the flashloader, the method further comprising: receiving an encrypted bootloader at the electronic processor, decrypting the encrypted bootloader with the electronic processor using the provisioning key to create a decrypted bootloader, and storing the decrypted bootloader in a reprogrammable memory included in the electronic processor. 7 . The method of claim 1 , wherein after validating the flashloader, the method further comprising: receiving an encrypted common encryption key at the electronic processor, decrypting the encrypted common encryption key with the electronic processor using the provisioning key to create a decrypted common encryption key, and storing the decrypted common encryption key in a one-time programmable memory included in the electronic processor. 8 . The method of claim 7 , wherein after validating the flashloader, the method further comprising: receiving an encrypted bootloader at the electronic processor, decrypting the encrypted bootloader with the electronic processor to create a decrypted bootloader, wherein the electronic processor decrypts the encrypted bootloader using at least one selected from a group consisting of the provisioning key and the decrypted common encryption key stored in the one-time programmable memory, and storing the decrypted bootloader in a reprogrammable memory included in the electronic processor. 9 . A method for provisioning a device certificate for an electronic processor, the method comprising: receiving a flashloader at the electronic processor; validating the flashloader with the electronic processor; and after validating the flashloader receiving a double encrypted provisioned key bundle at the electronic processor, retrieving a common encryption key stored in a one-time programmable memory included in the electronic processor, decrypting the double encrypted provisioned key bundle with the electronic processor using the common encryption key and a provisioning key to create a decrypted provisioned key bundle, and executing a provisioning process on the electronic processor using the decrypted provisioned key bundle. 10 . The method of claim 9 , wherein executing the provisioning process on the electronic processor includes: retrieving a certificate authority key from the decrypted provisioned key bundle, generating an unsigned device certificate, and signing the unsigned device certificate with the certificate authority key to create a signed device certificate. 11 . The method of claim 9 , wherein executing the provisioning process on the electronic processor includes extracting a signed device certificate from the decrypted provisioned key bundle. 12 . The method of claim 9 , wherein executing the provisioning process on the electronic processor includes: retrieving a first key from the decrypted provisioned key bundle, generating an unsigned certificate signing request for an unsigned device certificate, signing the unsigned certificate signing request with the first key to create a signed certificate signing request, sending the signed certificate signing request to a server, and receiving a signed device certificate from the server. 13 . The method of claim 9 , wherein the electronic processor is included in an electronic device, where the method further comprises authenticating the electronic processor using the device certificate. 14 . The method of claim 9 , wherein after validating the flashloader, the method further comprising: receiving an encrypted bootloader at the electronic processor, decrypting the encrypted bootloader with the electronic processor using the common encryption key to create a decrypted bootloader, and storing the decrypted bootloader in a reprogrammable memory included in the electronic processor. 15 . The method of claim 9 , wherein after validating the flashloader, the method further comprising receiving a double encrypted bootloader at the electronic processor, decrypting the double encrypted bootloader with the electronic processor using the common encryption key and the provisioning key to create a decrypted bootloader, and storing the decrypted bootloader in a reprogrammable memory included in the electronic processor. 16 . A method for provisioning a device certificate for an electronic processor, the method comprising: receiving a flashloader at the electronic processor; validating the flashloader with the electronic processor; after validating the flashloader receiving an encrypted provisioned key bundle at the electronic processor, retrieving a common encryption key stored in a one-time programmable memory included in the electronic processor, decrypting the encrypted provisioned key bundle with the electronic processor using the common encryption key to create a decrypted provisioned key bundle, and executing a provisioning process on the electronic processor using the decrypted provisioned key bundle. 17 . The method of claim 16 , wherein executing the provisioning process on the electronic processor includes: retrieving a certificate authority key from the decrypted provisioned key bundle, generating an unsigned device certificate, and signing the unsigned device certificate with the certificate authority key to create a signed device certificate. 18 . The method of claim 16 , wherein executing the provisioning process on the electronic processor includes extracting a signed device certificate from the decrypted provisioned key bundle. 19 . The method of claim 16 , wherein executing the provisioning process on the electronic processor includes: