Provisioning of operating systems, data, and programs to xUICC

A single OS load key as the root of trust facilitates secure and flexible management of xUICC software components by encrypting and provisioning xUICC operating system and eSIM profiles, addressing the complexity of existing xUICC management systems.

JP2026521365APending Publication Date: 2026-06-30GIESECKE DEVRIENT MOBILE SECURITY GERMANY GMBH

Patent Information

Authority / Receiving Office
JP · JP
Patent Type
Applications
Current Assignee / Owner
GIESECKE DEVRIENT MOBILE SECURITY GERMANY GMBH
Filing Date
2024-05-17
Publication Date
2026-06-30

AI Technical Summary

Technical Problem

The existing management of xUICC software components, including the operating system and eSIM profiles, is cumbersome due to the complexity of multiple sets of security assets and architectures, making it difficult to achieve flexible, easy, and secure management.

Method used

A method utilizing a single OS load key as the root of trust (RoT) for encrypting and provisioning xUICC operating system, xUICC-specific data, and eSIM profiles, enabling seamless and secure data exchange at various stages of the xUICC lifecycle, including factory provisioning and field use.

Benefits of technology

Enables flexible, simple, and secure management of xUICC software components by ensuring secure data exchange and management operations using a unified encryption key, suitable for various xUICC forms and environments.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure 2026521365000001_ABST
    Figure 2026521365000001_ABST
Patent Text Reader

Abstract

1. A method for provisioning an xUICC which is to host one or more profiles for communication in a mobile communication network, E1) The xUICC provides the OS load key as the root of trust (RoT), E2) A step of loading and installing an xUICC operating system, xUICC OS, encrypted with the OS load key for loading, onto the xUICC, wherein the xUICC OS is designed to enable the reception of one or more eSIM profiles directly or indirectly and installation onto the xUICC; E3) A step of loading and storing xUICC-specific data encrypted with the OS load key for loading into the xUICC, wherein the xUICC-specific data includes at least one GSMA certificate, and authenticates the xUICC having the installed xUICC as authenticated to receive the xUICC eSIM profile and install into the xUICC eSIM profile, E4)* Includes the step of preparing the xUICC for the subsequent download and install step E4), which downloads and installs the eSIM profile encrypted with the OS load key for the download onto the xUICC prepared in steps E1 to E3, A method characterized in that the xUICC operating system xUICC in step E2), the xUICC-specific data in step E3), and the eSIM profile in step E4) are encrypted with the same OS load key provided in step E1).
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] The present invention relates to provisioning an operating system and data and programs to an xUICC.

[0002] Background Art Any secure mobile communication device hosts an xUICC, and the xUICC hosts one or more subscriber profiles or SIM profiles or simply profiles. Each eSIM profile is assigned to a mobile communication network, enabling secure communication of the mobile communication device within the mobile communication network to which the eSIM profile is assigned and with other mobile communication devices and background servers of the mobile communication network within a partner network.

[0003] Regarding xUICC, various form factors are known, including a pluggable SIM card or simply pUICC or pSIM, a soldered or otherwise fixedly attached embedded UICC or simply eUICC or eSIM, and an integrated UICC or simply iUICC or iSIM, which is the function of one or more SIM cards directly integrated into the chipset of a mobile communication device. The iSIM can have external NVM that is within the chipset but located outside the iSIM.

[0004] Current xUICC is provisioned with an operating system in a secure manufacturing environment. After the operating system is implemented on the xUICC, one or more profiles are provisioned to and implemented on the xUICC.

[0005] Conventional pUICC (SIM card) has conventionally been provisioned with eSIM profiles in a secure GSMA authentication manufacturing environment compliant with the authentication regulations of the GSM Association, GSMA (GSM = Group Special Mobile).

[0006] The more advanced xUICC can be remotely provisioned over the air OTA from a provisioning server, along with eSIM profiles and updates to eSIM profiles already present in the xUICC.

[0007] Several categories of mobile communication devices are known, including consumer mobile communication devices such as smartphones and smartphone companion devices (e.g., smartwatches), automotive mobile communication devices that may be hosted in vehicles such as cars or trucks, and IoT mobile communication devices that connect things in the Internet of Things (IoT).

[0008] The GSM Association (GSMA) publishes several industry specifications that, while formally non-binding, are considered de facto standards within the industry.

[0009] Most market participants in the field of mobile communications networks, particularly mobile network operators and manufacturers of mobile communications devices, require that xUICC comply with GSMA specifications.

[0010] Reference [1] [SGP.22 v3.0] The SGP.22 GSMA RSP Technical Specification, Version 3.0, draft dated October 19, 2022, describes procedures for provisioning profiles to xUICCs hosted on consumer mobile communications devices and for managing xUICC profiles by enabling, disabling, and deleting profiles, for example.

[0011] References [2][SGP.31]SGP.31 GSMA eSIM IoT Architecture and Requirements Version 1.0, April 19, 2022, and [3][SGP.32]SGP.32 GSMA eSIM IoT Technical Specification (not published as of the filing date of this application) describe procedures for provisioning profiles to an xUICC hosted within an IoT mobile communications device and for managing profiles within the xUICC by enabling, disabling, and deleting profiles, for example.

[0012] Reference [4][SGP.42] SGP.42 Remote Provisioning Architecture in GSMA-Factory Provisioning Technical Specification (not published as of the filing date of this application) describes a procedure for provisioning a profile to an xUICC in an in-factory provisioning configuration, the xUICC being for some or all procedural steps of which it is not yet mounted to its final target mobile communications device, but mounted to a manufacturing machine for provisioning an operating system and / or one or more profiles to the xUICC, and only after some or all steps of provisioning an operating system and / or one or more profiles have been performed, it is mounted to the final target mobile communications device.

[0013] Reference [1][SGP.22 v3.0] SGP.22, chapter 2.4.2 describes the certificates that must be included in entities of the RSP architecture in order to perform RSP operations such as profile download or profile management, particularly enabling, disabling, and deleting profiles. During each RSP operation, the applicable certificate is verified, and if certificate verification fails, the RSP operation is aborted.

[0014] For example, in eUICC by SGP.22, the embedded UICC Control Authority Security Domain ECASD, which is responsible for securely storing the credentials necessary to support the required security domains on eUICC, shall include the UICC private key(s) (SK.EUICC.SIG) for creating digital signatures, the eUICC public key(s) (PK.EUICC.SIG) for eUICC authorization, the eUICC certificate(s) (CERT.EUICC.SIG) for eUICC authorization, the eSIM certificate issuer (CI) RootCA public key(s) (PK.CI.SIG) for verifying off-card entity certificates (e.g., SM-DP+) and certificate revocation lists (CRLs). Further certificates may or should be included.

[0015] Among the profiles are known operational profiles that enable a mobile communications device hosting an xUICC with that operational profile to perform normal communications on a mobile communications network. In addition to operational profiles, there are known restricted or limited profiles, such as provisioning profiles and bootstrap profiles, which enable limited communications on a mobile network, such as communications limited enough to retrieve operational profiles and download them to the xUICC.

[0016] Reference [1] [SGP.22 v3.0] SGP.22, chapter 2.4.5 states that a profile (eSIM profile) may contain or consist of profile components. • One MNO-SD • Supplemental Security Domains (SSD) and CASD Applet • Applications, for example, NFC applications NAA Other elements of the file system • Profile metadata, including profile policy rules.

[0017] The description of SIM profiles in reference [1][SGP.22 v3.0]SGP.22 also applies to eSIM profiles provisioned or managed in the process of one or more of references [2][SGP.31]SGP.31, [3][SGP.32], and [4][SGP.42]SGP.42.

[0018] Generally, an eSIM profile is provisioned to the xUICC in the form of a profile bundle. To provision the eSIM profile to the xUICC, the profile bundle is loaded into the xUICC, and the contents of the profile bundle are installed into the xUICC. In addition to the profile, the profile bundle may include the operating system OS that will be installed on the xUICC before the profile is installed. Furthermore, the profile bundle may include xUICC-specific data for the xUICC, which may include the xUICC identifier, EID, and further xUICC-specific data. After provisioning the desired eSIM profile (and the OS and / or xUICC-specific data, especially the EID, if applicable) to the xUICC, the xUICC is installed on the mobile communication device.

[0019] The contents of a profile bundle can be provisioned into xUICC as separate functional data elements such as the operating system, certificates, and profiles.

[0020] Alternatively, xUICC-specific data, the operating system, and one or more profiles can be provisioned to the xUICC within a single profile bundle.

[0021] Content can be provisioned to xUICC in the sense that a binary large object (BLOB) is provisioned to xUICC. The BLOB is a memory image containing all the necessary functional data elements of the content, which is stored in xUICC and can provide xUICC with the functional data elements of the BLOB that correspond to the functional data elements of the BLOB. The BLOB can be transferred as a whole to one or more scheduled memory locations in xUICC in order to install the functional into xUICC.

[0022] Regarding BLOBs, several options are possible. A BLOB can contain only xUICC-specific data for xUICC, which may include the xUICC's EID. A BLOB can contain only the operating system (OS). A BLOB can contain only the profile. A BLOB can contain xUICC-specific data and the operating system. A BLOB can contain xUICC-specific data for xUICC, which may include the EID, operating system (OS), and profile (or multiple profiles).

[0023] Figure 1 shows the provisioning and management of eSIM profiles in xUICC, including profile provisioning in a factory provisioning scenario using [S1][4][SGP.42]SGP.42, profile management in an IoT remote SIM provisioning RSP scenario via eSIM IoT remote manager eIM using [S2][3][SGP.32]SGP.32, and profile management in an IoT or consumer remote SIM provisioning RSP scenario via SM-DP+ provisioning server using [S3][3][SGP.32]SGP.32.

[0024] Figure 1 [S1] shows an SGP.42 service server and an xUICC communicatively connected to the SGP.42 service server. The SGP.42 service server and the xUICC are located at a chip, module, or device manufacturing site [4] [SGP.42] and are located in an in-factory provisioning (IFPP) setup by SGP.42. The SGP.42 service server provisions a binary large object BLOB to the xUICC.

[0025] As shown in Figure 1, there are multiple options for the BLOB. A BLOB can be provided that contains only xUICC-specific data for the xUICC, which may include the EID of the xUICC. A BLOB that contains only the operating system OS can be provided. A BLOB that contains only a profile can be provided. One, two, or at least three of the BLOBs described can be provisioned to the xUICC as separate BLOBs. A BLOB that contains xUICC-specific data and the operating system can be provided and provisioned to the xUICC. A BLOB that contains the certificate of the xUICC indicated by the EID, the operating system OS, and the profile (or profiles) can be provided and provisioned to the xUICC.

[0026] After an xUICC with one or more eSIM profiles is installed in a mobile communication device, the eSIM profiles can be remotely managed from a profile management server.

[0027] Figure 1 [S2] shows profile management in the IoT remote SIM provisioning RSP scenario according to [3] [SGP.32] SGP.32 via the eSIM IoT remote manager eIM. The xUICC containing the eSIM profile to be managed already exists in the mobile communication device. The eSIM IoT remote manager eIM performs management operations on the eSIM profiles installed in the xUICC, such as activation, deactivation, or deletion of the eSIM profiles.

[0028] Figure 1 [S3] shows profile management in the IoT or consumer remote SIM provisioning RSP scenario according to [3] [SGP.32] SGP.32 via the SM-DP+ provisioning server. The SM-DP+ provisioning server performs management operations on the eSIM profiles installed in the xUICC, such as activation, deactivation, or deletion of the eSIM profiles.

[0029] The EUM (EUM = eUICC manufacturer referenced in [1] [SGP.22 v3.0] SGP.22), the xUICC manufacturer, utilizes unique security assets such as keys, serial numbers, and / or in some cases the manufacturer's certificate of the xUICC to protect the provisioning of the operating system to the xUICC. The EUM security assets such as certificates and keys are different from the GSMA RSP certificates and keys that are used later for profile provisioning. At the time when the operating system is provisioned to the xUICC, the GSMA certificates and keys do not yet exist within the xUICC.

[0030] Furthermore, after the eSIM profile has been provisioned to the xUICC, it may be desirable to perform management operations on the xUICC's operating system (OS). Such management may include loading and installing the entire OS to the xUICC, completing the OS for partially loaded and / or partially installed OSs, activating OSs that have not yet been activated or deactivated, OS updates, OS patching, OS suspension, OS resume, and OS termination.

[0031] To manage the operating system (OS), security assets such as xUICC manufacturer or EUM keys, serial numbers, and / or possibly certificates must be used.

[0032] The existence of two or more sets and architectures of security assets—security assets from the xUICC manufacturer or EUM, and security assets from the GSMA—and potentially even more, along with the complexity of fully scope-managing xUICCs that cover the operating system OS and profiles, makes the process cumbersome.

[0033] It would be desirable to have a flexible, simple, and secure security solution for xUICC that allows for flexible management of xUICC's software components, including the xUICC's operating system OS and eSIM profile (or multiple eSIM profiles).

[0034] Objective of the present invention The objective of the present invention is to provide an xUICC solution that enables flexible, easy, and secure management of xUICC software components, including the xUICC operating system and eSIM profile.

[0035] Summary of the Invention The object of the present invention is achieved by an implantation system having the following features as described in claim 1. Embodiments of the present invention are presented in the dependent claims.

[0036] More specifically, the object of the present invention is achieved by a method for provisioning an xUICC which is to host one or more profiles for communications in a mobile communications network, and the method is E1) In xUICC, the step of providing the OS load key as the root of trust (RoT), E2) A step of loading and installing an xUICC operating system, xUICC OS, encrypted with an OS load key for loading, onto xUICC, wherein xUICC OS is designed to allow one or more eSIM profiles to be received directly or indirectly and installed on xUICC, and E3) A step of loading and storing xUICC-specific data encrypted with an OS load key for loading into xUICC, wherein the xUICC-specific data includes at least one GSMA certificate, and authenticates the xUICC having installed xUICC as authenticated to receive and install xUICC eSIM profiles into xUICC eSIM profiles. E4)* Includes the step of preparing xUICC for subsequent download and installation step E4), which involves downloading and installing the eSIM profile encrypted with the OS load key for download to the xUICC prepared in steps E1-E3.

[0037] This method is characterized in that the xUICC operating system xUICC in step E2), the xUICC-specific data in step E3), and the eSIM profile in step E4) are encrypted with the same OS load key provided in step E1).

[0038] The use of the same OS load key, which functions as the Root of Trust (RoT) for encrypting the xUICC operating system elements in step E2), xUICC-specific data in step E3), and the eSIM profile in step E4), enables seamless and secure provisioning of all elements at different stages of the xUICC lifecycle. This solution allows for flexible selection of various data sources to provision data from data sources to xUICC, such as OS and xUICC-specific data services (which may include certificate data services), IFPP facilities, eIM, SM-DP+, and OTA servers, and enables each data source to securely exchange data with xUICC based on the OS load key as the Root of Trust. The data sources may be located either inside or outside a secure manufacturing environment. In particular, secure data exchange between the data source and xUICC is easily possible even outside a secure manufacturing environment.

[0039] Therefore, the method provides an xUICC solution that enables flexible, simple, and secure management of xUICC software components, including the xUICC operating system and eSIM profile.

[0040] According to some embodiments, each piece of data downloaded to the xUICC in an encrypted form with an OS load key (in particular xUICC-specific data, OS, eSIM profile) is decrypted by the xUICC and then stored or installed in the xUICC. This type of embodiment is particularly preferred for xUICCs having the form factor of a plug-in SIM, pSIM, or embedded SIM, or eSIM, which store each piece of data (in particular xUICC-specific data, OS, eSIM profile) in the xUICC's internal memory, in particular non-volatile memory NVM.

[0041] According to some embodiments, the decrypted data (in particular xUICC-specific data, OS, eSIM profile) is re-encrypted with a different key and then stored or installed in the xUICC. This type of embodiment is particularly preferred for xUICCs having the form factor of an integrated SIM, iSIM, where the respective data (in particular xUICC-specific data, OS, eSIM profile) is stored in the external memory of the xUICC, in particular non-volatile memory NVM, in particular the external memory / NVM of the chipset of the device in which the iUICC is integrated.

[0042] According to several embodiments, each piece of data (in particular xUICC-specific data, OS, eSIM profile) is downloaded to the xUICC in an encrypted form with the OS load key, stored or installed on the xUICC in an encrypted form, and remains encrypted with the OS load key. This type of embodiment is generally suitable for any type of xUICC, including pSIM, eSIM, and iSIM.

[0043] According to some embodiments, the method further includes a download and install step E4) which downloads and installs the eSIM profile prepared in steps E1-E3 to xUICC. Here, for download, the eUICC is encrypted with the OS load key.

[0044] According to some embodiments, xUICC OS is a) Operating xUICC OS having the capability to directly enable the reception and installation of one or more eSIM profiles in xUICC, b) In order to convert a non-working xUICC operating system into a working xUICC operating system OS, one or more OS management steps are required to be performed on the non-working xUICC operating system OS, c)a) A limited operating system OS having limited operational capabilities to enable the download and installation of the xUICC operating system, d)c) as a specific limited operation xUICC operating system OS, boot loader, in particular EUM boot loader, It is one of them.

[0045] According to some embodiments, in step E2) or after step E2), an embedded UICC control authority security domain ECASD by GSMA is installed on xUICC, and in step E3), xUICC-specific data is stored in the embedded UICC control authority security domain ECASD.

[0046] According to some embodiments, xUICC-specific data is -xUICC identifier EID, - The xUICC private key (or multiple private keys) (SK.EUICC.SIG) for creating a digital signature. -xUICC certificate(s)(CERT.EUICC.SIG) for xUICC authorization, including the public key(s)(PK.EUICC.SIG) of xUICC, - The Root CA public key (or multiple public keys) (PK.CI.SIG) of the eSIM certificate issuer (CI) to verify the off-card entity certificate (e.g., SM-DP+), - Certificate Revocation List (CRL) - One or more optional certificates, - The ultralight bootstrap ULB profile is designed to allow the download of at least that portion of the profile during the authentication process between xUICC and the profile server that provides at least a portion of the profile. This includes one, more, or all of the following.

[0047] In particular, xUICC-specific data may include, at a minimum, all required certificate data under any GSMA specification, including SGP.22, and optionally, any optional certificates under such GSMA specifications.

[0048] According to some embodiments, the method is - After step E2) is performed, which loads and installs the xUICC operating system xUICC OS onto xUICC, the xUICC OS is a) working xUICC operating system OS, and the following further steps are performed, namely, ---E5) Steps to update the xUICC OS, including loading and installing the OS update into xUICC, which is encrypted with an OS load key for loading, or / and ---E5) Steps to patch xUICC, including loading an operating system patch encrypted with an OS load key for loading, loading the OS patch and installing it into xUICC, or / or ---E5) Steps to pause, resume, or terminate the xUICC OS, ---E4) Steps to download and install the eSIM profile encrypted with the OS load key for download to xUICC, This further includes performing one or more of the following.

[0049] According to some embodiments, the method is - After step E2) is performed, which loads and installs the xUICC operating system xUICC OS onto xUICC, the xUICC OS is a non-functional xUICC operating system OS, and the following further steps are performed, i.e., ---E4) Steps to download and install the eSIM profile encrypted with the OS load key for download to xUICC, ---E5) A step of performing one or more OS management steps on a non-working xUICC operating system OS to change a non-working xUICC operating system OS into a working xUICC operating system OS, wherein the OS management step is: **If xUICC is inoperable due to being incomplete, completing the xUICC OS involves loading and installing or applying completion data and / or completion commands encrypted with the OS load key to xUICC,** **If the xUICC OS is not working because it is deactivated, the steps to activate the xUICC OS include one or more of the following: activating the OS, including loading and installing or applying activation commands encrypted with activation data, in particular the activation key, and / or the OS load key, This further includes performing one or more of the following.

[0050] According to some embodiments, the method is - After step E2) is performed, which loads and installs the xUICC operating system xUICC OS onto xUICC, xUICC OS is either c) a limited-operation xUICC operating system OS, or d) a boot loader, specifically an EUM boot loader, and the following further steps are taken, i.e., ---Steps to download and install the xUICC operating system encrypted with the OS load key, ---Steps to perform one or more of the following: Download and install the eSIM profile encrypted with the OS load key to xUICC for download. It also includes.

[0051] According to some embodiments, xUICC is - Physical plug-in SIM card, pSIM, - Embedded UICC, eUICC, - Integrated UICC, iUICC It is one of them.

[0052] According to some embodiments, some steps are performed using xUICC in a factory provisioning environment, and some steps are performed using xUICC in a mobile communication device configured for field use.

[0053] According to some embodiments, in step E1), the OS load key is provisioned to xUICC from the OS and xUICC-specific data service facility.

[0054] According to some embodiments, in step E2), the xUICC operating system xUICC OS is -OS and xUICC specific data service facilities, - Factory Personalization IFPP Facility, -eSIM IoT Remote Manager eIM, or DP+, - Over-the-air OTA server xUICC is provisioned from one of the following.

[0055] According to some embodiments, in step E3), xUICC-specific data is -OS and xUICC specific data service facilities, - Factory Personalization IFPP Facility, -eSIM IoT Remote Manager eIM, or DP+, - Over-the-air OTA server xUICC is provisioned from one of the following.

[0056] According to some embodiments, in step E4), the profile is - Factory Personalization IFPP Facility, -eSIM IoT Remote Manager eIM, or DP+, - Over-the-air OTA server xUICC is provisioned from one of the following.

[0057] According to different embodiments, encryption using an OS load key is - Directly encrypted using the OS load key, - Encrypted using an encryption key derived from the OS load key. It will be materialized as one of them.

[0058] An essential feature of the present invention is that a single, identical OS load key, which establishes a root of trust within the chip, is used to provision the chip the operating system, xUICC-specific data such as EID and certificates, as well as data and programs that utilize the operating system. Herein, the OS load key can be used directly for encryption, or a cryptographic key derived from the OS load key that establishes the root of trust can be used for encryption. The same OS load key (either directly or in the form of a key derived from the OS load key) is also used for operating system updates and data and program updates, particularly for operating system updates after data and programs have been provisioned to the chip. Therefore, the present invention enables easy, secure, and flexible provisioning of the xUICC at all stages of its lifecycle.

[0059] In steps E2), E3), and E4), the loading or download may be performed by different types of embodiments.

[0060] According to the first type of embodiment, the loading or download in steps E2), E3), and / or E4) is performed over the air OTA via the wireless communication interface of the mobile communication network.

[0061] According to the second type of embodiment, the load or download in steps E2), E3), and / or E4) is performed locally via a wired communication interface or a short-range wireless interface such as Bluetooth Low Energy BLE, Ultra Wide Band UWB, or Near Field Communication NFC.

[0062] According to a third type of embodiment, the loading or download in steps E2), E3), and / or E4) may be performed in two steps. Herein, in the first step, the download in steps E2), E3), and / or E4) is performed over-the-air (OTA) via a wireless communication interface of a mobile communication network to a companion device that is not the intended recipient of the loaded or downloaded data. In the second step, the companion device transfers the received data to a target device hosting the xUICC, which is the destination of the data, and the transmission in the second step is performed locally via a wired communication interface or a short-range wireless interface such as Bluetooth Low Energy BLE, Ultra Wide Band UWB, or Near Field Communication NFC. The third type of embodiment is particularly suitable for xUICCs hosted in devices with limited connectivity capabilities, such as many simple IoT devices.

[0063] Next, embodiments of the present invention will be described with reference to the accompanying drawings, where throughout the drawings, similar parts are referred to by the same reference numerals and represent the following: [Brief explanation of the drawing]

[0064] [Figure 1]This figure shows the provisioning and management of xUICC profiles, including IFP profile provisioning via [S1][4][SGP.42]SGP.42, IoT remote SIM management via [2][SGP.31]SGP.31 and [3][SGP.32]SGP.32 through eIM, and remote SIM management via [2][SGP.31]SGP.31 and [3][SGP.32]SGP.32 or [1][SGP.22 v3.0] via SM-DP+. [Figure 2] Based on the setup shown in Figure 1, this is an xUICC solution according to a first embodiment of the present invention, also known as xUICC manufacturing at an OEM, which enables flexible, simple, and secure management of xUICC software components, including the xUICC operating system and profiles. [Figure 3] A second embodiment of the present invention, based on the setup in Figure 1, is an xUICC solution that enables flexible, simple, and secure management of xUICC software components, including the xUICC operating system and profiles, and is also referred to as iUICC manufacturing late binding. [Figure 4] A third embodiment of the present invention, based on the setup in Figure 1, is an xUICC solution that enables flexible, simple, and secure management of xUICC software components, including the xUICC operating system and profiles, and is also referred to as iUICC Manufacturing Over-the-Air.

[0065] Modes for carrying out the invention Figures 2, 3, and 4 illustrate three different types of xUICC solutions, based on the setup of Figure 1, that enable flexible, simple, and secure management of xUICC software components, including the xUICC operating system and profiles, according to three types of embodiments of the present invention. xUICC provides an xUICC identifier EID.

[0066] All three types of embodiments involve the following functional steps, namely: To provide the OS load key to E1-xUICC as the root of trust (RoT), Loading and installing the xUICC operating system xUICC OS, encrypted with the OS load key, onto E2-xUICC. E3 - Loading and installing xUICC-specific data, which may include an EUM bootloader or an ultralight bootloader ULB in some embodiments. Download and install the eSIM profile encrypted with the OS load key on the E4-xUICC. xUICC management encrypted with E5-OS load key, Includes entities built to perform the following actions.

[0067] All three types of embodiments include the following elements:

[0068] The online EUM service 100 is configured to physically enable the exchange of data and commands encrypted with an OS load key between different entities over a communication network.

[0069] For example, a general-purpose secure personalization entity GSP 200 is configured to provide security for communications over a communication network between entities located in different secure manufacturing environments by establishing secure communication channels between different secure manufacturing environments.

[0070] xUICC Manufacturer is located in a safe manufacturing environment, and steps E1, E2, E3, i.e., To provide the OS load key to E1-xUICC as the root of trust (RoT), Loading and installing the xUICC operating system xUICC OS, encrypted with the OS load key, onto E2-xUICC. E3 - Loading and installing xUICC-specific data, which may include an EUM bootloader or an ultralight bootloader ULB in some embodiments. Operating system OS and xUICC-specific data and identity data services, OS, certificate / identity services, 300, configured to run.

[0071] Located in the secure manufacturing environment of the profile provider, steps E2, E3, and E4, namely, Load and install the xUICC OS, an xUICC operating system encrypted with the OS load key, onto the E2-xUICC. E3 - In some embodiments, loading and installing xUICC-specific data may include an EUM bootloader or an ultralight bootloader ULB. Download and install the eSIM profile encrypted with the E4-OS load key to xUICC. Factory provisioning servers, IFPP servers, 400, and SGP.42 compliant IFPP servers, such as SGP.42 SM-DP+ servers, are configured to perform the following:

[0072] IoT provisioning servers 500, in particular SGP.32 compliant IoT provisioning servers such as SGP.32 SM-DP+ servers, can complete steps E4 and E5, i.e., Download and install the eSIM profile encrypted with the E4-OS load key to xUICC. xUICC management encrypted with E5-OS load key, It is configured to execute.

[0073] Figure 2: Services for xUICC manufacturing at OEM Figure 2 shows an xUICC solution, based on the setup of Figure 1, that enables flexible, simple, and secure management of the xUICC software components, including the xUICC operating system and profiles, according to a first embodiment of the present invention, also referred to as xUICC manufacturing at an OEM.

[0074] OS Load Key (RoT), E1: In a secure chipset manufacturing environment, the OS load key is provisioned from the OS, Certificate / ID Service 300 to xUICC to establish a root of trust in xUICC corresponding to step type E1.

[0075] Certificate / EID, E3: In the OEM's secure manufacturing environment, indicated by the dashed box, the xUICC-specific data certificate / EID, which includes the xUICC's EID and can be encrypted with the OS load key, is provisioned to the xUICC from the OS, Certificate / ID Service 300, corresponding to step type E3.

[0076] xUICC OS, E2: In the OEM's secure manufacturing environment, the xUICC operating system, encrypted with the OS load key, is provisioned to the xUICC from the OS, certificate / ID service 300, and implemented on the xUICC, which corresponds to the type E2 step of establishing the chipset firmware in this specification.

[0077] Certificate / EID, E3: Following the provisioning of the xUICC operating system (step type E2), a further GSMA xUICC-specific data certificate / EID, which includes the xUICC's EID and can be encrypted with the OS load key, is provisioned to the xUICC from the OS, Certificate / ID Services, 300, corresponding to the further step of type E3.

[0078] Factory Personalization IFPP, E2, E3, D4: In the OEM's secure manufacturing environment, in particular, the SGP.42 in-factory personalization IFPP facility 400 is provided, which provision one or more blobs encrypted with the OS load key to the xUICC, and provision and install one or more of the xUICC-specific data certificate / EID, operating system OS, and one or more profiles to the xUICC, corresponding to steps E2, E3, and E4.

[0079] BLOB options: The BLOBs can be provided according to the following options: (i) three separate BLOBs encrypted with the OS load key for the xUICC unique data certificate / EID, operating system OS, and one or more profiles; (ii) one common BLOB encrypted with the OS load key for the xUICC unique data certificate / EID and operating system OS, as well as one or more profiles; (iii) one common BLOB encrypted with the OS load key for the xUICC unique data certificate / EID, operating system OS, and one or more profiles.

[0080] OEM implementations of xUICC in devices with modems and IPA: After the OS load key, xUICC-specific data certificate / EID, operating system xUICC OS, and one or more profiles are provisioned to xUICC, xUICC is implemented in an OEM device that includes a modem and IoT Profile Assistant IPA. The IoT Profile Assistant IPA can be used to manage the operating system OS, xUICC-specific data certificate / EID, and profiles installed on xUICC.

[0081] The solution shown in Figure 2 is suitable for different forms of xUICC. In particular, the provisioning of software content to xUICC, especially eUICC or iUICC, is performed independently of the mechanical insertion of the xUICC into devices with LPA or IPA and modems, making it suitable for eUICC and iUICC.

[0082] eIM, DP+, E4: On a device in the field, additional profiles encrypted with the OS load key can be downloaded and installed to xUICC via the SGP.32 eSIM IoT Remote Manager, eIM, 500, or DP+, corresponding to step type E4.

[0083] eIM, DP+, E5, Profile: Furthermore, the SGP.32 eSIM IoT Remote Manager, eIM, or DP+, 500 can send profile management operations encrypted with the OS load key to xUICC in order to perform profile management operations corresponding to step type E5. Profile management can be, in particular, enabling, disabling, or deleting a profile, and the management operations are the commands Profile Enable, Profile Disable, or Profile Delete, respectively, encrypted with the OS load key.

[0084] eIM, DP+, E5, OS: Furthermore, by the SGP.32 eSIM IoT Remote Manager, eIM, or DP+, 500, operating system management operations encrypted with the OS load key can be sent to xUICC to perform management operations on the xUICC operating system xUICC OS corresponding to step type E5. These management operations may, in particular, be updates to the xUICC operating system xUICC OS, encrypted with the OS load key and sent to xUICC.

[0085] eIM, DP+, E5, Certificate / EID: Furthermore, the SGP.32 eSIM IoT Remote Manager, eIM, or DP+, 500 can send xUICC-specific data management operations encrypted with the OS load key to the xUICC to perform management operations on xUICC-specific data corresponding to step type E5. The management operations may, in particular, be updates or revocations of xUICC-specific data, which are encrypted with the OS load key and sent to the xUICC.

[0086] Figure 3: xUICC / iUICC manufacturing "late binding" Figure 3 shows an xUICC solution, based on the setup of Figure 1, that enables flexible, simple, and secure management of xUICC software components, including the xUICC operating system and profiles, according to a second embodiment of the present invention, also known as xUICC / iUICC manufacturing late binding.

[0087] As long as Figure 3 is similar to Figure 2, the elements and features described with reference to Figure 2 are also valid for the embodiment in Figure 3 as appropriate.

[0088] OS Load Key (RoT), E1: In a secure chipset manufacturing environment, the OS load key is provisioned from the OS, Certificate / ID Service 300 to xUICC to establish a root of trust in xUICC corresponding to step type E1.

[0089] In-Factory Personalization (IFPP), E2, E3, E4: Unlike the embodiment in Figure 2, in the embodiment in Figure 3, the operating system xUICC OS and xUICC-specific data certificate / EID are provided to the xUICC only in the later stages of the manufacturing process. Specifically, in the OEM's secure manufacturing environment, an in-factory personalization IFPP facility 400 is provided, in particular by SGP.42, by which one or more blobs encrypted with the OS load key are provisioned to the xUICC, and one or more of the xUICC-specific data certificate / EID, operating system OS, and one or more profiles are provisioned and installed to the xUICC, corresponding to steps of types E2, E3, and E4. One or more blobs are transferred from the in-factory personalization IFPP facility 400 to the xUICC via a late-binding edge box that includes the functionality of the IoT Profile Assistant IPA to enable the secure transmission of the blobs to the xUICC, which has not yet been implemented in the device.

[0090] In the xUICC / iUICC manufacturing "late binding" embodiment shown in Figure 3, only the OS load key, which establishes a trust base for further processing of the xUICC content, is loaded and stored or installed on the xUICC within the chipset manufacturer's manufacturing environment in the early stages of the xUICC manufacturing process. Further steps, including loading and installing the xUICC OS operating system (E2), loading and storing or installing xUICC-specific data (E3), and loading profiles (E4), are performed only in later stages by the in-factory personalization IFPP facility 400.

[0091] OEM implementations of xUICC in devices with modems and IPA: This is done as explained with reference to Figure 2.

[0092] The solution shown in Figure 3 is suitable for different forms of xUICC. In particular, provisioning software content to xUICC, especially eUICC or iUICC, is suitable for eUICC and iUICC because it is performed independently of the mechanical insertion of xUICC into devices with LPA or IPA and modems. In particular, late binding and delayed loading of the operating system xUICC OS, xUICC-specific data certificate / EID, and profile is suitable for integrated UICC and iUICC.

[0093] eIM, DP+, E4: These steps are carried out as described with reference to Figure 2.

[0094] eIM, DP+, E5, profile, OS, certificate / EID: These steps are carried out as described with reference to Figure 2.

[0095] Figure 4: xUICC / iUICC manufacturing "over-the-air" Figure 4 shows an xUICC solution, based on the setup of Figure 1, that enables flexible, simple, and secure management of xUICC software components, including the xUICC operating system and profiles, according to a third embodiment of the present invention, also known as xUICC Manufacturing Over-the-Air.

[0096] To the extent that Figure 4 is similar to Figure 2 and / or Figure 3, the elements and features described with reference to Figure 2 and / or Figure 3 are also valid in the embodiment of Figure 4 as appropriate.

[0097] OS Load Key (RoT), E1: As shown in Figure 4, in a secure chipset manufacturing environment, corresponding to step E1, the OS load key is provisioned to xUICC from the OS, Certificate / ID Service 300, in order to establish the root of trust in xUICC.

[0098] Certificate / EID, E3 and xUICC OS, E2: As shown in Figure 4, in the OEM's secure manufacturing environment indicated by the dashed box, at least an xUICC-specific data certificate / EID encrypted with the OS load key is provisioned to xUICC from the OS, Certificate / ID Service 300.

[0099] According to Option A, only the xUICC-specific data certificate / EID encrypted with the OS load key is provisioned to xUICC from the OS, Certificate / ID Service 300, and provides some initial connectivity that allows devices to later implement xUICC to download the xUICC operating system xUICC OS and profile to xUICC.

[0100] According to Option B, in addition to the xUICC-specific data certificate / EID, a base xUICC operating system called an ultralight bootstrap operating system (ULB OS), encrypted with the OS load key, is provisioned from the xUICC-specific data certificate / EID, encrypted with the OS load key, and provisioned from the OS, Certificate / ID Service 300 to xUICC.

[0101] OEM implementations of xUICC in devices with modems and IPA: After the OS load key, xUICC-specific data certificate / EID, and, in the case of option B, the ULB OS are provisioned to xUICC, xUICC is implemented in the OEM device, including the modem and IoT Profile Assistant IPA. The IoT Profile Assistant IPA allows management of the operating system OS, xUICC-specific data certificate / EID, and profiles installed on xUICC. In option A, the device must provide initial connectivity to download the xUICC OS and profiles. In option B, the initial connectivity to download the fully operational xUICC operating system OS and profiles is provided by the ULB OS previously provisioned to xUICC.

[0102] Over-air, E2, E3, E4: The OTA server is used to provision the following items to xUICC, encrypted with the OS load key: E2: xUICC operating system xUICC OS; E3: further xUICC-specific data; E4: one or more profiles.

[0103] eIM, DP+, E4: These steps are carried out as described with reference to Figure 2.

[0104] eIM, DP+, E5, profile, OS, certificate / EID: These steps are carried out as described with reference to Figure 2.

[0105] Reference code for a functional step or step type: E1 - Provides the OS load key as the Root of Trust (RoT). Loading and installing the xUICC OS, encrypted with the E2-OS load key. Loading and installing xUICC-specific data in several embodiments, including E3-ULB, Download and install the eSIM profile encrypted with the E4-OS load key. xUICC management encrypted with E5-OS load key.

[0106] References [1][SGP.22 v3.0] GSMA RSP Technical Specification Version 3.0, Draft, October 19, 2022 [2][SGP.31]GSMA SGP.31 eSIM IoT Architecture and Requirements Version 1.0, April 19, 2022 [4][SGP.32]GSMA SGP.32 eSIM IoT Technical Specification (Not published as of the filing date of this application) [5][SGP.42] Remote Provisioning Architecture in SSGMA GP.42 Factory Provisioning Technical Specification (Not published as of the filing date of this application)

Claims

1. A method for provisioning xUICC which is to host one or more profiles for communications in a mobile communications network, E1) The step of providing the OS load key as the root of trust (RoT) in the xUICC, E2) A step of loading and installing an xUICC operating system xUICC OS encrypted with the OS load key for loading onto the xUICC, wherein the xUICC OS is designed to enable the direct or indirect reception and installation of one or more eSIM profiles onto the xUICC. E3) A step of loading and storing xUICC-specific data encrypted with the OS load key for loading into the xUICC, wherein the xUICC-specific data includes at least one GSMA certificate, and authenticates the xUICC having the installed xUICC as authenticated to receive the xUICC eSIM profile and install it into the xUICC eSIM profile, E4) The step of preparing the xUICC prepared in steps E1 to E3 for a later download and install step E4), which involves downloading and installing the eSIM profile encrypted with the OS load key for the download to the xUICC prepared in steps E1 to E3. A method characterized in that the xUICC operating system xUICC in step E2), the xUICC-specific data in step E3), and the eSIM profile in step E4) are encrypted with the same OS load key provided in step E1).

2. The method according to claim 1, further comprising the download and install step E4) downloading and installing the eSIM profile encrypted with the OS load key for download to the xUICC prepared in steps E1 to E3.

3. The aforementioned xUICC OS is, a) An operating xUICC operating system OS having the capability to directly receive one or more eSIM profiles and install them into the xUICC. b) A non-operating xUICC operating system that requires one or more OS management steps to be performed on the non-operating xUICC operating system in order to be converted into an operating xUICC operating system as a), c) A limited-operation xUICC operating system OS having limited operational capability to enable the download and installation of the xUICC operating system as a), The method according to claim 1 or 2, wherein the boot loader is one of the following: d) c) a specific limited operation x UICC operating system OS, in particular an EUM boot loader.

4. The method according to any one of claims 1 to 3, wherein in step E2) or after step E2) an embedded UICC control authority security domain ECASD by GSMA is installed on the xUICC, and in step E3) the xUICC-specific data is stored in the embedded UICC control authority security domain ECASD.

5. The aforementioned xUICC-specific data is, The xUICC identifier EID of the aforementioned xUICC, The private key (or multiple private keys) of the aforementioned xUICC for creating a digital signature (SK.EUICC.SIG), The public key(s)(PK.EUICC.SIG) of xUICC, along with the certificate(s)(CERT.EUICC.SIG) of the said xUICC for authorization, The RootCA public key (or multiple public keys) (PK.CI.SIG) of the eSIM certificate issuer (CI) to verify the off-card entity certificate (e.g., SM-DP+). Certificate revocation list (CRL), One or more optional certificates, An ultralight bootstrap ULB profile designed to allow the download of at least a portion of the profile during an authorization procedure between the xUICC and the profile server that provides at least a portion of the profile, The method according to any one of claims 1 to 4, comprising one, more, or all of the above.

6. After step E2) is performed, which involves loading and installing the xUICC operating system xUICC OS onto the xUICC, the xUICC OS is a) operating xUICC operating system OS, and the following further steps are performed, namely, E5) Updating the xUICC OS, including loading and installing the OS update encrypted with the OS load key for loading, to the xUICC, or / or E5) A step of patching the xUICC, including loading an operating system patch encrypted with the OS load key for loading and installing the OS patch on the xUICC, or / or E5) Steps to pause, resume, or terminate the xUICC OS, E4) A step of downloading and installing the eSIM profile encrypted with the OS load key for the download to the xUICC, The method according to any one of claims 1 to 5, further comprising performing one or more of the following:

7. After step E2) is performed, which involves loading and installing the xUICC operating system xUICC OS onto the xUICC, the xUICC OS is a non-operating xUICC operating system OS, and the following further steps are taken: E4) A step of downloading and installing the eSIM profile encrypted with the OS load key for the download to the xUICC, E5) A step of converting a non-operating xUICC operating system OS into an operating xUICC operating system OS by performing one or more OS management steps on the non-operating xUICC operating system OS, wherein the OS management step is: **If the xUICC is inoperable due to being incomplete, completing the xUICC OS includes loading and installing or applying completion data and / or completion commands encrypted with the OS load key to the xUICC.** **If the xUICC OS is not operating because it is deactivated, the steps include one or more of the following: activating the OS, which includes loading and installing activation data, in particular an activation key, or / or applying an activation command encrypted with the OS load key to the xUICC OS, The method according to any one of claims 1 to 5, further comprising performing one or more of the following:

8. After step E2) is performed, which involves loading and installing the xUICC operating system xUICC OS onto the xUICC, the xUICC OS is either c) a limited-operation xUICC operating system OS, or d) a boot loader, particularly an EUM boot loader, and the following further steps are taken, namely: The steps include downloading and installing the xUICC operating system encrypted with the aforementioned OS load key, A step of performing one or more of the steps of downloading and installing the eSIM profile encrypted with the OS load key to the xUICC for the aforementioned download, The method according to any one of claims 1 to 5, further comprising:

9. The aforementioned xUICC is, Physical plug-in SIM card, pSIM, Embedded UICC, eUICC, or embedded SIM, eSIM, Integrated UICC, iUICC, or Integrated SIM, iSIM The method according to any one of claims 1 to 8, which is embodied as one of the following.

10. The method according to any one of claims 1 to 9, wherein some steps are performed using the xUICC in an in-factory provisioning environment, and some steps are performed using the xUICC in a mobile communication device configured for field use.

11. The method according to any one of claims 1 to 10, wherein in step E1), the OS load key is provisioned to the xUICC from the OS and the xUICC-specific data service facility (300).

12. In step E2), the xUICC operating system xUICC OS is: OS and xUICC specific data service facilities (300), Factory Personalization IFPP Facility (400) eSIM IoT Remote Manager eIM, or DP+ (500), Over-the-Air OTA Server The method according to any one of claims 1 to 11, wherein the xUICC is provisioned from any one of the following.

13. In step E3), the xUICC-specific data is OS and xUICC specific data service facilities (300), Factory Personalization IFPP Facility (400) eSIM IoT Remote Manager eIM, or DP+ (500), Over-the-Air OTA Server The method according to any one of claims 1 to 12, wherein the xUICC is provisioned from any one of the following.

14. In step E4), the profile is Factory Personalization IFPP Facility (400) eSIM IoT Remote Manager eIM, or DP+ (500), Over-the-Air OTA Server The method according to any one of claims 1 to 14, wherein the xUICC is provisioned from any one of the following.

15. The encryption using the aforementioned OS load key is Encrypted directly using the aforementioned OS load key, Encrypted using the encryption key derived from the aforementioned OS load key. The method according to any one of claims 1 to 14, which is embodied as one of the following.