A leading European Matter OEM partnered with Snowball OBIS to manufacture over one million devices per month across five ODM factories in three countries — with every private key securely generated and stored inside HSMs.
A leading European Matter OEM with a global retail presence spanning 400+ stores across 50+ markets.
The company operates both as a Matter device manufacturer and a VID-scoped Product Attestation Authority (PAA), managing its own root CA at the top of the Matter device attestation trust chain.
Production footprint:
The customer began commercial Matter production in 2025 and launched its first products in January 2026. Monthly production surpassed one million devices during 2026 and continues to grow, with additional products already in development.
The OEM’s security team defined two non-negotiable requirements:
The principles were straightforward. Implementing them at production scale was not.
The challenge wasn’t only protecting the OEM’s signing infrastructure — it was securing the entire provisioning process across a distributed manufacturing environment:
That combination forced the team to evaluate — and ultimately reject — three standard industry approaches.
The team evaluated three standard approaches. Each worked in some environments. None matched this customer's requirements.
Every silicon vendor used different provisioning formats, workflows, and lead times. The customer's portfolio spanned 21 products across four chip vendors, making operations difficult to standardize and scale.
The model also stopped at the chip factory. Post-production operations — such as credential rotation, reprovisioning, and OEM-controlled attestation workflows — had no practical path forward.
Cloud-based provisioning depended on stable, real-time connectivity during manufacturing. Across factories in Thailand, Vietnam, and China, cross-border network reliability was inconsistent. Any outage could interrupt active production batches across multiple factories simultaneously.
The approach also assumed ODM factory teams could integrate and maintain secure provisioning systems themselves. Most lacked in-house cryptography expertise.
This approach proved operationally unworkable.
Every new product, SoC, or provisioning flow would require the OEM security team to travel onsite and perform new key injection ceremonies. It also meant transferring day-to-day operational control of sensitive key infrastructure to ODM-operated factories.
The result wasn't a one-time deployment cost — it was an ongoing cycle of manual operations, recurring travel, and reduced cryptographic control.
SNOWBALL entered the project through independent recommendations from both an ODM partner and a silicon vendor. What SNOWBALL proposed wasn't simply a better PKI service or a better factory HSM. The problem wasn't a tooling problem — it was an operating model problem.
All three traditional approaches shared the same assumption: the system deciding whether a cryptographic operation is allowed must also execute that operation in the same place.
OnBoard™ IoT Security (OBIS) separates those two responsibilities. The OEM keeps control in the cloud. Factories execute locally.
The platform combines:
The OEM authorizes operations. The factory executes only what has been authorized.
Every factory operation — issuing Matter DACs, provisioning OTA keys, enabling Secure Debug, or programming firmware — requires a signed authorization issued by the OEM.
Each authorization is scoped by:
Factories cannot operate outside those boundaries.
Each factory runs an EdgeHSM appliance built on an EAL5+ secure element.
EdgeHSM verifies every authorization before allowing any provisioning operation. Any request outside the approved scope is rejected automatically.
All sensitive cryptographic material remains inside hardware security boundaries at all times:
No factory operator, ODM partner, or production system ever handles private keys in cleartext.
Once an authorization package is delivered to EdgeHSM, production can continue offline for the approved duration.
Factories do not depend on continuous cloud connectivity during manufacturing.
If cross-border network links fail:
OBIS ships as a complete system.
ODM teams install the provided Factory Service, EdgeHSM, and programming station software bundle rather than building custom provisioning infrastructure themselves.
This is what allowed new factories to come online in days instead of months.
The OEM creates the product in OBIS, configures required cryptographic assets, and defines manufacturing rules — including the maximum production quantity allowed.
The ODM is then invited into the product workspace.
The ODM uploads firmware signed with the OEM-approved secure boot key and configures:
The resulting Product Version becomes a reproducible production snapshot.
The OEM reviews and approves the Product Version, locking it as the authorized manufacturing reference.
The ODM creates production batches tied to a specific factory, quantity, and production window.
Factories can create multiple batches over time, but cumulative production can never exceed the OEM-defined quota.
The encrypted Production Batch is delivered to EdgeHSM.
Programming stations provision devices under EdgeHSM enforcement:
Production and audit records sync back to the cloud portal within minutes.
The OEM security team can monitor production across all factories from a single dashboard.
When a returned unit requires rework, Secure Debug access can be reopened within the authorization scope already approved by the OEM.
EdgeHSM performs the cryptographic operation internally while keeping the authentication keys protected inside hardware boundaries.
No manual key handling or escalation process is required.
No system is free of operational cost. The OEM accepted several practical trade-offs:
