2022-11-09 02:03 AM
I am trying to use MAC with my STSAFE-A110, in order to further restrict access.
I would have expected a function similar to establishing a public key, i.e. StSafeA_PutPublicKeySlot(...), but I can only find StSafeA_PutAttribute.
Are we really supposed to set up the symmetric HMAC key with PutAttribute?
StSafeA_ResponseCode_t StSafeA_PutAttribute(
    StSafeA_Handle_t *pStSafeA,
    uint8_t InAttributeTag, // e.g. STSAFEA_TAG_HOST_KEY_SLOT
    const uint8_t *pInData,
    uint16_t InDataSize,
    uint8_t InMAC);
The HMAC key should be "write once". Once the HMAC key is established, we should not be able to change it.
2022-12-13 08:29 PM
Thank you very kindly for your patience in explaining.
Finally I understand I cannot change it on the STSAFA110S8SPL02. It has already been set.
After careful consideration, I have decided to not pursue HMAC in order to keep my supply chain simple.
Thankfully, I have thought of an alternative solution, which is actually more secure than using an HMAC key (which is stored in my device in local encrypted flash memory, not very securely).
Thank you for all of your help Benjamin. =)
If you are curious, here is my alternative solution:
For context: my mobile app verifies if my hardware product is genuine by challenging the STSAFE module.
The problem: My mobile app has no internet connection requirement, so it is difficult for the app to detect if a counterfeit device is forwarding the challenges via the internet to genuine STSAFE modules that a bad actor purchased from me. However, my app does typically have an accurate date & time.
By having all apps request many signatures (~1000) at the same moment in time, in the entire world, it will DDoS any attacker who is trying to forward requests to a few genuine STSAFE modules. An attacker would need to purchase 1 genuine STSAFE module from me per counterfeit device, which would be cost prohibitive. This means, even without an HMAC to restrict signature generation, a single STSAFE will not be able to generate signatures fast enough for more than a few users.