As September gathers pace, the semiconductor story on post-quantum cryptography (PQC) is broadening from “roadmaps” to tangible building blocks across tool-chains, firmware, and controllers.

What’s new (and useful) right now

• STMicroelectronics ships a PQC firmware pack with NIST-validated primitives. The X-CUBE-PQC library for STM32H563xx adds ML-KEM and ML-DSA with CAVP validation, alongside LMS/XMSS support—aimed at secure boot, updates, and crypto-agility in embedded designs. This is a practical on-ramp for engineering teams that want to prototype PQC now on mainstream Cortex-M33 MCUs.
• Microchip bakes PQC into its embedded controller line for PCs and edge systems. The MEC175xB familyis positioned for CNSA 2.0 transitions, with built-in support for ML-KEM, ML-DSA, and LMS to harden secure boot and firmware verification—useful for OEMs who need silicon-level assurances in platform controllers.
• NXP maps PQC into the hardware root of trust. In its post-quantum security overview, NXP explicitly targets fast secure boot, secure debug/update, and authenticated messaging with PQC anchored in the root of trust—helpful framing for teams planning staged migrations and hybrid deployments.
• Infineon’s certification milestone sets a bar for assurance. Separate from its MCU news, Infineon (with Germany’s BSI) announced the first Common Criteria EAL6 certification for a PQC algorithm implementation (ML-KEM) in a security controller—relevant for sectors that treat formal evaluation as table stakes.

Why it matters

• Secure-boot and update paths are going quantum-ready first. Across vendors, the earliest PQC touchpoints are firmware verification and update flows (LMS/XMSS today; lattice schemes gaining traction), which is exactly where long-lived devices face the highest risk exposure.
• Validation beats aspiration. ST’s CAVP notes and Infineon’s Common Criteria work signal a shift from slideware to artifacts that auditors can actually check.
• Crypto-agility is the common theme. Libraries and controllers are being shaped to run classical + PQC (hybrid) and evolve as NIST profiles and CNSA 2.0 timelines harden in procurement.

What to watch through month-end

• Tooling for key provisioning and hybrid signing that reduces developer friction on first deployments (e.g., LMS today, lattice tomorrow).
• Clearer performance+latency data for PQC secure-boot on resource-constrained MCUs (boot times, memory budgets).
• Any vendor moves timed to late-September events that push PQC from pilots to default options in new silicon spins.

Editor’s note: We’re tracking additional September drops; expect a consolidated end-of-month piece tying these building blocks to CNSA 2.0 adoption paths and sector-specific implications (industrial, energy, automotive).

Specific Sources

• STMicroelectronics X-CUBE-PQC library: ST official product page & documentation – firmware expansion pack for STM32H563xx with NIST-validated ML-KEM, ML-DSA, and support for LMS/XMSS. ST X-CUBE-PQC
• Microchip MEC175xB Embedded Controllers: Press release & product page – PQC-enabled embedded controllers with CNSA 2.0 support (ML-KEM, ML-DSA, LMS). Microchip MEC175xB Product Page
• NXP PQC Root of Trust positioning: NXP security architecture page – outlines PQC in hardware root of trust for secure boot, debug, update, and authenticated communications. NXP Post-Quantum Cryptography Overview
• Infineon & BSI Certification News: Infineon press release – world’s first Common Criteria EAL6 certificate for PQC algorithm (ML-KEM) in a security controller. Infineon News Release