Undocumented PKCS11_TOKEN_INIT_SUPPORT

The PKCS11 standard was created to interact with "smartcards" for user authentication and of those use cases there would be a human attesting to the origination and ownership of the token.

The "security officer" would get a new token and verify that it's was new and untampered with (typically with security packaging) then initialize it and provision it.
The user would buy their own token and do the same verification but initialize it themselves and then request that a system would sign the CSR (verifying the identity of the user via their login)

The import element here is the fact that a human is verifying the origin of the token and performing an operation they trust (because they are doing it themselves). When it comes to using PKCS11 with an embedded secure element there is no way to verify the integrity of the system in an automatic fashion so any workflow involving the PKCS11 token initialization mechanism is intrinsically unsafe and it's only suitable for experimentation.

For production flows for safety one should prevent execution of token initialization functions - at best it results in a denial of service attack since it'll wipe the credentials from the token.

Now related to the implementation of the pkcs11 token initialization in cryptoauthlib besides the above intrinsic security problems, the configuration used for the device is one that is designed to be open so one can experiment with the devices and recover from many configuration mistakes. With the advent of the Trust Platform series of devices from Microchip (especially the ATECC608-TFLXTLS) it is not necessary to configure blank ECC608 devices with an experimental configuration. Please see the following resources:

It is recommended to start with the Trust Platform Design Suite.

MicrochipTech / cryptoauthlib

Undocumented PKCS11_TOKEN_INIT_SUPPORT #312