Programmer’s Guide

During provisioning and manufacturing, SW interacts with the OTP controller mostly through the Direct Access Interface (DAI), which is described below. Afterwards during production, SW is expected to perform only read accesses via the exposed CSRs and CSR windows, since all write access to the partitions has been locked down.

The following sections provide some general guidance, followed by an explanation of the DAI and a detailed OTP memory map. Typical programming sequences are explained at the end of the Programmer’s guide.

General Guidance

Initialization

The OTP controller initializes automatically upon power-up and is fully operational by the time the processor boots. The only initialization steps that SW should perform are:

  1. Check that the OTP controller has successfully initialized by reading STATUS. I.e., make sure that none of the ERROR bits are set, and that the DAI is idle (STATUS.DAI_IDLE).
  2. Set up the periodic background checks:

If needed, one-off integrity and consistency checks can be triggered via CHECK_TRIGGER. If this functionality is not needed, it is recommended to lock down the trigger register via CHECK_TRIGGER_REGWEN.

Later on during the boot process, SW may also choose to block read access to the SW managed partitions via the associated partition lock registers, e.g. CREATOR_SW_CFG_READ_LOCK or OWNER_SW_CFG_READ_LOCK.

Reset Considerations

It is important to note that values in OTP can be corrupted if a reset occurs during a programming operation. This should be of minor concern for SW, however, since all partitions except for the LIFE_CYCLE partition are being provisioned in secure and controlled environments, and not in the field. The LIFE_CYCLE partition is the only partition that is modified in the field - but that partition is entirely owned by the life cycle controller and not by SW.

Programming Already Programmed Regions

OTP words cannot be programmed twice, and doing so may damage the memory array. Hence the OTP controller performs a blank check and returns an error if a write operation is issued to an already programmed location.

Potential Side-Effects on Flash via Life Cycle

It should be noted that the locked status of the partition holding the creator root key (i.e., the value of the SECRET2_DIGEST_0) determines the ID_STATUS of the device, which in turn determines SW accessibility of creator seed material in flash and OTP. That means that creator-seed-related collateral needs to be provisioned to Flash before the OTP digest lockdown mechanism is triggered, since otherwise accessibility to the corresponding flash region is lost. See the life cycle controller documentation for more details.

Direct Access Interface

OTP has to be programmed via the Direct Access Interface, which is comprised of the following CSRs:

CSR NameDescription
DIRECT_ACCESS_WDATA_0Low 32bit word to be written.
DIRECT_ACCESS_WDATA_1High 32bit word to be written.
DIRECT_ACCESS_RDATA_0Low 32bit word that has been read.
DIRECT_ACCESS_RDATA_1High 32bit word that has been read.
DIRECT_ACCESS_ADDRESSbyte address for the access.
DIRECT_ACCESS_CMDCommand register to trigger a read or a write access.
DIRECT_ACCESS_REGWENWrite protection register for DAI.

See further below for a detailed Memory Map of the address space accessible via the DAI.

Readout Sequence

A typical readout sequence looks as follows:

  1. Check whether the DAI is idle by reading the STATUS register.
  2. Write the byte address for the access to DIRECT_ACCESS_ADDRESS. Note that the address is aligned with the access granule, meaning that either 2 or 3 LSBs of the address are ignored, depending on whether the access granule is 32 or 64 bits.
  3. Trigger a read command by writing 0x1 to DIRECT_ACCESS_CMD.
  4. Poll the STATUS until the DAI state goes back to idle. Alternatively, the otp_operation_done interrupt can be enabled up to notify the processor once an access has completed.
  5. If the status register flags a DAI error, additional handling is required (see Error handling).
  6. If the region accessed has a 32bit access granule, the 32bit chunk of read data can be read from DIRECT_ACCESS_RDATA_0. If the region accessed has a 64bit access granule, the 64bit chunk of read data can be read from the DIRECT_ACCESS_RDATA_0 and DIRECT_ACCESS_RDATA_1 registers.
  7. Go back to 1. and repeat until all data has been read.

The hardware will set DIRECT_ACCESS_REGWEN to 0x0 while an operation is pending in order to temporarily lock write access to the CSRs registers.

Programming Sequence

A typical programming sequence looks as follows:

  1. Check whether the DAI is idle by reading the STATUS register.
  2. If the region to be accessed has a 32bit access granule, place a 32bit chunk of data into DIRECT_ACCESS_WDATA_0. If the region to be accessed has a 64bit access granule, both the DIRECT_ACCESS_WDATA_0 and DIRECT_ACCESS_WDATA_1 registers have to be used.
  3. Write the byte address for the access to DIRECT_ACCESS_ADDRESS. Note that the address is aligned with the access granule, meaning that either 2 or 3 LSBs of the address are ignored, depending on whether the access granule is 32 or 64 bits.
  4. Trigger a write command by writing 0x2 to DIRECT_ACCESS_CMD.
  5. Poll the STATUS until the DAI state goes back to idle. Alternatively, the otp_operation_done interrupt can be enabled up to notify the processor once an access has completed.
  6. If the status register flags a DAI error, additional handling is required (see Error handling).
  7. Go back to 1. and repeat until all data has been written.

The hardware will set DIRECT_ACCESS_REGWEN to 0x0 while an operation is pending in order to temporarily lock write access to the CSRs registers.

Note that SW is responsible for keeping track of already programmed OTP word locations during the provisioning phase. It is imperative that SW does not write the same word location twice, since this can lead to ECC inconsistencies, thereby potentially rendering the device useless.

Digest Calculation Sequence

Each partition is configured to have its digest written either by hardware or by software. Depending on this configuration attribute, the digest calculation and writing sequence is different. The following subsections describe the programming sequence for each case.

Partitions with a Hardware-Written Digest

The hardware digest computation for the hardware and secret partitions can be triggered as follows:

  1. Check whether the DAI is idle by reading the STATUS register.
  2. Write the partition base address to DIRECT_ACCESS_ADDRESS.
  3. Trigger a digest calculation command by writing 0x4 to DIRECT_ACCESS_CMD.
  4. Poll the STATUS until the DAI state goes back to idle. Alternatively, the otp_operation_done interrupt can be enabled up to notify the processor once an access has completed.
  5. If the status register flags a DAI error, additional handling is required (see Error handling).

The hardware will set DIRECT_ACCESS_REGWEN to 0x0 while an operation is pending in order to temporarily lock write access to the CSRs registers.

It should also be noted that the effect of locking a partition via the digest only takes effect after the next system reset. To prevent integrity check failures SW must therefore ensure that no more programming operations are issued to the affected partition after initiating the digest calculation sequence.

Partitions with a Software-Written Digest

Partitions for which software computes and writes the digest have a separate DIGEST entry in the DAI address map. Software must write the desired digest value via the DAI to set the digest in the OTP storage and lock the partition. This can be done as follows:

  1. Compute a 64-bit digest over the relevant parts of the partition, and program that value via the DAI, using the address of the corresponding DIGEST entry in the DAI address map.
  2. Read the digest back via the DAI and verify it.

After the next full-system reset, the corresponding digest CSRs (not DAI addresses!) get populated with the digest value. If the partition is digest-locked, it is locked at that point.

Zeroization Sequence

Zeroization is an irreversible operation performed when the contents of the zeroizable partition need to be wiped. The table in the Theory of Operation’s Partition Listing and Description section shows the per-partition zeroizable attribute. Attempting to zeroize a non-zeroizable partition will trigger a non-fatal error. All items in a zeroizable partition can be zeroized, including digests and zeroization markers. A typical zeroization sequence for a partition will zeroize all items in the partition. It is recommended to first zeroize the zeroization marker (the last 64-bit in a partition), followed by zeroizing each item. Zeroizing any item proceeds like this:

  1. Check whether the DAI is idle by reading the STATUS register.
  2. Write the address of the item to be zeroized in the DIRECT_ACCESS_ADDRESS register. Note that zeroization always affects a full access granule (32 or 64 bits).
  3. Trigger a zeroize command by a write to the DIRECT_ACCESS_CMD register setting the ZEROIZE bit to 1, all others to 0.
  4. Poll the STATUS until the DAI state goes back to idle.
  5. If the status register flags a DAI error, additional handling is required (see Error handling).
  6. Read the data from the DIRECT_ACCESS_RDATA_0: it contains the number of bits set after the zeroize command, and it could be somewhat smaller than the access granule size due to stuck-at-0 bits.

As with any write, zeroization of buffered partitions won’t become effective before a device reset. When zeroization is part of a life cycle transition, a reset should wait until the life cycle transition is requested.

Software Integrity Handling

As opposed to buffered partitions, the digest and integrity handling of unbuffered partitions is entirely up to software. The only hardware-assisted feature in unbuffered partitions is the digest lock, which locks write access to an unbuffered partition once a nonzero value has been programmed to the 64bit digest location.

In a similar vein, it should be noted that the system-wide bus-integrity metadata does not travel alongside the data end-to-end in the OTP controller (i.e., the bus-integrity metadata bits are not stored into the OTP memory array). This means that data written to and read from the OTP macro is not protected by the bus integrity feature at all stages. In case of buffered partitions this does not pose a concern since data integrity in these partitions is checked via the hardware assisted digest mechanism. In case of unbuffered partitions however, the data integrity checking is entirely up to software. I.e., if data is read from an unbuffered partition (either through the DAI or CSR windows), software should perform an integrity check on that data.

Error Handling

The agents that can access the OTP macro (DAI, LCI, buffered/unbuffered partitions) expose detailed error codes that can be used to root cause any failure. The error codes are defined in the table below, and the corresponding otp_err_e enum type can be found in the otp_ctrl_pkg. The table also lists which error codes are supported by which agent.

Errors that are not “recoverable” are severe errors that move the corresponding partition or DAI/LCI FSM into a terminal error state, where no more commands can be accepted (a system reset is required to restore functionality in that case). Errors that are “recoverable” are less severe and do not cause the FSM to jump into a terminal error state.

Note that error codes that originate in the physical OTP macro are prefixed with Macro*.

Error CodeEnum NameRecoverableDAILCIUnbufBufDescription
0x0NoError-xxxxNo error has occurred.
0x1MacroErrornoxxxxReturned if the OTP macro command did not complete successfully due to a macro malfunction.
0x2MacroEccCorrErroryesx-xxA correctable ECC error has occurred during a read operation in the OTP macro.
0x3MacroEccUncorrErrornox-x*xAn uncorrectable ECC error has occurred during a read operation in the OTP macro. Note (*): This error is collapsed into MacroEccCorrError if the partition is a vendor test partition. It then becomes a recoverable error.
0x4MacroWriteBlankErroryes / no*xx--This error is returned if a write operation attempted to clear an already programmed bit location. Note (*): This error is recoverable if encountered in the DAI, but unrecoverable if encountered in the LCI.
0x5AccessErroryesx-x-An access error has occurred (e.g. write to write-locked region, or read to a read-locked region).
0x6CheckFailErrorno--xxAn unrecoverable ECC, integrity or consistency error has been detected.
0x7FsmStateErrornoxxxxThe FSM has been glitched into an invalid state, or escalation has been triggered and the FSM has been moved into a terminal error state.

All non-zero error codes listed above trigger an otp_error interrupt. In addition, all unrecoverable OTP Macro* errors (codes 0x1, 0x3) trigger a fatal_macro_error alert, while all remaining unrecoverable errors trigger a fatal_check_error alert.

If software receives an otp_error interrupt, but all error codes read back as 0x0 (NoError), this should be treated as a fatal error condition, and the system should be shut down as soon as possible.

Note that the MacroWriteBlankError will only be generated if the write attempt over already written data fails within the OTP macro after applying any means supported within it to enable a write on existing data, e.g., a bit-reversal option. Also note that while this error is marked as a recoverable error, the affected OTP word may be in an inconsistent state after this error has been returned. This can cause several issues when the word is accessed again (either as part of a regular read operation, as part of the readout at boot, or as part of a background check). It is important that SW ensures that each word is only written once, since this can render the device useless.

Direct Access Memory Map

The table below provides a detailed overview of the items stored in the OTP partitions. Some of the items that are buffered in registers is readable via memory mapped CSRs, and these CSRs are linked in the table below. Items that are not linked can only be accessed via the direct programming interface (if the partition is not locked via the corresponding digest). It should be noted that CREATOR_SW_CFG and OWNER_SW_CFG are accessible through a memory mapped window, and content of these partitions is not buffered. Hence, a read access to those windows will take in the order of 10-20 cycles until the read returns.

Sizes below are specified in multiples of 32bit words.

IndexPartitionSize [B]ZeroizableAccess GranuleItemByte AddressSize [B]
0VENDOR_TEST72yes32bitSCRATCH0x00056
64bitVENDOR_TEST_DIGEST0x0388
64bitVENDOR_TEST_ZER0x0408
1CREATOR_SW_CFG224yes32bitCREATOR_SW_CFG_AST_CFG0x048124
32bitCREATOR_SW_CFG_AST_INIT_SIZE0x0C44
32bitCREATOR_SW_CFG_ROM_SECURE_BOOT_EN0x0C84
32bitCREATOR_SW_CFG_ROM_SIGGEN_EN0x0CC4
32bitCREATOR_SW_CFG_ROM_SIGVERIFY_EN0x0D04
32bitCREATOR_SW_CFG_SIGVERIFY_SPX_EN0x0D44
32bitCREATOR_SW_CFG_RNG_EN0x0D84
32bitCREATOR_SW_CFG_JITTER_EN0x0DC4
32bitCREATOR_SW_CFG_RET_RAM_RESET_MASK0x0E04
32bitCREATOR_SW_CFG_CPUCTRL0x0E44
32bitCREATOR_SW_CFG_RNG_REPCNT_THRESHOLDS0x0E84
32bitCREATOR_SW_CFG_RNG_REPCNTS_THRESHOLDS0x0EC4
32bitCREATOR_SW_CFG_RNG_ADAPTP_HI_THRESHOLDS0x0F04
32bitCREATOR_SW_CFG_RNG_ADAPTP_LO_THRESHOLDS0x0F44
32bitCREATOR_SW_CFG_RNG_BUCKET_THRESHOLDS0x0F84
32bitCREATOR_SW_CFG_RNG_MARKOV_HI_THRESHOLDS0x0FC4
32bitCREATOR_SW_CFG_RNG_MARKOV_LO_THRESHOLDS0x1004
32bitCREATOR_SW_CFG_RNG_EXTHT_HI_THRESHOLDS0x1044
32bitCREATOR_SW_CFG_RNG_EXTHT_LO_THRESHOLDS0x1084
32bitCREATOR_SW_CFG_RNG_ALERT_THRESHOLD0x10C4
32bitCREATOR_SW_CFG_RNG_HEALTH_CONFIG_DIGEST0x1104
32bitCREATOR_SW_CFG_SRAM_KEY_RENEW_AND_INIT_EN0x1144
64bitCREATOR_SW_CFG_DIGEST0x1188
64bitCREATOR_SW_CFG_ZER0x1208
2OWNER_SW_CFG968yes32bitOWNER_SW_CFG_ROM_ERROR_REPORTING0x1284
32bitOWNER_SW_CFG_ROM_ALERT_CLASS_EN0x12C4
32bitOWNER_SW_CFG_ROM_ALERT_ESCALATION0x1304
32bitOWNER_SW_CFG_ROM_ALERT_CLASSIFICATION0x134788
32bitOWNER_SW_CFG_ROM_LOCAL_ALERT_CLASSIFICATION0x44828
32bitOWNER_SW_CFG_ROM_ALERT_ACCUM_THRESH0x46416
32bitOWNER_SW_CFG_ROM_ALERT_TIMEOUT_CYCLES0x47416
32bitOWNER_SW_CFG_ROM_ALERT_PHASE_CYCLES0x48464
32bitOWNER_SW_CFG_ROM_ALERT_DIGEST_PROD0x4C44
32bitOWNER_SW_CFG_ROM_ALERT_DIGEST_PROD_END0x4C84
32bitOWNER_SW_CFG_ROM_ALERT_DIGEST_DEV0x4CC4
32bitOWNER_SW_CFG_ROM_ALERT_DIGEST_RMA0x4D04
32bitOWNER_SW_CFG_ROM_WATCHDOG_BITE_THRESHOLD_CYCLES0x4D44
32bitOWNER_SW_CFG_ROM_KEYMGR_OTP_MEAS_EN0x4D84
32bitOWNER_SW_CFG_ROM_RSTMGR_INFO_EN0x4DC4
64bitOWNER_SW_CFG_DIGEST0x4E08
64bitOWNER_SW_CFG_ZER0x4E88
3OWNERSHIP_SLOT_STATE56yes32bitOWNERSHIP_SLOT_STATE_ROT_OWNER_AUTH0x4F016
32bitOWNERSHIP_SLOT_STATE_PLAT_INTEG_AUTH0x50016
32bitOWNERSHIP_SLOT_STATE_PLAT_OWNER_AUTH0x51016
64bitOWNERSHIP_SLOT_STATE_ZER0x5208
4ROT_CREATOR_IDENTITY800yes32bitROT_CREATOR_IDENTITY_CERT0x528768
32bitROT_CREATOR_IDENTITY_CERT_CMAC0x82816
64bitROT_CREATOR_IDENTITY_DIGEST0x8388
64bitROT_CREATOR_IDENTITY_ZER0x8408
5ROT_OWNER_AUTH_SLOT0360yes32bitROT_OWNER_AUTH_SLOT0_NON_RAW_MFW_CODESIGN_KEY_TYPE0x8484
32bitROT_OWNER_AUTH_SLOT0_NON_RAW_MFW_CODESIGN_KEY_ROLE0x84C4
32bitROT_OWNER_AUTH_SLOT0_NON_RAW_MFW_CODESIGN_KEY0x85064
32bitROT_OWNER_AUTH_SLOT0_ROM2_PATCH_SIGVERIFY_KEY_TYPE0x8904
32bitROT_OWNER_AUTH_SLOT0_ROM2_PATCH_SIGVERIFY_KEY_ROLE0x8944
32bitROT_OWNER_AUTH_SLOT0_ROM2_PATCH_SIGVERIFY_KEY0x89864
32bitROT_OWNER_AUTH_SLOT0_KEYMANIFEST_KEY_TYPE0x8D84
32bitROT_OWNER_AUTH_SLOT0_KEYMANIFEST_KEY_ROLE0x8DC4
32bitROT_OWNER_AUTH_SLOT0_KEYMANIFEST_KEY0x8E064
32bitROT_OWNER_AUTH_SLOT0_KEY_BINDING0x92064
32bitROT_OWNER_AUTH_SLOT0_KEY_SIGNATURE0x96064
64bitROT_OWNER_AUTH_SLOT0_DIGEST0x9A08
64bitROT_OWNER_AUTH_SLOT0_ZER0x9A88
6ROT_OWNER_AUTH_SLOT1304yes32bitROT_OWNER_AUTH_SLOT1_NON_RAW_MFW_CODESIGN_KEY_TYPE0x9B04
32bitROT_OWNER_AUTH_SLOT1_NON_RAW_MFW_CODESIGN_KEY_ROLE0x9B44
32bitROT_OWNER_AUTH_SLOT1_NON_RAW_MFW_CODESIGN_KEY0x9B864
32bitROT_OWNER_AUTH_SLOT1_ROM2_PATCH_SIGVERIFY_KEY_TYPE0x9F84
32bitROT_OWNER_AUTH_SLOT1_ROM2_PATCH_SIGVERIFY_KEY_ROLE0x9FC4
32bitROT_OWNER_AUTH_SLOT1_ROM2_PATCH_SIGVERIFY_KEY0xA0064
32bitROT_OWNER_AUTH_SLOT1_KEYMANIFEST_KEY_TYPE0xA404
32bitROT_OWNER_AUTH_SLOT1_KEYMANIFEST_KEY_ROLE0xA444
32bitROT_OWNER_AUTH_SLOT1_KEYMANIFEST_KEY0xA4864
32bitROT_OWNER_AUTH_SLOT1_UNLOCK4XFER_KEY_TYPE0xA884
32bitROT_OWNER_AUTH_SLOT1_UNLOCK4XFER_KEY_ROLE0xA8C4
32bitROT_OWNER_AUTH_SLOT1_UNLOCK4XFER_KEY0xA9064
64bitROT_OWNER_AUTH_SLOT1_DIGEST0xAD08
64bitROT_OWNER_AUTH_SLOT1_ZER0xAD88
7PLAT_INTEG_AUTH_SLOT0160yes32bitPLAT_INTEG_AUTH_SLOT0_KEYMANIFEST_KEY_TYPE0xAE04
32bitPLAT_INTEG_AUTH_SLOT0_KEYMANIFEST_KEY_ROLE0xAE44
32bitPLAT_INTEG_AUTH_SLOT0_KEYMANIFEST_KEY0xAE864
32bitPLAT_INTEG_AUTH_SLOT0_UNLOCK4XFER_KEY_TYPE0xB284
32bitPLAT_INTEG_AUTH_SLOT0_UNLOCK4XFER_KEY_ROLE0xB2C4
32bitPLAT_INTEG_AUTH_SLOT0_UNLOCK4XFER_KEY0xB3064
64bitPLAT_INTEG_AUTH_SLOT0_DIGEST0xB708
64bitPLAT_INTEG_AUTH_SLOT0_ZER0xB788
8PLAT_INTEG_AUTH_SLOT1160yes32bitPLAT_INTEG_AUTH_SLOT1_KEYMANIFEST_KEY_TYPE0xB804
32bitPLAT_INTEG_AUTH_SLOT1_KEYMANIFEST_KEY_ROLE0xB844
32bitPLAT_INTEG_AUTH_SLOT1_KEYMANIFEST_KEY0xB8864
32bitPLAT_INTEG_AUTH_SLOT1_UNLOCK4XFER_KEY_TYPE0xBC84
32bitPLAT_INTEG_AUTH_SLOT1_UNLOCK4XFER_KEY_ROLE0xBCC4
32bitPLAT_INTEG_AUTH_SLOT1_UNLOCK4XFER_KEY0xBD064
64bitPLAT_INTEG_AUTH_SLOT1_DIGEST0xC108
64bitPLAT_INTEG_AUTH_SLOT1_ZER0xC188
9PLAT_OWNER_AUTH_SLOT0160yes32bitPLAT_OWNER_AUTH_SLOT0_KEYMANIFEST_KEY_TYPE0xC204
32bitPLAT_OWNER_AUTH_SLOT0_KEYMANIFEST_KEY_ROLE0xC244
32bitPLAT_OWNER_AUTH_SLOT0_KEYMANIFEST_KEY0xC2864
32bitPLAT_OWNER_AUTH_SLOT0_UNLOCK4XFER_KEY_TYPE0xC684
32bitPLAT_OWNER_AUTH_SLOT0_UNLOCK4XFER_KEY_ROLE0xC6C4
32bitPLAT_OWNER_AUTH_SLOT0_UNLOCK4XFER_KEY0xC7064
64bitPLAT_OWNER_AUTH_SLOT0_DIGEST0xCB08
64bitPLAT_OWNER_AUTH_SLOT0_ZER0xCB88
10PLAT_OWNER_AUTH_SLOT1160yes32bitPLAT_OWNER_AUTH_SLOT1_KEYMANIFEST_KEY_TYPE0xCC04
32bitPLAT_OWNER_AUTH_SLOT1_KEYMANIFEST_KEY_ROLE0xCC44
32bitPLAT_OWNER_AUTH_SLOT1_KEYMANIFEST_KEY0xCC864
32bitPLAT_OWNER_AUTH_SLOT1_UNLOCK4XFER_KEY_TYPE0xD084
32bitPLAT_OWNER_AUTH_SLOT1_UNLOCK4XFER_KEY_ROLE0xD0C4
32bitPLAT_OWNER_AUTH_SLOT1_UNLOCK4XFER_KEY0xD1064
64bitPLAT_OWNER_AUTH_SLOT1_DIGEST0xD508
64bitPLAT_OWNER_AUTH_SLOT1_ZER0xD588
11PLAT_OWNER_AUTH_SLOT2160yes32bitPLAT_OWNER_AUTH_SLOT2_KEYMANIFEST_KEY_TYPE0xD604
32bitPLAT_OWNER_AUTH_SLOT2_KEYMANIFEST_KEY_ROLE0xD644
32bitPLAT_OWNER_AUTH_SLOT2_KEYMANIFEST_KEY0xD6864
32bitPLAT_OWNER_AUTH_SLOT2_UNLOCK4XFER_KEY_TYPE0xDA84
32bitPLAT_OWNER_AUTH_SLOT2_UNLOCK4XFER_KEY_ROLE0xDAC4
32bitPLAT_OWNER_AUTH_SLOT2_UNLOCK4XFER_KEY0xDB064
64bitPLAT_OWNER_AUTH_SLOT2_DIGEST0xDF08
64bitPLAT_OWNER_AUTH_SLOT2_ZER0xDF88
12PLAT_OWNER_AUTH_SLOT3160yes32bitPLAT_OWNER_AUTH_SLOT3_KEYMANIFEST_KEY_TYPE0xE004
32bitPLAT_OWNER_AUTH_SLOT3_KEYMANIFEST_KEY_ROLE0xE044
32bitPLAT_OWNER_AUTH_SLOT3_KEYMANIFEST_KEY0xE0864
32bitPLAT_OWNER_AUTH_SLOT3_UNLOCK4XFER_KEY_TYPE0xE484
32bitPLAT_OWNER_AUTH_SLOT3_UNLOCK4XFER_KEY_ROLE0xE4C4
32bitPLAT_OWNER_AUTH_SLOT3_UNLOCK4XFER_KEY0xE5064
64bitPLAT_OWNER_AUTH_SLOT3_DIGEST0xE908
64bitPLAT_OWNER_AUTH_SLOT3_ZER0xE988
13EXT_NVM1032yes32bitEXT_NVM_ANTIREPLAY_FRESHNESS_CNT0xEA01024
64bitEXT_NVM_ZER0x12A08
14ROM_PATCH8208yes32bitROM_PATCH_DATA0x12A88192
64bitROM_PATCH_DIGEST0x32A88
64bitROM_PATCH_ZER0x32B08
15SOC_FUSES_CP392no32bitSOC_FUSES_CP1_DATA0x32B8256
32bitSOC_FUSES_CP2_DATA0x33B8128
64bitSOC_FUSES_CP_DIGEST0x34388
16SOC_FUSES_FT4232no32bitSOC_FUSES_FT1_DATA0x3440384
32bitSOC_FUSES_FT2_DATA0x35C03840
64bitSOC_FUSES_FT_DIGEST0x44C08
17SCRATCH_FUSES2400yes32bitSCRATCH_FUSES_DATA0x44C82392
64bitSCRATCH_FUSES_ZER0x4E208
18HW_CFG048yes32bitDEVICE_ID0x4E2832
64bitHW_CFG0_DIGEST0x4E488
64bitHW_CFG0_ZER0x4E508
19HW_CFG124yes32bitEN_CSRNG_SW_APP_READ0x4E581
32bitEN_SRAM_IFETCH0x4E591
64bitHW_CFG1_DIGEST0x4E608
64bitHW_CFG1_ZER0x4E688
20HW_CFG256yes32bitSOC_DBG_STATE0x4E704
32bitMANUF_STATE0x4E7432
64bitHW_CFG2_DIGEST0x4E988
64bitHW_CFG2_ZER0x4EA08
21SECRET048yes64bitTEST_UNLOCK_TOKEN0x4EA816
64bitTEST_EXIT_TOKEN0x4EB816
64bitSECRET0_DIGEST0x4EC88
64bitSECRET0_ZER0x4ED08
22SECRET132yes64bitSRAM_DATA_KEY_SEED0x4ED816
64bitSECRET1_DIGEST0x4EE88
64bitSECRET1_ZER0x4EF08
23SECRET2128yes64bitRMA_TOKEN0x4EF816
64bitCREATOR_ROOT_KEY_SHARE00x4F0832
64bitCREATOR_ROOT_KEY_SHARE10x4F2832
64bitCREATOR_SEED0x4F4832
64bitSECRET2_DIGEST0x4F688
64bitSECRET2_ZER0x4F708
24SECRET348yes64bitOWNER_SEED0x4F7832
64bitSECRET3_DIGEST0x4F988
64bitSECRET3_ZER0x4FA08
25LIFE_CYCLE88no32bitLC_TRANSITION_CNT0x4FA848
32bitLC_STATE0x4FD840

Note that since the content in the SECRET* partitions are scrambled using a 64bit PRESENT cipher, read and write access through the DAI needs to occur at a 64bit granularity. Also, all digests (no matter whether they are SW or HW digests) have an access granule of 64bit.

The table below lists digests locations, and the corresponding locked partitions.

Digest NameAffected PartitionCalculated by HW
VENDOR_TEST_DIGESTVENDOR_TESTno
CREATOR_SW_CFG_DIGESTCREATOR_SW_CFGno
OWNER_SW_CFG_DIGESTOWNER_SW_CFGno
ROT_CREATOR_IDENTITY_DIGESTROT_CREATOR_IDENTITYno
ROT_OWNER_AUTH_SLOT0_DIGESTROT_OWNER_AUTH_SLOT0no
ROT_OWNER_AUTH_SLOT1_DIGESTROT_OWNER_AUTH_SLOT1no
PLAT_INTEG_AUTH_SLOT0_DIGESTPLAT_INTEG_AUTH_SLOT0no
PLAT_INTEG_AUTH_SLOT1_DIGESTPLAT_INTEG_AUTH_SLOT1no
PLAT_OWNER_AUTH_SLOT0_DIGESTPLAT_OWNER_AUTH_SLOT0no
PLAT_OWNER_AUTH_SLOT1_DIGESTPLAT_OWNER_AUTH_SLOT1no
PLAT_OWNER_AUTH_SLOT2_DIGESTPLAT_OWNER_AUTH_SLOT2no
PLAT_OWNER_AUTH_SLOT3_DIGESTPLAT_OWNER_AUTH_SLOT3no
ROM_PATCH_DIGESTROM_PATCHno
SOC_FUSES_CP_DIGESTSOC_FUSES_CPno
SOC_FUSES_FT_DIGESTSOC_FUSES_FTno
HW_CFG0_DIGESTHW_CFG0yes
HW_CFG1_DIGESTHW_CFG1yes
HW_CFG2_DIGESTHW_CFG2yes
SECRET0_DIGESTSECRET0yes
SECRET1_DIGESTSECRET1yes
SECRET2_DIGESTSECRET2yes
SECRET3_DIGESTSECRET3yes

Write access to the affected partition will be locked if the digest has a nonzero value.

For the software partition digests, it is entirely up to software to decide on the digest algorithm to be used. Hardware will determine the lock condition only based on whether a non-zero value is present at that location or not.

For the hardware partitions, hardware calculates this digest and uses it for background verification. Digest calculation can be triggered via the DAI.

Finally, it should be noted that the RMA_TOKEN and CREATOR_ROOT_KEY_SHARE0 / CREATOR_ROOT_KEY_SHARE1 items can only be programmed when the device is in the DEV, PROD, PROD_END and RMA stages. Please consult the life cycle controller documentation documentation for more information.

OTP Field Descriptions

The table below describes what each field in the OTP partitions is used for.

PartitionItemSize [B]Description
CREATOR_SW_CFGCREATOR_SW_CFG_AST_CFG124AST configuration data. These values get blindly copied to the AST CSRs during ROM execution.
CREATOR_SW_CFG_AST_INIT_SIZE4Controls how many 32-bit words from the CREATOR_SW_CFG_AST_CFG item get copied to the AST CSRs during ROM execution.
CREATOR_SW_CFG_ROM_SECURE_BOOT_EN4Secure boot chicken bit. Secure boot is enabled iff this is set to kMultiBitBool32True. OTBN is not loaded with any code for any other values.
CREATOR_SW_CFG_ROM_SIGGEN_EN4Signature generation chicken bit. Asset signatures are generated iff both this item and CREATOR_SW_CFG_ROM_SECURE_BOOT_EN are set to kMultiBitBool32True.
CREATOR_SW_CFG_ROM_SIGVERIFY_EN4Signature verification chicken bit. Asset signatures are verified iff this item, the CREATOR_SW_CFG_ROM_SECURE_BOOT_EN and the CREATOR_SW_CFG_ROM_SIGGEN_EN ones are all set to kMultiBitBool32True.
CREATOR_SW_CFG_SIGVERIFY_SPX_EN4Controls whether or not SPHINCS+ signature verification will be executed when the ROM attempts to boot the ROM_EXT. A value of kSigverifySpxDisabledOtp disables SPHINCS+ signature verification, while all other values enable it. Note, SPHINCS+ signature verification is always disabled in TEST_UNLOCKED* LC states.
CREATOR_SW_CFG_RNG_EN4Whether or not to enable use of hardware generated entropy (from the entropy complex via EDN) in the rnd_uint32 function. A value of kHardenedBoolTrue enables the use of hardware generated entropy, while all other values disable.
CREATOR_SW_CFG_JITTER_EN4Whether or not to enable clock jitter. A value of kMultiBitBool4False disables, while all other values enable.
CREATOR_SW_CFG_RET_RAM_RESET_MASK4Reset reason mask used to initialize (by overwriting with random data) retention SRAM during ROM execution. A value of 0 only initializes retention SRAM on power-on-resets.See rstmgr RESET_INFO CSR documentation for more details.
CREATOR_SW_CFG_CPUCTRL4Value to write to the Ibex CPUCTRL CSR during ROM execution. This field controls settings such as ICACHE enablement. See Ibex documentation for more information.
CREATOR_SW_CFG_RNG_REPCNT_THRESHOLDS4
CREATOR_SW_CFG_RNG_REPCNTS_THRESHOLDS4
CREATOR_SW_CFG_RNG_ADAPTP_HI_THRESHOLDS4
CREATOR_SW_CFG_RNG_ADAPTP_LO_THRESHOLDS4
CREATOR_SW_CFG_RNG_BUCKET_THRESHOLDS4
CREATOR_SW_CFG_RNG_MARKOV_HI_THRESHOLDS4
CREATOR_SW_CFG_RNG_MARKOV_LO_THRESHOLDS4
CREATOR_SW_CFG_RNG_EXTHT_HI_THRESHOLDS4
CREATOR_SW_CFG_RNG_EXTHT_LO_THRESHOLDS4
CREATOR_SW_CFG_RNG_ALERT_THRESHOLD4
CREATOR_SW_CFG_RNG_HEALTH_CONFIG_DIGEST4
CREATOR_SW_CFG_SRAM_KEY_RENEW_AND_INIT_EN4Whether or not the ROM should request SRAM to be rescrambled with a new key on every boot. This includes renewing the scrambling key and then initializing SRAM with pseudo-random data. kHardenedBoolFalse disables, while all other values enable.
CREATOR_SW_CFG_ZER8
OWNER_SW_CFGOWNER_SW_CFG_ROM_ERROR_REPORTING4The shutdown error reporting verbosity used by the ROM. Should be configured to one of several shutdown_error_redact_t values. See sw/device/silicon_creator/lib/shutdown.h for more details.
OWNER_SW_CFG_ROM_ALERT_CLASS_EN4A four byte packed field, where each byte controls whether or not the ROM enables each alert class (A through D) of the alert_handler. The byte-sized sub-fields are arranged from D to A, MSB to LSB. Each byte should be set to an alert_enable_t value accordingly. See the alert_handler documentation for more details.
OWNER_SW_CFG_ROM_ALERT_ESCALATION4A four byte packed field, where each byte controls the escalation configuration for each alert class (A through D) of the alert_handler configured by the ROM. The byte-sized sub-fields are arranged from D to A, MSB to LSB. Each byte should be set to an alert_escalate_t value accordingly. See the alert_handler documentation for more details.
OWNER_SW_CFG_ROM_ALERT_CLASSIFICATION788The alert classifications (A through D) for each alert source of the alert_handler to be configured by the ROM. The field consists of a contiguous 320-byte block, or 80 32-bit words. The four bytes in each word encode the configuration of a single alert source across four lifecycle states, in order from LSB to MSB: PROD, PROD_END, DEV, and RMA. Each byte should be set to an alert_class_t value accordingly. The order of the 197 32-bit words, from LSB to MSB can be found in the DRAGONFLY_ALERTS list in hw/top_dragonfly/data/autogen/defs.bzl. See the alert_handler documentation for more details.
OWNER_SW_CFG_ROM_LOCAL_ALERT_CLASSIFICATION28Same as the OWNER_SW_CFG_ROM_ALERT_CLASSIFICATION field, except these configuration correspond to the local alert sources found in the DRAGONFLY_LOC_ALERTS list in rules/const.bzl`.
OWNER_SW_CFG_ROM_ALERT_ACCUM_THRESH16The alert accumulation threshold values for each alert class (A through D) of the alert_handler to be configured by the ROM. This field consists of four 32-bit words encoding the accumulation thresholds for each alert class A through D arranged LSW to MSW. See the alert_handler documentation for more details.
OWNER_SW_CFG_ROM_ALERT_TIMEOUT_CYCLES16Same as the OWNER_SW_CFG_ROM_ALERT_ACCUM_THRESH field, except each value corresponds to the interrupt timeout configuration of an alert class.
OWNER_SW_CFG_ROM_ALERT_PHASE_CYCLES64The alert escalation phase durations, measured in clock cycles, the ROM will configure the four alert phases for each alert class of the alert_handler. This field consists of a contiguous 64-byte block, or an array of four 128-bit fields. Each 128-bit sub-field encodes four 32-bit words that contain the alert phase cycle count configurations for alert escalation phases 0 to 3, from LSW to MSW. Each 128-bit sub-field is contains all configurations for a single alert class, arranged from class A to D, from LS to MS. For example, the cycle durations of each escalation phase in this field should be configured as such, from LSB to MSB: <classA,phase0>…<classA,phase3>…<classD,phase0>… <classD,phase3>. See the alert_handler documentation for more details.
OWNER_SW_CFG_ROM_ALERT_DIGEST_PROD4The expected CRC32 digest over all of the alert_handler configurations set up by the ROM for a device operating in the PROD LC state. The ROM reads this field and checks it against a digest it computes over the alert_handler configuration it programmed. This field is expected to be automatically computed by the otp_alert_digest() Bazel rule. See the alert_config_crc32() function in the SiliconCreator alert_handler driver for more details on what configurations are included in this digest.
OWNER_SW_CFG_ROM_ALERT_DIGEST_PROD_END4Same as the OWNER_SW_CFG_ROM_ALERT_DIGEST_PROD field, except the expected digest is for chips operating in the PROD_END LC state.
OWNER_SW_CFG_ROM_ALERT_DIGEST_DEV4Same as the OWNER_SW_CFG_ROM_ALERT_DIGEST_PROD field, except the expected digest is for chips operating in the DEV LC state.
OWNER_SW_CFG_ROM_ALERT_DIGEST_RMA4Same as the OWNER_SW_CFG_ROM_ALERT_DIGEST_PROD field, except the expected digest is for chips operating in the RMA LC state.
OWNER_SW_CFG_ROM_WATCHDOG_BITE_THRESHOLD_CYCLES4Watchdog timer bite threshold (in cycles) configured by the ROM.
OWNER_SW_CFG_ROM_KEYMGR_OTP_MEAS_EN4Whether or not to configure the attestation SW binding CSRs of the keymgr with the value of the measurement of the OTP CreatorSwCfg, OwnerSwCfg, and secure boot key integrity digest. A value of kHardenedBoolTrue uses the ROM computed OTP measurements.
OWNER_SW_CFG_ROM_RSTMGR_INFO_EN4A two byte packed word that indicates the expected rstmgr alert and CPU info dump enable states, configured in the rstmgr’s ALERT_INFO_CTRL and CPU_INFO_CTRL CSRs respectively. The expected format of this fields is {0,0,kHardenedBool*,kHardenedBool*}, read MSB to LSB, where the left most kHardenedBool* entry indicates the expected enablement state of the ALERT_INFO_CTRL, and the right most indicates the enablement state of the CPU_INFO_CTRL. Since the ROM expects both to be disabled upon handing over execution control to the ROM_EXT, this entire OTP field should be left unprovisioned, or set to all 0.
OWNER_SW_CFG_ZER8
OWNERSHIP_SLOT_STATEOWNERSHIP_SLOT_STATE_ROT_OWNER_AUTH16RoT Owner Ownership transfer state management OWNERSHIP_ST_RAW: ownership not yet claimed (factory default) OWNERSHIP_ST_LOCKED0: first ownership slot claimed OWNERSHIP_ST_RELEASED0: first ownership slot released (assets have been cleared, ready to xfer) OWNERSHIP_ST_LOCKED1: second ownership slot claimed OWNERSHIP_ST_SCRAPPED: scrap state - terminal
OWNERSHIP_SLOT_STATE_PLAT_INTEG_AUTH16Platform Integrator Ownership transfer state management OWNERSHIP_ST_RAW: ownership not yet claimed (factory default) OWNERSHIP_ST_LOCKED0: first ownership slot claimed OWNERSHIP_ST_RELEASED0: first ownership slot released (assets have been cleared, ready to xfer) OWNERSHIP_ST_LOCKED1: second ownership slot claimed OWNERSHIP_ST_SCRAPPED: scrap state - terminal
OWNERSHIP_SLOT_STATE_PLAT_OWNER_AUTH16Platform Owner Ownership transfer state management OWNERSHIP_ST_RAW: ownership not yet claimed (factory default) OWNERSHIP_ST_LOCKED0: first ownership slot claimed OWNERSHIP_ST_RELEASED0: first ownership slot released (assets have been cleared, ready to xfer) OWNERSHIP_ST_LOCKED1: second ownership slot claimed OWNERSHIP_ST_RELEASED1: second ownership slot released (assets have been cleared, ready to xfer) OWNERSHIP_ST_LOCKED2: third ownership slot claimed OWNERSHIP_ST_RELEASED2: third ownership slot released (assets have been cleared, ready to xfer) OWNERSHIP_ST_LOCKED3: fourth ownership slot claimed OWNERSHIP_ST_SCRAPPED: scrap state - terminal
OWNERSHIP_SLOT_STATE_ZER8
ROT_CREATOR_IDENTITYROT_CREATOR_IDENTITY_CERT768RoT Device Identity Certificate endorsed by the Silicon Creator stable PKI (off device). It is expected to be provisioned at Factory Testing (FT) stage when LC = DEV or PROD. Provisioning happens through a secured channel between the DUT and the HSM, i.e. the key is protected against supply-chain and manufacturing attacks.
ROT_CREATOR_IDENTITY_CERT_CMAC16A Cipher-based MAC for the RoT Device Identity Certificate.
ROT_CREATOR_IDENTITY_ZER8
ROT_OWNER_AUTH_SLOT0ROT_OWNER_AUTH_SLOT0_NON_RAW_MFW_CODESIGN_KEY_TYPE4Key usage type. One of the following 32-bit values defined by the sigverify API: - kSigverifyKeyTypeTest for manufacturing, testing and RMA keys. Keys of this type can be used only in TEST_UNLOCKED* and RMA life cycle states. - kSigverifyKeyTypeProd for production keys. Keys of this type can be used in all operational life cycle states, i.e. states in which CPU execution is enabled. - kSigverifyKeyTypeDev for development keys. Keys of this type can be used only in the DEV life cycle state.
ROT_OWNER_AUTH_SLOT0_NON_RAW_MFW_CODESIGN_KEY_ROLE4Key role that describes the kind of assets a key could sign. This must be set to the kSigverifyKeyRoleBootstrapFirmwareSigning 32-bit value as defined by the sigverify API.
ROT_OWNER_AUTH_SLOT0_NON_RAW_MFW_CODESIGN_KEY64Public Key used to verify manufacturing and debug firmware images. Key Type: ECC NIST-P256 Curve. It is expected to be provisioned at Final Test (FT) stage when LC = TEST_UNLOCKED. Together with the ROM2_PATCH_SIGVERIFY_KEY and KEYMANIFEST_KEY keys, and their associated device ID and metadata (stored in resp. KEY_DEVICE_ID and KEY_METADATA), this key is signed with a Silicon Creator endorsed ECDSA P-256 key in order to protect it from supply-chain and manufacturing attacks.
ROT_OWNER_AUTH_SLOT0_ROM2_PATCH_SIGVERIFY_KEY_TYPE4Key usage type. One of the following 32-bit values defined by the sigverify API: - kSigverifyKeyTypeTest for manufacturing, testing and RMA keys. Keys of this type can be used only in TEST_UNLOCKED* and RMA life cycle states. - kSigverifyKeyTypeProd for production keys. Keys of this type can be used in all operational life cycle states, i.e. states in which CPU execution is enabled. - kSigverifyKeyTypeDev for development keys. Keys of this type can be used only in the DEV life cycle state.
ROT_OWNER_AUTH_SLOT0_ROM2_PATCH_SIGVERIFY_KEY_ROLE4Key role that describes the kind of assets a key could sign. This must be set to the kSigverifyKeyRoleRomPatchSigning 32-bit value as defined by the sigverify API.
ROT_OWNER_AUTH_SLOT0_ROM2_PATCH_SIGVERIFY_KEY64Public Key used to verify the ROM2 OTP based patch. Key Type: ECC NIST-P256 Curve. It is expected to be provisioned at Final Test (FT) stage when LC = TEST_UNLOCKED. Together with the NON_RAW_MFW_CODESIGN_KEY and KEYMANIFEST_KEY keys, and their associated device ID and metadata (stored in resp. KEY_DEVICE_ID and KEY_METADATA), this key is signed with a Silicon Creator endorsed ECDSA P-256 key in order to protect it from supply-chain and manufacturing attacks.
ROT_OWNER_AUTH_SLOT0_KEYMANIFEST_KEY_TYPE4Key usage type. One of the following 32-bit values defined by the sigverify API: - kSigverifyKeyTypeTest for manufacturing, testing and RMA keys. Keys of this type can be used only in TEST_UNLOCKED* and RMA life cycle states. - kSigverifyKeyTypeProd for production keys. Keys of this type can be used in all operational life cycle states, i.e. states in which CPU execution is enabled. - kSigverifyKeyTypeDev for development keys. Keys of this type can be used only in the DEV life cycle state.
ROT_OWNER_AUTH_SLOT0_KEYMANIFEST_KEY_ROLE4Key role that describes the kind of assets a key could sign. This must be set to the kSigverifyKeyRoleKeyBundleSigning 32-bit value as defined by the sigverify API.
ROT_OWNER_AUTH_SLOT0_KEYMANIFEST_KEY64Public Key used to verify the RoT Creator (a.k.a. Silicon Creator) Key Manifest. Key Type: ECC NIST-P256 Curve. Together with the ROM2_PATCH_SIGVERIFY_KEY and NON_RAW_MFW_CODESIGN_KEY keys, and their associated device ID and metadata (stored in resp. KEY_DEVICE_ID and KEY_METADATA), this key is signed with a Silicon Creator endorsed ECDSA P-256 key in order to protect it from supply-chain and manufacturing attacks.
ROT_OWNER_AUTH_SLOT0_KEY_BINDING64A key binding value used to bind the ROT_OWNER_AUTH_SLOT0 keys to a SKU. This item must store a SKU specific payload known at FT, like for example a fused product identitfier or a ROM constant. The base ROM must verify the authenticity of the ROT_OWNER_AUTH_SLOT0 first and then match the KEY_BINDING via an inline ROM check before it uses the keys provisioned in this partition.
ROT_OWNER_AUTH_SLOT0_KEY_SIGNATURE64ECDSA P-256 signature of the NON_RAW_MFW_CODESIGN_KEY, ROM2_PATCH_SIGVERIFY_KEY, KEYMANIFEST_KEY, KEY_BINDING items in this partition. As those three keys are expected to be provisioned at Final Test (FT) stage when LC = TEST_UNLOCKED, this signatures aims at protecting them from supply-chain and manufacturing attacks. ROM images must include the corresponding signing key in order to verify all three signatures.
ROT_OWNER_AUTH_SLOT0_ZER8
ROT_OWNER_AUTH_SLOT1ROT_OWNER_AUTH_SLOT1_NON_RAW_MFW_CODESIGN_KEY_TYPE4Key usage type. One of the following 32-bit values defined by the sigverify API: - kSigverifyKeyTypeTest for manufacturing, testing and RMA keys. Keys of this type can be used only in TEST_UNLOCKED* and RMA life cycle states. - kSigverifyKeyTypeProd for production keys. Keys of this type can be used in all operational life cycle states, i.e. states in which CPU execution is enabled. - kSigverifyKeyTypeDev for development keys. Keys of this type can be used only in the DEV life cycle state.
ROT_OWNER_AUTH_SLOT1_NON_RAW_MFW_CODESIGN_KEY_ROLE4Key role that describes the kind of assets a key could sign. This must be set to the kSigverifyKeyRoleBootstrapFirmwareSigning 32-bit value as defined by the sigverify API.
ROT_OWNER_AUTH_SLOT1_NON_RAW_MFW_CODESIGN_KEY64Public Key used to verify manufacturing and debug firmware images. Key Type: ECC NIST-P256 Curve. It is expected to be provisioned at Final Test (FT) stage when LC = TEST_UNLOCKED. Together with the ROM2_PATCH_SIGVERIFY_KEY and KEYMANIFEST_KEY keys, and their associated device ID and metadata (stored in resp. KEY_DEVICE_ID and KEY_METADATA), this key is signed with a Silicon Creator endorsed ECDSA P-256 key in order to protect it from supply-chain and manufacturing attacks.
ROT_OWNER_AUTH_SLOT1_ROM2_PATCH_SIGVERIFY_KEY_TYPE4Key usage type. One of the following 32-bit values defined by the sigverify API: - kSigverifyKeyTypeTest for manufacturing, testing and RMA keys. Keys of this type can be used only in TEST_UNLOCKED* and RMA life cycle states. - kSigverifyKeyTypeProd for production keys. Keys of this type can be used in all operational life cycle states, i.e. states in which CPU execution is enabled. - kSigverifyKeyTypeDev for development keys. Keys of this type can be used only in the DEV life cycle state.
ROT_OWNER_AUTH_SLOT1_ROM2_PATCH_SIGVERIFY_KEY_ROLE4Key role that describes the kind of assets a key could sign. This must be set to the kSigverifyKeyRoleRomPatchSigning 32-bit value as defined by the sigverify API.
ROT_OWNER_AUTH_SLOT1_ROM2_PATCH_SIGVERIFY_KEY64Public Key used to verify the ROM2 OTP based patch. Key Type: ECC NIST-P256 Curve. It is expected to be provisioned at Final Test (FT) stage when LC = TEST_UNLOCKED. Together with the NON_RAW_MFW_CODESIGN_KEY and KEYMANIFEST_KEY keys, and their associated device ID and metadata (stored in resp. KEY_DEVICE_ID and KEY_METADATA), this key is signed with a Silicon Creator endorsed ECDSA P-256 key in order to protect it from supply-chain and manufacturing attacks.
ROT_OWNER_AUTH_SLOT1_KEYMANIFEST_KEY_TYPE4Key usage type. One of the following 32-bit values defined by the sigverify API: - kSigverifyKeyTypeTest for manufacturing, testing and RMA keys. Keys of this type can be used only in TEST_UNLOCKED* and RMA life cycle states. - kSigverifyKeyTypeProd for production keys. Keys of this type can be used in all operational life cycle states, i.e. states in which CPU execution is enabled. - kSigverifyKeyTypeDev for development keys. Keys of this type can be used only in the DEV life cycle state.
ROT_OWNER_AUTH_SLOT1_KEYMANIFEST_KEY_ROLE4Key role that describes the kind of assets a key could sign. This must be set to the kSigverifyKeyRoleKeyBundleSigning 32-bit value as defined by the sigverify API.
ROT_OWNER_AUTH_SLOT1_KEYMANIFEST_KEY64Public Key used to verify the RoT Owner (a.k.a. Silicon Owner) Key Manifest. Key Type: ECC NIST-P256 Curve. It is expected to be provisioned as part of the RoT Owner intra-role ownership transfer process, when LC = PROD. Provisioning happens through an Ownership Claim operation, after the previous RoT Owner completed a Relinquish operation.
ROT_OWNER_AUTH_SLOT1_UNLOCK4XFER_KEY_TYPE4Key usage type. One of the following 32-bit values defined by the sigverify API: - kSigverifyKeyTypeTest for manufacturing, testing and RMA keys. Keys of this type can be used only in TEST_UNLOCKED* and RMA life cycle states. - kSigverifyKeyTypeProd for production keys. Keys of this type can be used in all operational life cycle states, i.e. states in which CPU execution is enabled. - kSigverifyKeyTypeDev for development keys. Keys of this type can be used only in the DEV life cycle state.
ROT_OWNER_AUTH_SLOT1_UNLOCK4XFER_KEY_ROLE4Key role that describes the kind of assets a key could sign. This must be set to the kSigverifyKeyRoleRelinquishOwnership 32-bit value as defined by the sigverify API.
ROT_OWNER_AUTH_SLOT1_UNLOCK4XFER_KEY64Public Key used to verify the RoT Owner Unlock Ownership firmware image. Key Type: ECC NIST-P256 Curve. It is expected to be provisioned as part of the RoT Owner intra-role ownership transfer process, when LC = PROD. Provisioning happens through an Ownership Claim operation, after the previous RoT Owner completed a Relinquish operation.
ROT_OWNER_AUTH_SLOT1_ZER8
PLAT_INTEG_AUTH_SLOT0PLAT_INTEG_AUTH_SLOT0_KEYMANIFEST_KEY_TYPE4Key usage type. One of the following 32-bit values defined by the sigverify API: - kSigverifyKeyTypeTest for manufacturing, testing and RMA keys. Keys of this type can be used only in TEST_UNLOCKED* and RMA life cycle states. - kSigverifyKeyTypeProd for production keys. Keys of this type can be used in all operational life cycle states, i.e. states in which CPU execution is enabled. - kSigverifyKeyTypeDev for development keys. Keys of this type can be used only in the DEV life cycle state.
PLAT_INTEG_AUTH_SLOT0_KEYMANIFEST_KEY_ROLE4Key role that describes the kind of assets a key could sign. This must be set to the kSigverifyKeyRoleKeyBundleSigning 32-bit value as defined by the sigverify API.
PLAT_INTEG_AUTH_SLOT0_KEYMANIFEST_KEY64Public Key used to verify the Platform Integrator Key Manifest. Key Type: ECC NIST-P256 Curve. This should be provisioned during the Platform Integrator Activation process, at the Platform Integrator’s manufacturing facilities. The initial Platform Integrator provisions its Key Manifest public key using the provisioning boot service provided by the current RoT Owner.
PLAT_INTEG_AUTH_SLOT0_UNLOCK4XFER_KEY_TYPE4Key usage type. One of the following 32-bit values defined by the sigverify API: - kSigverifyKeyTypeTest for manufacturing, testing and RMA keys. Keys of this type can be used only in TEST_UNLOCKED* and RMA life cycle states. - kSigverifyKeyTypeProd for production keys. Keys of this type can be used in all operational life cycle states, i.e. states in which CPU execution is enabled. - kSigverifyKeyTypeDev for development keys. Keys of this type can be used only in the DEV life cycle state.
PLAT_INTEG_AUTH_SLOT0_UNLOCK4XFER_KEY_ROLE4Key role that describes the kind of assets a key could sign. This must be set to the kSigverifyKeyRoleRelinquishOwnership 32-bit value as defined by the sigverify API.
PLAT_INTEG_AUTH_SLOT0_UNLOCK4XFER_KEY64Public Key used to verify the Platform Integrator Unlock Ownership firmware image. Key Type: ECC NIST-P256 Curve. This should be provisioned during the Platform Integrator Activation process, at the Platform Integrator’s manufacturing facilities. The initial Platform Integrator provisions its Key Manifest public key using the provisioning boot service provided by the current RoT Owner.
PLAT_INTEG_AUTH_SLOT0_ZER8
PLAT_INTEG_AUTH_SLOT1PLAT_INTEG_AUTH_SLOT1_KEYMANIFEST_KEY_TYPE4Key usage type. One of the following 32-bit values defined by the sigverify API: - kSigverifyKeyTypeTest for manufacturing, testing and RMA keys. Keys of this type can be used only in TEST_UNLOCKED* and RMA life cycle states. - kSigverifyKeyTypeProd for production keys. Keys of this type can be used in all operational life cycle states, i.e. states in which CPU execution is enabled. - kSigverifyKeyTypeDev for development keys. Keys of this type can be used only in the DEV life cycle state.
PLAT_INTEG_AUTH_SLOT1_KEYMANIFEST_KEY_ROLE4Key role that describes the kind of assets a key could sign. This must be set to the kSigverifyKeyRoleKeyBundleSigning 32-bit value as defined by the sigverify API.
PLAT_INTEG_AUTH_SLOT1_KEYMANIFEST_KEY64Public Key used to verify the Platform Integrator Key Manifest. Key Type: ECC NIST-P256 Curve. This should be provisioned during the Platform Integrator intra-role ownership transfer process when the lifecycle state (LC) is PROD. Provisioning occurs via an Ownership Claim operation after the previous Platform Integrator completes a Relinquish operation.
PLAT_INTEG_AUTH_SLOT1_UNLOCK4XFER_KEY_TYPE4Key usage type. One of the following 32-bit values defined by the sigverify API: - kSigverifyKeyTypeTest for manufacturing, testing and RMA keys. Keys of this type can be used only in TEST_UNLOCKED* and RMA life cycle states. - kSigverifyKeyTypeProd for production keys. Keys of this type can be used in all operational life cycle states, i.e. states in which CPU execution is enabled. - kSigverifyKeyTypeDev for development keys. Keys of this type can be used only in the DEV life cycle state.
PLAT_INTEG_AUTH_SLOT1_UNLOCK4XFER_KEY_ROLE4Key role that describes the kind of assets a key could sign. This must be set to the kSigverifyKeyRoleRelinquishOwnership 32-bit value as defined by the sigverify API.
PLAT_INTEG_AUTH_SLOT1_UNLOCK4XFER_KEY64Public Key used to verify the Platform Integrator Unlock Ownership firmware image Key Type: ECC NIST-P256 Curve. This should be provisioned during the Platform Integrator intra-role ownership transfer process when the lifecycle state (LC) is PROD. Provisioning occurs via an Ownership Claim operation after the previous Platform Integrator completes a Relinquish operation.
PLAT_INTEG_AUTH_SLOT1_ZER8
PLAT_OWNER_AUTH_SLOT0PLAT_OWNER_AUTH_SLOT0_KEYMANIFEST_KEY_TYPE4Key usage type. One of the following 32-bit values defined by the sigverify API: - kSigverifyKeyTypeTest for manufacturing, testing and RMA keys. Keys of this type can be used only in TEST_UNLOCKED* and RMA life cycle states. - kSigverifyKeyTypeProd for production keys. Keys of this type can be used in all operational life cycle states, i.e. states in which CPU execution is enabled. - kSigverifyKeyTypeDev for development keys. Keys of this type can be used only in the DEV life cycle state.
PLAT_OWNER_AUTH_SLOT0_KEYMANIFEST_KEY_ROLE4Key role that describes the kind of assets a key could sign. This must be set to the kSigverifyKeyRoleKeyBundleSigning 32-bit value as defined by the sigverify API.
PLAT_OWNER_AUTH_SLOT0_KEYMANIFEST_KEY64Public Key used to verify the Platform Owner Key Manifest. Key Type: ECC NIST-P256 Curve. This should be provisioned during the Platform Owner Activation process, at the Platform Owner’s facilities. The initial Platform Owner provisions its Key Manifest public key using the provisioning boot service provided by the current RoT Owner.
PLAT_OWNER_AUTH_SLOT0_UNLOCK4XFER_KEY_TYPE4Key usage type. One of the following 32-bit values defined by the sigverify API: - kSigverifyKeyTypeTest for manufacturing, testing and RMA keys. Keys of this type can be used only in TEST_UNLOCKED* and RMA life cycle states. - kSigverifyKeyTypeProd for production keys. Keys of this type can be used in all operational life cycle states, i.e. states in which CPU execution is enabled. - kSigverifyKeyTypeDev for development keys. Keys of this type can be used only in the DEV life cycle state.
PLAT_OWNER_AUTH_SLOT0_UNLOCK4XFER_KEY_ROLE4Key role that describes the kind of assets a key could sign. This must be set to the kSigverifyKeyRoleRelinquishOwnership 32-bit value as defined by the sigverify API.
PLAT_OWNER_AUTH_SLOT0_UNLOCK4XFER_KEY64Public Key used to verify the Platform Owner Unlock Ownership firmware image. Key Type: ECC NIST-P256 Curve. This should be provisioned during the Platform Owner Activation process, at the Platform Owner’s facilities. The initial Platform Owner provisions its Key Manifest public key using the provisioning boot service provided by the current RoT Owner.
PLAT_OWNER_AUTH_SLOT0_ZER8
PLAT_OWNER_AUTH_SLOT1PLAT_OWNER_AUTH_SLOT1_KEYMANIFEST_KEY_TYPE4Key usage type. One of the following 32-bit values defined by the sigverify API: - kSigverifyKeyTypeTest for manufacturing, testing and RMA keys. Keys of this type can be used only in TEST_UNLOCKED* and RMA life cycle states. - kSigverifyKeyTypeProd for production keys. Keys of this type can be used in all operational life cycle states, i.e. states in which CPU execution is enabled. - kSigverifyKeyTypeDev for development keys. Keys of this type can be used only in the DEV life cycle state.
PLAT_OWNER_AUTH_SLOT1_KEYMANIFEST_KEY_ROLE4Key role that describes the kind of assets a key could sign. This must be set to the kSigverifyKeyRoleKeyBundleSigning 32-bit value as defined by the sigverify API.
PLAT_OWNER_AUTH_SLOT1_KEYMANIFEST_KEY64Public Key used to verify the Platform Owner Key Manifest. Key Type: ECC NIST-P256 Curve. This should be provisioned during the Platform Owner intra-role ownership transfer process when the lifecycle state (LC) is PROD. Provisioning occurs via an Ownership Claim operation after the previous Platform Owner completes a Relinquish operation.
PLAT_OWNER_AUTH_SLOT1_UNLOCK4XFER_KEY_TYPE4Key usage type. One of the following 32-bit values defined by the sigverify API: - kSigverifyKeyTypeTest for manufacturing, testing and RMA keys. Keys of this type can be used only in TEST_UNLOCKED* and RMA life cycle states. - kSigverifyKeyTypeProd for production keys. Keys of this type can be used in all operational life cycle states, i.e. states in which CPU execution is enabled. - kSigverifyKeyTypeDev for development keys. Keys of this type can be used only in the DEV life cycle state.
PLAT_OWNER_AUTH_SLOT1_UNLOCK4XFER_KEY_ROLE4Key role that describes the kind of assets a key could sign. This must be set to the kSigverifyKeyRoleRelinquishOwnership 32-bit value as defined by the sigverify API.
PLAT_OWNER_AUTH_SLOT1_UNLOCK4XFER_KEY64Public Key used to verify the Platform Owner Unlock Ownership firmware image. Key Type: ECC NIST-P256 Curve. This should be provisioned during the Platform Owner intra-role ownership transfer process when the lifecycle state (LC) is PROD. Provisioning occurs via an Ownership Claim operation after the previous Platform Owner completes a Relinquish operation.
PLAT_OWNER_AUTH_SLOT1_ZER8
PLAT_OWNER_AUTH_SLOT2PLAT_OWNER_AUTH_SLOT2_KEYMANIFEST_KEY_TYPE4Key usage type. One of the following 32-bit values defined by the sigverify API: - kSigverifyKeyTypeTest for manufacturing, testing and RMA keys. Keys of this type can be used only in TEST_UNLOCKED* and RMA life cycle states. - kSigverifyKeyTypeProd for production keys. Keys of this type can be used in all operational life cycle states, i.e. states in which CPU execution is enabled. - kSigverifyKeyTypeDev for development keys. Keys of this type can be used only in the DEV life cycle state.
PLAT_OWNER_AUTH_SLOT2_KEYMANIFEST_KEY_ROLE4Key role that describes the kind of assets a key could sign. This must be set to the kSigverifyKeyRoleKeyBundleSigning 32-bit value as defined by the sigverify API.
PLAT_OWNER_AUTH_SLOT2_KEYMANIFEST_KEY64Public Key used to verify the Platform Owner Key Manifest. Key Type: ECC NIST-P256 Curve. This should be provisioned during the Platform Owner intra-role ownership transfer process when the lifecycle state (LC) is PROD. Provisioning occurs via an Ownership Claim operation after the previous Platform Owner completes a Relinquish operation.
PLAT_OWNER_AUTH_SLOT2_UNLOCK4XFER_KEY_TYPE4Key usage type. One of the following 32-bit values defined by the sigverify API: - kSigverifyKeyTypeTest for manufacturing, testing and RMA keys. Keys of this type can be used only in TEST_UNLOCKED* and RMA life cycle states. - kSigverifyKeyTypeProd for production keys. Keys of this type can be used in all operational life cycle states, i.e. states in which CPU execution is enabled. - kSigverifyKeyTypeDev for development keys. Keys of this type can be used only in the DEV life cycle state.
PLAT_OWNER_AUTH_SLOT2_UNLOCK4XFER_KEY_ROLE4Key role that describes the kind of assets a key could sign. This must be set to the kSigverifyKeyRoleRelinquishOwnership 32-bit value as defined by the sigverify API.
PLAT_OWNER_AUTH_SLOT2_UNLOCK4XFER_KEY64Public Key used to verify the Platform Owner Unlock Ownership firmware image. Key Type: ECC NIST-P256 Curve. This should be provisioned during the Platform Owner intra-role ownership transfer process when the lifecycle state (LC) is PROD. Provisioning occurs via an Ownership Claim operation after the previous Platform Owner completes a Relinquish operation.
PLAT_OWNER_AUTH_SLOT2_ZER8
PLAT_OWNER_AUTH_SLOT3PLAT_OWNER_AUTH_SLOT3_KEYMANIFEST_KEY_TYPE4Key usage type. One of the following 32-bit values defined by the sigverify API: - kSigverifyKeyTypeTest for manufacturing, testing and RMA keys. Keys of this type can be used only in TEST_UNLOCKED* and RMA life cycle states. - kSigverifyKeyTypeProd for production keys. Keys of this type can be used in all operational life cycle states, i.e. states in which CPU execution is enabled. - kSigverifyKeyTypeDev for development keys. Keys of this type can be used only in the DEV life cycle state.
PLAT_OWNER_AUTH_SLOT3_KEYMANIFEST_KEY_ROLE4Key role that describes the kind of assets a key could sign. This must be set to the kSigverifyKeyRoleKeyBundleSigning 32-bit value as defined by the sigverify API.
PLAT_OWNER_AUTH_SLOT3_KEYMANIFEST_KEY64Public Key used to verify the Platform Owner Key Manifest. Key Type: ECC NIST-P256 Curve. This should be provisioned during the Platform Owner intra-role ownership transfer process when the lifecycle state (LC) is PROD. Provisioning occurs via an Ownership Claim operation after the previous Platform Owner completes a Relinquish operation.
PLAT_OWNER_AUTH_SLOT3_UNLOCK4XFER_KEY_TYPE4Key usage type. One of the following 32-bit values defined by the sigverify API: - kSigverifyKeyTypeTest for manufacturing, testing and RMA keys. Keys of this type can be used only in TEST_UNLOCKED* and RMA life cycle states. - kSigverifyKeyTypeProd for production keys. Keys of this type can be used in all operational life cycle states, i.e. states in which CPU execution is enabled. - kSigverifyKeyTypeDev for development keys. Keys of this type can be used only in the DEV life cycle state.
PLAT_OWNER_AUTH_SLOT3_UNLOCK4XFER_KEY_ROLE4Key role that describes the kind of assets a key could sign. This must be set to the kSigverifyKeyRoleRelinquishOwnership 32-bit value as defined by the sigverify API.
PLAT_OWNER_AUTH_SLOT3_UNLOCK4XFER_KEY64Public Key used to verify the Platform Owner Unlock Ownership firmware image. Key Type: ECC NIST-P256 Curve. This should be provisioned during the Platform Owner intra-role ownership transfer process when the lifecycle state (LC) is PROD. Provisioning occurs via an Ownership Claim operation after the previous Platform Owner completes a Relinquish operation.
PLAT_OWNER_AUTH_SLOT3_ZER8
EXT_NVMEXT_NVM_ANTIREPLAY_FRESHNESS_CNT1024Fully SW managed partition 1 bit (double bit allocated for redundancy - i.e. 2 physical bits for every logical bit) per day assuming 10 year product lifecycle, allocating 8192 bits of freshness protection. Implemented as thermometer encoding. Redundant bit programming & logical OR-ing managed by software. Cannot be ECC protected since different bits in a fuse row are programmed at different times.
EXT_NVM_ZER8
ROM_PATCHROM_PATCH_DATA8192Fully SW managed partition. ROM patch section for signed ROM patches. Each patch contains a header, a signature, the patch match/redirect configuration and the actual patch code. Please refer to the Dragonfly ROM boot & patching specification for more details.
ROM_PATCH_ZER8
SOC_FUSES_CPSOC_FUSES_CP1_DATA256
SOC_FUSES_CP2_DATA128
SOC_FUSES_FTSOC_FUSES_FT1_DATA384
SOC_FUSES_FT2_DATA3840
SCRATCH_FUSESSCRATCH_FUSES_DATA2392Fully SW managed partition. Unstructured, single item partition for any RoT firmware (runtime, bootstrap, manufacturing) to use and organize freely.
SCRATCH_FUSES_ZER8
HW_CFG0DEVICE_ID32Unique device identifier that is always exposed through the lifecycle JTAG tap. See documentation on Device Identifiers.
HW_CFG0_ZER8
HW_CFG1EN_CSRNG_SW_APP_READ1Enablement of CSRNG software application interface. A kMultiBitBool8True value enables, while all other values disable. Enablement is required to extract output from CSRNG via software.
EN_SRAM_IFETCH1Enablement of execute from SRAM switch in the sram_ctrl (see EXEC CSR). A kMultiBitBool8True value enables, while all other values disable.
HW_CFG1_ZER8
HW_CFG2SOC_DBG_STATE4Multi-bit enable value for the SOC debug authorization. SOC_DBG_STATE will be written twice in a device lifetime. The values to be written are engineered in the same way as the LC_CTRL state encoding words: the ECC encoding remains valid even after writing the second value on top of the first. The constants can be found in the lc_ctrl_state_pkg.sv package. The programming order has to adhere to: SOC_DBG_RAW -> SOC_DBG_PRE_PROD -> SOC_DBG_PROD. Encoding: SOC_DBG_RAW: this value is all-zeroes and will be the NOP state; the LC controller will take precedence. SOC_DBG_PRE_PROD: this is where the ROT will be in PROD state but SOC will be in the pre-production unlock state SOC_DBG_PROD: this is the state where the SOC moves to production, and the challenge-response based authentication protocol is required to unlock SOC debug features
MANUF_STATE32Field to capture the manufacturing state.
HW_CFG2_ZER8

Examples

Provisioning Items

The following represents a typical provisioning sequence for items in all partitions (except for the LIFE_CYCLE partition, which is not software-programmable):

  1. Program the item in 32bit or 64bit chunks via the DAI.
  2. Read back and verify the item via the DAI.
  3. If the item is exposed via CSRs or a CSR window, perform a full-system reset and verify whether those fields are correctly populated.

Note that any unrecoverable errors during the programming steps, or mismatches during the readback and verification steps indicate that the device might be malfunctioning (possibly due to fabrication defects) and hence the device may have to be scrapped. This is however rare and should not happen after fabrication testing.

Locking Partitions

Once a partition has been fully populated, write access to that partition has to be permanently locked. For the HW_CFG* and SECRET* partitions, this can be achieved as follows:

  1. Trigger a digest calculation via the DAI.
  2. Read back and verify the digest location via the DAI.
  3. Perform a full-system reset and verify that the corresponding CSRs exposing the 64bit digest have been populated (HW_CFG_DIGEST_0, SECRET0_DIGEST_0, SECRET1_DIGEST_0 or SECRET2_DIGEST_0).

It should be noted that locking only takes effect after a system reset since the affected partitions first have to re-sense the digest values. Hence, it is critical that SW ensures that no more data is written to the partition to be locked after triggering the hardware digest calculation. Otherwise, the device will likely be rendered inoperable as this can lead to permanent digest mismatch errors after system reboot.

For the CREATOR_SW_CFG and OWNER_SW_CFG partitions, the process is similar, but computation and programming of the digest is entirely up to software:

  1. Compute a 64bit digest over the relevant parts of the partition, and program that value to CREATOR_SW_CFG_DIGEST_0 or OWNER_SW_CFG_DIGEST_0 via the DAI. Note that digest accesses through the DAI have an access granule of 64bit.
  2. Read back and verify the digest location via the DAI.
  3. Perform a full-system reset and verify that the corresponding digest CSRs CREATOR_SW_CFG_DIGEST_0 or OWNER_SW_CFG_DIGEST_0 have been populated with the correct 64bit value.

Note that any unrecoverable errors during the programming steps, or mismatches during the read-back and verification steps indicate that the device might be malfunctioning (possibly due to fabrication defects) and hence the device may have to be scrapped. This is however rare and should not happen after fabrication testing.

Device Interface Functions (DIFs)

Additional Notes

OTP IP Assumptions

It is assumed the OTP IP employed in production has reasonable physical defense characteristics. Specifically which defensive features will likely be use case dependent, but at a minimum they should have the properties below. Note some properties are worded with “SHALL” and others with “SHOULD”. “SHALL” refers to features that must be present, while “SHOULD” refers to features that are ideal, but optional.

  • The contents shall not be observable via optical microscopy (for example anti-fuse technology).
  • The IP lifetime shall not be limited by the amount of read cycles performed.
  • If the IP contains field programmability (internal charge pumps and LDOs), there shall be mechanisms in place to selectively disable this function based on device context.
  • If the IP contains redundant columns, rows, pages or banks for yield improvement, it shall provide a mechanism to lock down arbitrary manipulation of page / bank swapping during run-time.
  • The IP shall be clear on what bits must be manipulated by the user, what bits are automatically manipulated by hardware (for example ECC or redundancy) and what areas the user can influence.
  • The IP shall be compatible, through the use of a proprietary wrapper or shim, with an open-source friendly IO interface.
  • The IP should functionally support the programming of already programmed bits without information leakage.
  • The IP should offer SCA resistance:
    • For example, the content may be stored differentially.
    • For example, the sensing exhibits similar power signatures no matter if the stored bit is 0 or 1.
  • The IP interface shall be memory-like if beyond a certain size.
  • When a particular location is read, a fixed width output is returned; similar when a particular location is programmed, a fixed width input is supplied.
  • The IP does not output all stored bits in parallel.
  • The contents should be electrically hidden. For example, it should be difficult for an attacker to energize the fuse array and observe how the charge leaks.
  • The IP should route critical nets at lower metal levels to avoid probing.
  • The IP should contain native detectors for fault injection attacks.
  • The IP should contain mechanisms to guard against interrupted programming - either through malicious intent or unexpected power loss and glitched address lines.
  • The IP should contain mechanisms for error corrections (single bit errors).
    • For example ECC or redundant bits voting / or-ing.
    • As error correction mechanisms are technology dependent, that information should not be exposed to the open-source controller, instead the controller should simply receive information on whether a read / program was successful.
  • The IP should have self-test functionality to assess the health of the storage and analog structures.
  • The IP may contain native PUF-like functionality.