.. Raef Coles, a5e540a, 2022-11-24 15:46:51 +0000

RSS provisioning
================

The LifeCycle Manager (LCM) controls access to the RSS OTP, and includes a
state machine that controls lifecycle-state transitions. The LCM is derived from
the OTP management and state machine components of the CryptoCell-3XX series
accelerators, and will be familiar to those who have worked with them.

When the chip hasn't been provisioned, the OTP is blank, which means the LCM is
in the "Virgin" Test/Production mode ("TP mode") state. The first step for
provisioning must be to set the LCM to either test-chip mode "TCI" or
production-chip mode "PCI". In TCI mode the RTL key is masked to avoid
disclosure, several OTP fields are changed from write-only to read-write to aid
in debugging, and debugging is not limited in secure provisioning mode.

Once the TP mode has been set, the chip is then in the Chip Manufacturer
provisioning state "CM". This mode is intended for the provisioning of the HUK,
GUK, CM provisioning key, CM code-encryption key, the root-of-trust public key
and the CM config. To provision these fields, the firmware must first receive a
provisioning bundle via a side-band channel (UART or debug interface). This
bundle either contains just the keys, or more usually the keys and also
provisioning code. The chip must then enter secure provisioning mode by setting
the SP_ENABLE register. This causes a reset (but does not clear the RSS SRAMs),
and allows access to the RTL key by exporting it to the KMU. The RSS must then
decrypt and authenticate the bundle using the RTL key. Under TCI mode the RTL
key is zeroed, so encryption and signing must use a zeroed key. Once the CM
provisioning bundle has been unpacked (and run, if it contains code) and the CM
values have been set, the RSS must be cold-reset.

After the cold reset, the RSS will then be in the Device Manufacturer
provisioning state "DM". This state is designed to provision the DM provisioning
key, the DM code-encryption key and the DM config. The procedure follows the
same steps as the CM provisioning flow, with the exception that the bundle will
now be encrypted and signed using the CM provisioning key. Once the provisioning
bundle has been unpacked/run, the RSS must be cold-reset.

After the cold reset, the device will now be in Secure Enable "SE" mode. Debug
may be limited based on the hardware DCU mask for SE state. Provisioning will
not be run on boot.
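
The flow above can be summarised as a small software model. This is an added
example, not code from the RSS firmware or its LCM driver: every type and
function name is hypothetical, and the ``values_set`` flag stands in for the OTP
contents that determine the real lifecycle state.

```c
/* Added model of the provisioning flow; all names are hypothetical and this
 * is not the RSS firmware or its LCM driver API. */
#include <stdbool.h>

enum tp_mode { TP_VIRGIN, TP_TCI, TP_PCI };
enum lcs { LCS_CM, LCS_DM, LCS_SE };
enum bundle_key { KEY_NONE, KEY_RTL, KEY_ZERO, KEY_CM_PROV };

struct lcm_model {
    enum tp_mode tp;
    enum lcs lcs;      /* only meaningful once tp != TP_VIRGIN */
    bool sp_enabled;   /* secure provisioning mode, entered via SP_ENABLE */
    bool values_set;   /* bundle authenticated and its values written */
};

/* Blank OTP must be moved to TCI or PCI first, and only once. */
bool model_set_tp_mode(struct lcm_model *m, enum tp_mode tp) {
    if (m->tp != TP_VIRGIN || tp == TP_VIRGIN) return false;
    m->tp = tp;
    m->lcs = LCS_CM;
    return true;
}

/* SP_ENABLE is only useful in CM or DM; in SE provisioning is not run. */
bool model_enter_sp(struct lcm_model *m) {
    if (m->tp == TP_VIRGIN || m->lcs == LCS_SE) return false;
    m->sp_enabled = true;
    return true;
}

/* Key the bundle must be encrypted and signed with in the current state. */
enum bundle_key model_bundle_key(const struct lcm_model *m) {
    if (m->tp == TP_VIRGIN || !m->sp_enabled) return KEY_NONE;
    if (m->lcs == LCS_CM) return m->tp == TP_TCI ? KEY_ZERO : KEY_RTL;
    return m->lcs == LCS_DM ? KEY_CM_PROV : KEY_NONE;
}

/* Accept a bundle only if it was protected with the expected key. */
bool model_provision(struct lcm_model *m, enum bundle_key used) {
    if (used == KEY_NONE || used != model_bundle_key(m)) return false;
    m->values_set = true;
    return true;
}

/* Cold reset: advance CM -> DM -> SE only if this state's values were set. */
void model_cold_reset(struct lcm_model *m) {
    if (m->values_set && m->lcs != LCS_SE) m->lcs = (enum lcs)(m->lcs + 1);
    m->sp_enabled = m->values_set = false;
}
```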

--------------

*Copyright (c) 2022, Arm Limited. All rights reserved.*