Hardware Interfaces
Referring to the Comportable guideline for peripheral device functionality, the module lc_ctrl has the following hardware interfaces defined
- Primary Clock:
clk_i - Other Clocks:
clk_kmac_i - Bus Device Interfaces (TL-UL):
tl - Bus Host Interfaces (TL-UL): none
- Peripheral Pins for Chip IO: none
- Interrupts: none
Inter-Module Signals
| Port Name | Package::Struct | Type | Act | Width | Description |
|---|---|---|---|---|---|
| jtag | jtag_pkg::jtag | req_rsp | rsp | 1 | |
| esc_scrap_state0_tx | prim_esc_pkg::esc_tx | uni | rcv | 1 | |
| esc_scrap_state0_rx | prim_esc_pkg::esc_rx | uni | req | 1 | |
| esc_scrap_state1_tx | prim_esc_pkg::esc_tx | uni | rcv | 1 | |
| esc_scrap_state1_rx | prim_esc_pkg::esc_rx | uni | req | 1 | |
| pwr_lc | pwrmgr_pkg::pwr_lc | req_rsp | rsp | 1 | |
| lc_otp_vendor_test | otp_ctrl_pkg::lc_otp_vendor_test | req_rsp | req | 1 | |
| otp_lc_data | otp_ctrl_pkg::otp_lc_data | uni | rcv | 1 | |
| lc_otp_program | otp_ctrl_pkg::lc_otp_program | req_rsp | req | 1 | |
| kmac_data | kmac_pkg::app | req_rsp | req | 1 | |
| lc_dft_en | lc_ctrl_pkg::lc_tx | uni | req | 1 | |
| lc_nvm_debug_en | lc_ctrl_pkg::lc_tx | uni | req | 1 | |
| lc_hw_debug_en | lc_ctrl_pkg::lc_tx | uni | req | 1 | |
| lc_cpu_en | lc_ctrl_pkg::lc_tx | uni | req | 1 | |
| lc_keymgr_en | lc_ctrl_pkg::lc_tx | uni | req | 1 | |
| lc_escalate_en | lc_ctrl_pkg::lc_tx | uni | req | 1 | |
| lc_clk_byp_req | lc_ctrl_pkg::lc_tx | uni | req | 1 | |
| lc_clk_byp_ack | lc_ctrl_pkg::lc_tx | uni | rcv | 1 | |
| lc_flash_rma_req | lc_ctrl_pkg::lc_tx | uni | req | 1 | |
| lc_flash_rma_seed | lc_ctrl_pkg::lc_flash_rma_seed | uni | req | 1 | |
| lc_flash_rma_ack | lc_ctrl_pkg::lc_tx | uni | rcv | 1 | |
| lc_check_byp_en | lc_ctrl_pkg::lc_tx | uni | req | 1 | |
| lc_creator_seed_sw_rw_en | lc_ctrl_pkg::lc_tx | uni | req | 1 | |
| lc_owner_seed_sw_rw_en | lc_ctrl_pkg::lc_tx | uni | req | 1 | |
| lc_iso_part_sw_rd_en | lc_ctrl_pkg::lc_tx | uni | req | 1 | |
| lc_iso_part_sw_wr_en | lc_ctrl_pkg::lc_tx | uni | req | 1 | |
| lc_seed_hw_rd_en | lc_ctrl_pkg::lc_tx | uni | req | 1 | |
| lc_keymgr_div | lc_ctrl_pkg::lc_keymgr_div | uni | req | 1 | |
| otp_device_id | otp_ctrl_pkg::otp_device_id | uni | rcv | 1 | |
| otp_manuf_state | otp_ctrl_pkg::otp_manuf_state | uni | rcv | 1 | |
| hw_rev | lc_ctrl_pkg::lc_hw_rev | uni | req | 1 | |
| strap_en_override | logic | uni | req | 1 | This signal transitions from 0 -> 1 by the lc_ctrl manager after volatile RAW_UNLOCK in order to re-sample the HW straps. The signal stays at 1 until reset. Note that this is only used in test chips when SecVolatileRawUnlockEn = 1. Otherwise this signal is tied off to 0. |
| tl | tlul_pkg::tl | req_rsp | rsp | 1 |
Security Alerts
| Alert Name | Description |
|---|---|
| fatal_prog_error | This alert triggers if an error occurred during an OTP programming operation. |
| fatal_state_error | This alert triggers if an error in the life cycle state or life cycle controller FSM is detected. |
| fatal_bus_integ_error | This fatal alert is triggered when a fatal TL-UL bus integrity fault is detected. |
Security Countermeasures
| Countermeasure ID | Description |
|---|---|
| LC_CTRL.BUS.INTEGRITY | End-to-end bus integrity scheme. |
| LC_CTRL.TRANSITION.CONFIG.REGWEN | The transition interface registers are REGWEN protected. The REGWEN is governed by hardware, and is only set to 1 if the interface mutex has been successfully claimed. Also, the REGWEN is set to 0 while a state transition is in progress in order to prevent any accidental changes to the transition interface CSRs during that phase. |
| LC_CTRL.MANUF.STATE.SPARSE | The manufacturing state vector is sparsely encoded. Although the encoding is randomly chosen, it satisfies specific Hamming weight and Hamming distance thresholds (see lc_ctrl_state_pkg.sv for the statistics). All manufacturing state encodings (except for the RAW state) have been constructed so that all OTP words belonging to the manufacturing state vector have a non-zero value. The individual OTP words are unique and have been engineered so that each word can be incrementally overwritten with another engineered value without causing the ECC bits added by the OTP macro to become inconsistent. |
| LC_CTRL.TRANSITION.CTR.SPARSE | The life cycle transition counter state is sparsely encoded. Although the encoding is randomly chosen, it satisfies specific Hamming weight and Hamming distance thresholds (see lc_ctrl_state_pkg.sv for the statistics). All counter state encodings (except for the 0 state) have been constructed so that all OTP words belonging to the counter state vector have a non-zero value. The individual OTP words are unique and have been engineered so that each word can be incrementally overwritten with another engineered value without causing the ECC bits added by the OTP macro to become inconsistent. |
| LC_CTRL.MANUF.STATE.BKGN_CHK | The manufacturing state vector is continuously decoded and checked, once the life cycle controller has initialized. If any mismatch is detected, local escalation is triggered (MAIN.FSM.LOCAL_ESC). |
| LC_CTRL.TRANSITION.CTR.BKGN_CHK | The life cycle transition counter is continuously decoded and checked, once the life cycle controller has initialized. If any mismatch is detected, local escalation is triggered (MAIN.FSM.LOCAL_ESC). Note that any non-RAW manufacturing state requires the transition counter to be nonzero. Also, the transition counter is used to enforce a limit of maximum 24 state transitions in order to guard against bruteforcing. |
| LC_CTRL.STATE.CONFIG.SPARSE | The decoded manufacturing state uses a replicated enum encoding to fill the 32bit value exposed in the CSRs (both the LC_STATE and TRANSITION_TARGET registers). This is done to 1) ease hardening of firmware code, and 2) to ensure that even the decoded life cycle state vector inside the life cycle controller still has a redundant encoding. |
| LC_CTRL.MAIN.FSM.SPARSE | The main state FSM is sparsely encoded. |
| LC_CTRL.KMAC.FSM.SPARSE | The KMAC interface FSM is sparsely encoded. |
| LC_CTRL.MAIN.FSM.LOCAL_ESC | Upon local escalation due to an invalid state encoding of the life cycle state vector or an invalid KMAC interface FSM state, the main state FSM moves to the InvalidSt state which behaves like a virtual scrap state. |
| LC_CTRL.MAIN.FSM.GLOBAL_ESC | Upon global escalation (triggered by the alert escalation receivers), the main state FSM moves to the EscalateSt state which behaves like a virtual scrap state. |
| LC_CTRL.MAIN.CTRL_FLOW.CONSISTENCY | The control flow of the main FSM is constructed so that the FSM only progresses linearly in one direction. There are no transition arcs that loop back to previous FSM states. |
| LC_CTRL.INTERSIG.MUBI | Life cycle control signals are multibit encoded. |
| LC_CTRL.TOKEN_VALID.CTRL.MUBI | The token valid signals coming from OTP are MUBI encoded. |
| LC_CTRL.TOKEN.DIGEST | Life cycle transition tokens are hashed with cSHAKE128, using a custom ‘LC_CTRL’ prefix. |
| LC_CTRL.TOKEN_MUX.CTRL.REDUN | The life cycle transition token mux is broken into two halves that are steered with separately decoded and buffered MUBI valid signals (see also TOKEN_VALID.CTRL.MUBI). |
| LC_CTRL.TOKEN_VALID.MUX.REDUN | The life cycle transition token valid mux is replicated twice. If a transition is initiated and the two mux index signals are inconsistent or if any of the two valid mux outputs is not set to valid, the transition will fail with a TRANSITION_ERROR. |
Registers
Summary
| Name | Offset | Length | Description |
|---|---|---|---|
lc_ctrl.ALERT_TEST | 0x0 | 4 | Alert Test Register |
lc_ctrl.STATUS | 0x4 | 4 | life cycle status register. Note that all errors are terminal and require a reset cycle. |
lc_ctrl.CLAIM_TRANSITION_IF_REGWEN | 0x8 | 4 | Register write enable for the hardware mutex register. |
lc_ctrl.CLAIM_TRANSITION_IF | 0xc | 4 | Hardware mutex to claim exclusive access to the transition interface. |
lc_ctrl.TRANSITION_REGWEN | 0x10 | 4 | Register write enable for all transition interface registers. |
lc_ctrl.TRANSITION_CMD | 0x14 | 4 | Command register for state transition requests. |
lc_ctrl.TRANSITION_CTRL | 0x18 | 4 | Control register for state transition requests. |
lc_ctrl.TRANSITION_TOKEN_0 | 0x1c | 4 | 128bit token for conditional transitions. |
lc_ctrl.TRANSITION_TOKEN_1 | 0x20 | 4 | 128bit token for conditional transitions. |
lc_ctrl.TRANSITION_TOKEN_2 | 0x24 | 4 | 128bit token for conditional transitions. |
lc_ctrl.TRANSITION_TOKEN_3 | 0x28 | 4 | 128bit token for conditional transitions. |
lc_ctrl.TRANSITION_TARGET | 0x2c | 4 | This register exposes the decoded life cycle state. |
lc_ctrl.OTP_VENDOR_TEST_CTRL | 0x30 | 4 | Test/vendor-specific settings for the OTP macro wrapper. |
lc_ctrl.OTP_VENDOR_TEST_STATUS | 0x34 | 4 | Test/vendor-specific settings for the OTP macro wrapper. |
lc_ctrl.LC_STATE | 0x38 | 4 | This register exposes the decoded life cycle state. |
lc_ctrl.LC_TRANSITION_CNT | 0x3c | 4 | This register exposes the state of the decoded life cycle transition counter. |
lc_ctrl.LC_ID_STATE | 0x40 | 4 | This register exposes the id state of the device. |
lc_ctrl.HW_REVISION0 | 0x44 | 4 | This register holds the SILICON_CREATOR_ID and the PRODUCT_ID. |
lc_ctrl.HW_REVISION1 | 0x48 | 4 | This register holds the REVISION_ID. |
lc_ctrl.DEVICE_ID_0 | 0x4c | 4 | This is the 256bit DEVICE_ID value that is stored in the HW_CFG partition in OTP. |
lc_ctrl.DEVICE_ID_1 | 0x50 | 4 | This is the 256bit DEVICE_ID value that is stored in the HW_CFG partition in OTP. |
lc_ctrl.DEVICE_ID_2 | 0x54 | 4 | This is the 256bit DEVICE_ID value that is stored in the HW_CFG partition in OTP. |
lc_ctrl.DEVICE_ID_3 | 0x58 | 4 | This is the 256bit DEVICE_ID value that is stored in the HW_CFG partition in OTP. |
lc_ctrl.DEVICE_ID_4 | 0x5c | 4 | This is the 256bit DEVICE_ID value that is stored in the HW_CFG partition in OTP. |
lc_ctrl.DEVICE_ID_5 | 0x60 | 4 | This is the 256bit DEVICE_ID value that is stored in the HW_CFG partition in OTP. |
lc_ctrl.DEVICE_ID_6 | 0x64 | 4 | This is the 256bit DEVICE_ID value that is stored in the HW_CFG partition in OTP. |
lc_ctrl.DEVICE_ID_7 | 0x68 | 4 | This is the 256bit DEVICE_ID value that is stored in the HW_CFG partition in OTP. |
lc_ctrl.MANUF_STATE_0 | 0x6c | 4 | This is a 256bit field used for keeping track of the manufacturing state. |
lc_ctrl.MANUF_STATE_1 | 0x70 | 4 | This is a 256bit field used for keeping track of the manufacturing state. |
lc_ctrl.MANUF_STATE_2 | 0x74 | 4 | This is a 256bit field used for keeping track of the manufacturing state. |
lc_ctrl.MANUF_STATE_3 | 0x78 | 4 | This is a 256bit field used for keeping track of the manufacturing state. |
lc_ctrl.MANUF_STATE_4 | 0x7c | 4 | This is a 256bit field used for keeping track of the manufacturing state. |
lc_ctrl.MANUF_STATE_5 | 0x80 | 4 | This is a 256bit field used for keeping track of the manufacturing state. |
lc_ctrl.MANUF_STATE_6 | 0x84 | 4 | This is a 256bit field used for keeping track of the manufacturing state. |
lc_ctrl.MANUF_STATE_7 | 0x88 | 4 | This is a 256bit field used for keeping track of the manufacturing state. |
ALERT_TEST
Alert Test Register
- Offset:
0x0 - Reset default:
0x0 - Reset mask:
0x7
Fields
| Bits | Type | Reset | Name | Description |
|---|---|---|---|---|
| 31:3 | Reserved | |||
| 2 | wo | 0x0 | fatal_bus_integ_error | Write 1 to trigger one alert event of this kind. |
| 1 | wo | 0x0 | fatal_state_error | Write 1 to trigger one alert event of this kind. |
| 0 | wo | 0x0 | fatal_prog_error | Write 1 to trigger one alert event of this kind. |
STATUS
life cycle status register. Note that all errors are terminal and require a reset cycle.
- Offset:
0x4 - Reset default:
0x0 - Reset mask:
0xfff
Fields
| Bits | Type | Reset | Name |
|---|---|---|---|
| 31:12 | Reserved | ||
| 11 | ro | x | OTP_PARTITION_ERROR |
| 10 | ro | x | BUS_INTEG_ERROR |
| 9 | ro | x | STATE_ERROR |
| 8 | ro | x | OTP_ERROR |
| 7 | ro | x | FLASH_RMA_ERROR |
| 6 | ro | x | TOKEN_ERROR |
| 5 | ro | x | TRANSITION_ERROR |
| 4 | ro | x | TRANSITION_COUNT_ERROR |
| 3 | ro | x | TRANSITION_SUCCESSFUL |
| 2 | ro | x | EXT_CLOCK_SWITCHED |
| 1 | ro | x | READY |
| 0 | ro | x | INITIALIZED |
STATUS . OTP_PARTITION_ERROR
This bit is set to 1 if the life cycle partition in OTP is in error state. This bit is intended for production testing during the RAW life cycle state, where the OTP control and status registers are not accessible. This error does not trigger an alert in the life cycle controller.
STATUS . BUS_INTEG_ERROR
This bit is set to 1 if a fatal bus integrity fault is detected. This error triggers a fatal_bus_integ_error alert.
STATUS . STATE_ERROR
This bit is set to 1 if either the controller FSM state or the life cycle state is invalid or has been corrupted as part of a tampering attempt. This error will move the life cycle state automatically to INVALID and raise a fatal_state_error alert.
STATUS . OTP_ERROR
This bit is set to 1 if an error occurred during an OTP programming operation. This error will move the life cycle state automatically to POST_TRANSITION and raise a fatal_prog_error alert.
STATUS . FLASH_RMA_ERROR
This bit is set to 1 if flash failed to correctly respond to an RMA request.
Note that each transition attempt increments the LC_TRANSITION_CNT and
moves the life cycle state into POST_TRANSITION.
STATUS . TOKEN_ERROR
This bit is set to 1 if the token supplied for a conditional transition was invalid.
Note that each transition attempt increments the LC_TRANSITION_CNT and
moves the life cycle state into POST_TRANSITION.
STATUS . TRANSITION_ERROR
This bit is set to 1 if the last transition command requested an invalid state transition
(e.g. DEV -> RAW). Note that each transition attempt increments the LC_TRANSITION_CNT and
moves the life cycle state into POST_TRANSITION.
STATUS . TRANSITION_COUNT_ERROR
This bit is set to 1 if the LC_TRANSITION_CNT has reached its maximum.
If this is the case, no more state transitions can be performed.
Note that each transition attempt increments the LC_TRANSITION_CNT and
moves the life cycle state into POST_TRANSITION.
STATUS . TRANSITION_SUCCESSFUL
This bit is set to 1 if the last life cycle transition request was successful.
Note that each transition attempt increments the LC_TRANSITION_CNT and
moves the life cycle state into POST_TRANSITION.
STATUS . EXT_CLOCK_SWITCHED
This bit is set to 1 if the clock manager has successfully switched to the external clock due to
EXT_CLOCK_EN being set to 1.
STATUS . READY
This bit is set to 1 if the life cycle controller has successfully initialized and is ready to accept a life cycle transition command.
STATUS . INITIALIZED
This bit is set to 1 if the life cycle controller has successfully initialized and the
state exposed in LC_STATE and LC_TRANSITION_CNT is valid.
CLAIM_TRANSITION_IF_REGWEN
Register write enable for the hardware mutex register.
- Offset:
0x8 - Reset default:
0x1 - Reset mask:
0x1
Fields
| Bits | Type | Reset | Name | Description |
|---|---|---|---|---|
| 31:1 | Reserved | |||
| 0 | rw0c | 0x1 | CLAIM_TRANSITION_IF_REGWEN | This bit is managed by software and is set to 1 by default. When cleared to 0, the CLAIM_TRANSITION_IF mutex register cannot be written to anymore. Write 0 to clear this bit. |
CLAIM_TRANSITION_IF
Hardware mutex to claim exclusive access to the transition interface.
- Offset:
0xc - Reset default:
0x69 - Reset mask:
0xff - Register enable:
CLAIM_TRANSITION_IF_REGWEN
Fields
| Bits | Type | Reset | Name |
|---|---|---|---|
| 31:8 | Reserved | ||
| 7:0 | rw | 0x69 | MUTEX |
CLAIM_TRANSITION_IF . MUTEX
In order to have exclusive access to the transition interface, SW must first claim the associated
hardware mutex by writing kMultiBitBool8True to this register.
If the register reads back kMultiBitBool8True, the mutex claim has been successful, and TRANSITION_REGWEN
will be set automatically to 1 by HW.
Write 0 to this register in order to release the HW mutex.
TRANSITION_REGWEN
Register write enable for all transition interface registers.
- Offset:
0x10 - Reset default:
0x0 - Reset mask:
0x1
Fields
| Bits | Type | Reset | Name |
|---|---|---|---|
| 31:1 | Reserved | ||
| 0 | ro | 0x0 | TRANSITION_REGWEN |
TRANSITION_REGWEN . TRANSITION_REGWEN
This bit is hardware-managed and only readable by software.
By default, this bit is set to 0 by hardware.
Once SW has claimed the CLAIM_TRANSITION_IF mutex, this bit will be set to 1.
Note that the life cycle controller sets this bit temporarily to 0 while executing a life cycle state
transition.
TRANSITION_CMD
Command register for state transition requests.
- Offset:
0x14 - Reset default:
0x0 - Reset mask:
0x1 - Register enable:
TRANSITION_REGWEN
Fields
| Bits | Type | Reset | Name |
|---|---|---|---|
| 31:1 | Reserved | ||
| 0 | r0w1c | x | START |
TRANSITION_CMD . START
Writing a 1 to this register initiates the life cycle state transition to the state
specified in TRANSITION_TARGET.
Note that not all transitions are possible, and certain conditional transitions require
an additional TRANSITION_TOKEN_0.
In order to have exclusive access to this register, SW must first claim the associated
hardware mutex via CLAIM_TRANSITION_IF.
TRANSITION_CTRL
Control register for state transition requests.
- Offset:
0x18 - Reset default:
0x0 - Reset mask:
0x3 - Register enable:
TRANSITION_REGWEN
Fields
| Bits | Type | Reset | Name |
|---|---|---|---|
| 31:2 | Reserved | ||
| 1 | rw | x | VOLATILE_RAW_UNLOCK |
| 0 | rw1s | x | EXT_CLOCK_EN |
TRANSITION_CTRL . VOLATILE_RAW_UNLOCK
When set to 1, LC_CTRL performs a volatile lifecycle transition from RAW -> TEST_UNLOCKED0. No state update will be written to OTP, and no reset will be needed after the transition has succeeded. Note that the token to be provided has to be the hashed unlock token, since in this case the token is NOT passed through KMAC before performing the comparison.
After a successful VOLATILE_RAW_UNLOCK transition from RAW -> TEST_UNLOCKED0, the LC_CTRL FSM will go back to the IdleSt and set the STATUS.TRANSITION_SUCCESSFUL bit. The LC_CTRL accepts further transition commands in this state.
IMPORTANT NOTE: this feature is intended for test chips only in order to mitigate the risks of a malfunctioning OTP macro. Production devices will permanently disable this feature at compile time via the SecVolatileRawUnlockEn parameter.
Software can check whether VOLATILE_RAW_UNLOCK is available by writing 1 and reading back the register value. If the register reads back as 1 the mechanism is available, and if it reads back 0 it is not.
TRANSITION_CTRL . EXT_CLOCK_EN
When set to 1, the OTP clock will be switched to an externally supplied clock right away when the device is in a non-PROD life cycle state. The clock mux will remain switched until the next system reset.
TRANSITION_TOKEN
128bit token for conditional transitions.
Make sure to set this to 0 for unconditional transitions.
Note that this register is shared with the life cycle TAP interface.
In order to have exclusive access to this register, SW must first claim the associated
hardware mutex via CLAIM_TRANSITION_IF.
- Reset default:
0x0 - Reset mask:
0xffffffff
Instances
| Name | Offset |
|---|---|
| TRANSITION_TOKEN_0 | 0x1c |
| TRANSITION_TOKEN_1 | 0x20 |
| TRANSITION_TOKEN_2 | 0x24 |
| TRANSITION_TOKEN_3 | 0x28 |
Fields
| Bits | Type | Reset | Name | Description |
|---|---|---|---|---|
| 31:0 | rw | x | TRANSITION_TOKEN |
TRANSITION_TARGET
This register exposes the decoded life cycle state.
- Offset:
0x2c - Reset default:
0x0 - Reset mask:
0x3fffffff - Register enable:
TRANSITION_REGWEN
Fields
| Bits | Type | Reset | Name |
|---|---|---|---|
| 31:30 | Reserved | ||
| 29:0 | rw | x | STATE |
TRANSITION_TARGET . STATE
This field encodes the target life cycle state in a redundant enum format. The 5bit state enum is repeated 6x so that it fills the entire 32bit register. The encoding is straightforward replication: [val, val, val, val, val, val].
Note that this register is shared with the life cycle TAP interface.
In order to have exclusive access to this register, SW must first claim the associated
hardware mutex via CLAIM_TRANSITION_IF.
| Value | Name | Description |
|---|---|---|
| 0x00000000 | RAW | Raw life cycle state after fabrication where all functions are disabled. |
| 0x02108421 | TEST_UNLOCKED0 | Unlocked test state where debug functions are enabled. |
| 0x04210842 | TEST_LOCKED0 | Locked test state where where all functions are disabled. |
| 0x06318c63 | TEST_UNLOCKED1 | Unlocked test state where debug functions are enabled. |
| 0x08421084 | TEST_LOCKED1 | Locked test state where where all functions are disabled. |
| 0x0a5294a5 | TEST_UNLOCKED2 | Unlocked test state where debug functions are enabled. |
| 0x0c6318c6 | TEST_LOCKED2 | Locked test state where debug all functions are disabled. |
| 0x0e739ce7 | TEST_UNLOCKED3 | Unlocked test state where debug functions are enabled. |
| 0x10842108 | TEST_LOCKED3 | Locked test state where debug all functions are disabled. |
| 0x1294a529 | TEST_UNLOCKED4 | Unlocked test state where debug functions are enabled. |
| 0x14a5294a | TEST_LOCKED4 | Locked test state where debug all functions are disabled. |
| 0x16b5ad6b | TEST_UNLOCKED5 | Unlocked test state where debug functions are enabled. |
| 0x18c6318c | TEST_LOCKED5 | Locked test state where debug all functions are disabled. |
| 0x1ad6b5ad | TEST_UNLOCKED6 | Unlocked test state where debug functions are enabled. |
| 0x1ce739ce | TEST_LOCKED6 | Locked test state where debug all functions are disabled. |
| 0x1ef7bdef | TEST_UNLOCKED7 | Unlocked test state where debug functions are enabled. |
| 0x21084210 | DEV | Development life cycle state where limited debug functionality is available. |
| 0x2318c631 | PROD | Production life cycle state. |
| 0x25294a52 | PROD_END | Same as PROD, but transition into RMA is not possible from this state. |
| 0x2739ce73 | RMA | RMA life cycle state. |
| 0x294a5294 | SCRAP | SCRAP life cycle state where all functions are disabled. |
Other values are reserved.
OTP_VENDOR_TEST_CTRL
Test/vendor-specific settings for the OTP macro wrapper. These values are only active during RAW, TEST_* and RMA life cycle states. In all other states, these values will be gated to zero before sending them to the OTP macro wrapper - even if this register is programmed to a non-zero value.
- Offset:
0x30 - Reset default:
0x0 - Reset mask:
0xffffffff - Register enable:
TRANSITION_REGWEN
Fields
| Bits | Type | Reset | Name | Description |
|---|---|---|---|---|
| 31:0 | rw | x | OTP_VENDOR_TEST_CTRL |
OTP_VENDOR_TEST_STATUS
Test/vendor-specific settings for the OTP macro wrapper. These values are only active during RAW, TEST_* and RMA life cycle states. In all other states, these values will read as zero.
- Offset:
0x34 - Reset default:
0x0 - Reset mask:
0xffffffff
Fields
| Bits | Type | Reset | Name | Description |
|---|---|---|---|---|
| 31:0 | ro | x | OTP_VENDOR_TEST_STATUS |
LC_STATE
This register exposes the decoded life cycle state.
- Offset:
0x38 - Reset default:
0x0 - Reset mask:
0x3fffffff
Fields
| Bits | Type | Reset | Name |
|---|---|---|---|
| 31:30 | Reserved | ||
| 29:0 | ro | x | STATE |
LC_STATE . STATE
This field exposes the decoded life cycle state in a redundant enum format. The 5bit state enum is repeated 6x so that it fills the entire 32bit register. The encoding is straightforward replication: [val, val, val, val, val, val].
| Value | Name | Description |
|---|---|---|
| 0x00000000 | RAW | Raw life cycle state after fabrication where all functions are disabled. |
| 0x02108421 | TEST_UNLOCKED0 | Unlocked test state where debug functions are enabled. |
| 0x04210842 | TEST_LOCKED0 | Locked test state where where all functions are disabled. |
| 0x06318c63 | TEST_UNLOCKED1 | Unlocked test state where debug functions are enabled. |
| 0x08421084 | TEST_LOCKED1 | Locked test state where where all functions are disabled. |
| 0x0a5294a5 | TEST_UNLOCKED2 | Unlocked test state where debug functions are enabled. |
| 0x0c6318c6 | TEST_LOCKED2 | Locked test state where debug all functions are disabled. |
| 0x0e739ce7 | TEST_UNLOCKED3 | Unlocked test state where debug functions are enabled. |
| 0x10842108 | TEST_LOCKED3 | Locked test state where debug all functions are disabled. |
| 0x1294a529 | TEST_UNLOCKED4 | Unlocked test state where debug functions are enabled. |
| 0x14a5294a | TEST_LOCKED4 | Locked test state where debug all functions are disabled. |
| 0x16b5ad6b | TEST_UNLOCKED5 | Unlocked test state where debug functions are enabled. |
| 0x18c6318c | TEST_LOCKED5 | Locked test state where debug all functions are disabled. |
| 0x1ad6b5ad | TEST_UNLOCKED6 | Unlocked test state where debug functions are enabled. |
| 0x1ce739ce | TEST_LOCKED6 | Locked test state where debug all functions are disabled. |
| 0x1ef7bdef | TEST_UNLOCKED7 | Unlocked test state where debug functions are enabled. |
| 0x21084210 | DEV | Development life cycle state where limited debug functionality is available. |
| 0x2318c631 | PROD | Production life cycle state. |
| 0x25294a52 | PROD_END | Same as PROD, but transition into RMA is not possible from this state. |
| 0x2739ce73 | RMA | RMA life cycle state. |
| 0x294a5294 | SCRAP | SCRAP life cycle state where all functions are disabled. |
| 0x2b5ad6b5 | POST_TRANSITION | This state is temporary and behaves the same way as SCRAP. |
| 0x2d6b5ad6 | ESCALATE | This state is temporary and behaves the same way as SCRAP. |
| 0x2f7bdef7 | INVALID | This state is reported when the life cycle state encoding is invalid. This state is temporary and behaves the same way as SCRAP. |
Other values are reserved.
LC_TRANSITION_CNT
This register exposes the state of the decoded life cycle transition counter.
- Offset:
0x3c - Reset default:
0x0 - Reset mask:
0x1f
Fields
| Bits | Type | Reset | Name |
|---|---|---|---|
| 31:5 | Reserved | ||
| 4:0 | ro | x | CNT |
LC_TRANSITION_CNT . CNT
Number of total life cycle state transition attempts.
The life cycle controller allows up to 24 transition attempts.
If this counter is equal to 24, the LC_STATE is considered
to be invalid and will read as SCRAP.
If the counter state is invalid, or the life cycle controller is in the post-transition state, the counter will have the value 31 (i.e., all counter bits will be set).
LC_ID_STATE
This register exposes the id state of the device.
- Offset:
0x40 - Reset default:
0x0 - Reset mask:
0xffffffff
Fields
| Bits | Type | Reset | Name |
|---|---|---|---|
| 31:0 | ro | x | STATE |
LC_ID_STATE . STATE
This field exposes the id state in redundant enum format. The 2bit id state enum is repeated 16x so that it fills the entire 32bit register. The encoding is straightforward replication: [val, val, … val].“
| Value | Name | Description |
|---|---|---|
| 0x00000000 | BLANK | The device has not yet been personalized. |
| 0x11111111 | PERSONALIZED | The device has been personalized. |
| 0x22222222 | INVALID | The state is not valid. |
Other values are reserved.
HW_REVISION0
This register holds the SILICON_CREATOR_ID and the PRODUCT_ID.
- Offset:
0x44 - Reset default:
0x0 - Reset mask:
0xffffffff
Fields
| Bits | Type | Reset | Name |
|---|---|---|---|
| 31:16 | ro | x | SILICON_CREATOR_ID |
| 15:0 | ro | x | PRODUCT_ID |
HW_REVISION0 . SILICON_CREATOR_ID
ID of the silicon creator. Assigned by the OpenTitan project. Zero is an invalid value. The encoding must follow the following range constraints:
0x0000: invalid value 0x0001 - 0x3FFF: reserved for use in the open-source OpenTitan project 0x4000 - 0x7FFF: reserved for real integrations of OpenTitan 0x8000 - 0xFFFF: reserved for future use
HW_REVISION0 . PRODUCT_ID
Used to identify a class of devices. Assigned by the Silicon Creator. Zero is an invalid value. The encoding must follow the following range constraints:
0x0000: invalid value 0x0001 - 0x3FFF: reserved for discrete chip products 0x4000 - 0x7FFF: reserved for integrated IP products 0x8000 - 0xFFFF: reserved for future use
HW_REVISION1
This register holds the REVISION_ID.
- Offset:
0x48 - Reset default:
0x0 - Reset mask:
0xffffffff
Fields
| Bits | Type | Reset | Name |
|---|---|---|---|
| 31:8 | ro | 0x0 | RESERVED |
| 7:0 | ro | x | REVISION_ID |
HW_REVISION1 . RESERVED
Reserved bits. Set to zero.
HW_REVISION1 . REVISION_ID
Product revision ID. Assigned by the Silicon Creator. The encoding is not specified other than that different tapeouts must be assigned different revision numbers. I.e., each base or metal layer respin must be reflected so that software can rely on it to modify firmware and driver behavior. Zero is an invalid value.
DEVICE_ID
This is the 256bit DEVICE_ID value that is stored in the HW_CFG partition in OTP. If this register reads all-one, the HW_CFG partition has not been initialized yet or is in error state. If this register reads all-zero, this is indicative that the value has not been programmed to OTP yet.
- Reset default:
0x0 - Reset mask:
0xffffffff
Instances
| Name | Offset |
|---|---|
| DEVICE_ID_0 | 0x4c |
| DEVICE_ID_1 | 0x50 |
| DEVICE_ID_2 | 0x54 |
| DEVICE_ID_3 | 0x58 |
| DEVICE_ID_4 | 0x5c |
| DEVICE_ID_5 | 0x60 |
| DEVICE_ID_6 | 0x64 |
| DEVICE_ID_7 | 0x68 |
Fields
| Bits | Type | Reset | Name | Description |
|---|---|---|---|---|
| 31:0 | ro | x | DEVICE_ID |
MANUF_STATE
This is a 256bit field used for keeping track of the manufacturing state.
- Reset default:
0x0 - Reset mask:
0xffffffff
Instances
| Name | Offset |
|---|---|
| MANUF_STATE_0 | 0x6c |
| MANUF_STATE_1 | 0x70 |
| MANUF_STATE_2 | 0x74 |
| MANUF_STATE_3 | 0x78 |
| MANUF_STATE_4 | 0x7c |
| MANUF_STATE_5 | 0x80 |
| MANUF_STATE_6 | 0x84 |
| MANUF_STATE_7 | 0x88 |
Fields
| Bits | Type | Reset | Name | Description |
|---|---|---|---|---|
| 31:0 | ro | x | MANUF_STATE |