OpenTitan Darjeeling (Integrated Admissible Architecture) Datasheet
Overview
OpenTitan Darjeeling is a system-on-a-chip Secure Execution Environment, capable of serving as a root of trust (RoT) for measurement and attestation among other applications, for instantiation within a larger system. It can serve as the SoC root of trust, a platform root of trust, or even be integrated and leveraged for individual chiplet RoTs.
Darjeeling’s block diagram shows the system configuration, including the RISC-V Ibex processor and all of the memories and comportable peripheral IPs. The system is split into a high speed domain (e.g. 1 GHz clock in a recent process node) and a peripheral domain (e.g. 250 MHz). The system has support for light sleep only, since the entire root-of-trust is expected to be always-on in an integrated context.
The SoC integration wrapper contains shared infrastructure that can be adapted based on the integrator’s needs. It contains a control network (CTN) crossbar for attaching shared SoC-level peripherals, as well as a large, shared CTN SRAM.
Communication with the SoC is mainly via the mailboxes, DMA and SoC proxy module. The SoC proxy module serves as a comportable IP frontend for incoming IRQs, reset requests, wake up requests, alerts and the TL-UL egress port into the CTN network. Egress TL-UL requests go through base address translation and range-based access control checks, which provide flexibility and isolation in the CTN space. Code can be executed from both internal memories (ROM partitions 1 and 2, main SRAM) and CTN SRAM.
Debug access is established via the JTAG TAP attached to a debug TL-UL crossbar. Through that, a JTAG mailbox, the RISC-V debug module, the SoC debug controller, and the life cycle controller can be accessed. The JTAG mailbox can be used to implement firmware-driven SoC-level debug authorization. Infrastructure signals such as clocks, resets and the entropy source are provided by the analog sensor top (AST) block, which is connected to the Darjeeling-internal power, clock and reset manager blocks. The sensor control block provides a comportable IP front-end for the AST block that the Ibex processor can interact with.
The following table provides a more detailed summary of the supported features:
OpenTitan Darjeeling Features | |
---|---|
Discrete Earl Grey Differences
The Darjeeling configuration is derived from OpenTitan’s discrete “Earl Grey” and has been extended to meet the requirements for an SoC-integrated RoT. The main processing elements and cryptographic features are largely similar, while several IO peripherals that are unneeded in an integrated context have been removed. A set of new IP blocks has been developed to enable integration into a larger SoC:
- An extended key manager block with support for TCG’s DICE Protection Environment (DPE)
- A DMA controller facilitating data exchange between the OpenTitan IP and the SoC
- A mailbox with TL-UL bus interface, configurable shared memory regions, and support for the PCIe Data Object Exchange (DOE) protocol
- An SoC proxy module that serves as a comportable frontend for external interrupts, alerts and the like
- An SoC debug controller, which controls debug and test access to the SoC
- An access control range check module that ensures that Darjeeling can access only authorized addresses in the SoC
- A register-access control list controller that defines role-based access permissions to Darjeeling’s registers
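
The egress path described in the overview (base address translation followed by range-based access control checks) and the access control range check module listed above can be modelled in a few lines of C. This is an added illustration, not OpenTitan RTL or project code: the window and range layout, the first-match policy, the permission bits, and all names and addresses are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Illustrative model only: not OpenTitan RTL or its register layout.
 * Every type, field and function name below is hypothetical. */
enum { PERM_R = 1, PERM_W = 2, PERM_X = 4 };
typedef struct { uint32_t match_base, size, remap_base; } xlate_win_t;
typedef struct { uint32_t base, limit; uint8_t perms; bool enabled; } acl_range_t;

/* Constructed sample configuration; all addresses are made up. */
static const xlate_win_t WIN[] = {{0x40000000u, 0x00100000u, 0x80000000u}};
static const acl_range_t ACL[] = {
    {0x80000000u, 0x80010000u, PERM_R | PERM_X, true}, /* code: read/execute */
    {0x80010000u, 0x80020000u, PERM_R | PERM_W, true}, /* data: read/write */
};

/* Map a RoT-local address into CTN space; false if no window holds the access. */
static bool translate(uint32_t addr, uint32_t len, uint32_t *out) {
  for (size_t i = 0; i < sizeof WIN / sizeof WIN[0]; i++) {
    uint32_t off = addr - WIN[i].match_base; /* wraps to a huge value below base */
    if (len != 0 && off < WIN[i].size && len <= WIN[i].size - off) {
      *out = WIN[i].remap_base + off;
      return true;
    }
  }
  return false;
}

/* Deny by default. The first enabled range holding the start address decides
 * (a model assumption): the access must fit in it and have all permissions. */
static bool range_check(uint32_t addr, uint32_t len, uint8_t want) {
  for (size_t i = 0; i < sizeof ACL / sizeof ACL[0]; i++) {
    if (!ACL[i].enabled || addr < ACL[i].base || addr >= ACL[i].limit) continue;
    return len <= ACL[i].limit - addr && (ACL[i].perms & want) == want;
  }
  return false;
}

/* Full egress decision: translate first, then check the translated address. */
bool egress_allowed(uint32_t local, uint32_t len, uint8_t want, uint32_t *ctn) {
  return translate(local, len, ctn) && range_check(*ctn, len, want);
}

int main(void) {
  uint32_t ctn = 0;
  bool ok = egress_allowed(0x40000100u, 4, PERM_W, &ctn);
  printf("write to code range at 0x%08x: %s\n", (unsigned)ctn, ok ? "allow" : "deny");
  return 0;
}
```

The cases worth reviewing in any such configuration are the ones the model rejects: accesses that translate successfully but land outside every range, accesses that straddle a range boundary, and accesses that request a permission the matching range does not grant.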