Mask ROM Specification


This document is a high-level overview of the features and responsibilities of the Mask ROM.

This document is not a comprehensive specification. When appropriate, it refers to more complete specifications for various mask ROM responsibilities. These specifications include:

Threat Model


The mask ROM is almost fully self-contained. All of the code in the mask ROM is located in //sw/device/silicon_creator with a few exceptions.

We permit the following exceptions:

  • Base utility functions from //sw/device/lib/base.
  • The top_level memory layout from //hw/top_earlgrey/sw/autogen.
  • Autogenerated register definitions (ie: alert_handler_regs.h, flash_ctrl_regs.h, etc).

Manufacturing Bring-Up

During bring-up while the device is in one of the TEST_UNLOCKED<n> states, certain countermeasures will not be enabled to facilitate testing and bring-up of the chip.


  • The alert handler will not be configured or enabled in TEST_UNLOCKED<n>.
  • TODO: [flash scrambling configuration]


Silicon Creator Keys

The Silicon Creator keys are provisioned when the silicon creator configures and initializes the signing environment. This process is currently being designed and the details are beyond the scope of this document. For now, the publicly available development FPGA keys are used as stand-ins for the silicon creator keys.


These keys are RSA-3072 public keys with exponent 65537 (F4). The PROD keys are valid in all lifecycle states.


These keys are RSA-3072 public keys with exponent 3 or F4. The DEV keys are valid in lifecycle states DEV and RMA.


These keys are RSA-3072 public keys with exponent 3 or F4. The TEST keys are valid in lifecycle states TEST_UNLOCKED<n> and RMA.

Boot Flow

The following sequence of events is executed in order. ID labels are assigned to each step for reference.


  • Clear all machine defined interrupts.
  • Zero all cpu registers.

See the [startup] specification for details.


  • Copy the AST values from the CREATOR_SW_CFG_AST_CFG OTP words to the AST.

See the [startup] specification for details.


  • Turn on the minimum level of entropy required to initialize memory scrambling.
  • Enable SRAM scrambling and initialize SRAM.

See the [startup] specification for details.


  • Initialize the PMP. Basic configuration:
    • R+X for ROM regions.
    • R for FLASH
    • RW for RAM

See the [memory protection] specification for details.


  • Zero .bss and copy .data to RAM.
  • Initialize stack pointer and global pointer.
  • Load the interrupt vector into mtvec.
  • Jump to rom_main.

See the [startup] specification for details.


  • Initialize the watchdog timer to instigate a reset after the number of cycles given in the OWNER_SW_CFG_ROM_WATCHDOG_BITE_THRESHOLD_CYCLES OTP item.


  • Read the reset reason. If power-on reset, init the retention RAM.


  • Initialize the sec_mmio library. Rescan any OTPs read prior to this point to load the expectations into sec_mmio’s register tracking.


  • Initialize the PMP module with values from ROM.ASM-PMP-INIT.

See the [memory protection] specification for details.


  • Initialize the shutdown module with values from OTP.
  • Loads alert configurations and alert class configurations from OTP into the alert handler block.

See the [shutdown] specification for details.


  • Initialize pinmux to allow uart output and reading of the strap pins.

See the [pin configuration] specification for details.


  • Initialize the uart to 115200 bps.


  • Flash initializes its own scrambling parameters in hardware. Make sure the init has finished by waiting for FLASH_CTRL.STATUS.INIT_WIP to be zero.


  • Read the value of the strapping pins.
    • If they indicate bootstrap mode and if bootstrap is permitted (via OTP ROM_BOOTSTRAP_DIS), perform the bootstrap protocol as specified in the [Bootstrap Spec].
    • For all other values, continue booting without bootstrap mode.

See the [bootstrap] specification for details.


  • Initialize the key manager.


  • Read the boot policy from the flash INFO page and retention RAM and determine the parameters which will control booting the ROM_EXT (which side to boot, which side is fallback, temporary side override and any anti-rollback parameters.

See the [bootpolicy] specification for details.


  • Using the boot policy, find and examine the ROM_EXT manifest header.
    • Verify the correctness of the magic number (OTRE in ASCII).
    • Verify the signature over the ROM_EXT as specified in the [Sig-Verify Spec].
      • Verify header fields before signature verification: code boundaries, code start address, anti-rollback parameters, etc.
      • If validation fails, exit main with kErroMaskRomBootFailed, thus entering ROM.SHUTDOWN.
      • If validation succeeds proceed to the next step.

See the [sigverify] specification for details.


  • Diversify the key manager with the software binding tag from the validated manifest.
  • Unlock flash execution in the flash controller and in the PMP with the execution bounds from the manifest.
  • Verify sec_mmio expectations and PMP configuration.
  • Jump to the ROM_EXT.


  • Shutdown the chip according to the [Shutdown Spec].
  • Redact the fault code according to the OTP-defined redaction policy.
  • Print the redacted fault code to the UART.
  • Initiate a shutdown via the alert handler (SW triggerable alert).
  • Perform a best-effort shutdown in the event the alert handler fails to shutdown
    • Disable (virtual-scrap) the crypto blocks (ie: keymanager).
    • Disable access to flash.
    • Reconfigure PMP to disable access to everything but the shutdown infinite loop.
    • Scramble SRAM.
    • Hang (WFI) and wait for watchdog reset.

See the [shutdown] specification for details.