Mask ROM Specification

Overview

This document is a high-level overview of the features and responsibilities of the Mask ROM.

This document is not a comprehensive specification. When appropriate, it refers to more complete specifications for various mask ROM responsibilities. These specifications include:

Dependencies

The mask ROM is almost fully self-contained. All of the code in the mask ROM is located in //sw/device/silicon_creator with a few exceptions.

We permit the following exceptions:

Base utility functions from //sw/device/lib/base.
The top_level memory layout from //hw/top_earlgrey/sw/autogen.
Autogenerated register definitions (ie: alert_handler_regs.h, flash_ctrl_regs.h, etc).

Manufacturing Bring-Up

During bring-up while the device is in one of the TEST_UNLOCKED<n> states, certain countermeasures will not be enabled to facilitate testing and bring-up of the chip.

Notably:

The alert handler will not be configured or enabled in TEST_UNLOCKED<n>.
TODO: [flash scrambling configuration]

The Silicon Creator keys are provisioned when the silicon creator configures and initializes the signing environment. This process is currently being designed and the details are beyond the scope of this document. For now, the publicly available development FPGA keys are used as stand-ins for the silicon creator keys.

Clear all machine defined interrupts.
Zero all cpu registers.

See the [startup] specification for details.

ROM.ASM-AST-INIT

Copy the AST values from the CREATOR_SW_CFG_AST_CFG OTP words to the AST.

See the [startup] specification for details.

ROM.ASM-SRAM-INIT

Turn on the minimum level of entropy required to initialize memory scrambling.
Enable SRAM scrambling and initialize SRAM.

See the [startup] specification for details.

ROM.ASM-PMP-INIT

Initialize the PMP. Basic configuration:
- R+X for ROM regions.
- R for FLASH
- RW for RAM

See the [memory protection] specification for details.

ROM.ASM-CRT-INIT

Zero .bss and copy .data to RAM.
Initialize stack pointer and global pointer.
Load the interrupt vector into mtvec.
Jump to rom_main.

See the [startup] specification for details.

ROM.WATCHDOG-INIT

Initialize the watchdog timer to instigate a reset after the number of cycles given in the OWNER_SW_CFG_ROM_WATCHDOG_BITE_THRESHOLD_CYCLES OTP item.

ROM.RST-REASON-INIT

Read the reset reason. If power-on reset, init the retention RAM.

ROM.SEC-MMIO-INIT

Initialize the sec_mmio library. Rescan any OTPs read prior to this point to load the expectations into sec_mmio’s register tracking.

ROM.PMP-INIT

Initialize the PMP module with values from ROM.ASM-PMP-INIT.

See the [memory protection] specification for details.

ROM.SHUTDOWN-INIT

Initialize the shutdown module with values from OTP.
Loads alert configurations and alert class configurations from OTP into the alert handler block.

See the [shutdown] specification for details.

ROM.PINMUX-INIT

Initialize pinmux to allow uart output and reading of the strap pins.

See the [pin configuration] specification for details.

ROM.UART-INIT

Initialize the uart to 115200 bps.

ROM.FLASH-INIT

Flash initializes its own scrambling parameters in hardware. Make sure the init has finished by waiting for FLASH_CTRL.STATUS.INIT_WIP to be zero.

ROM.BOOTSTRAP-MODE

Read the value of the strapping pins.
- If they indicate bootstrap mode and if bootstrap is permitted (via OTP ROM_BOOTSTRAP_DIS), perform the bootstrap protocol as specified in the [Bootstrap Spec].
- For all other values, continue booting without bootstrap mode.

See the [bootstrap] specification for details.

ROM.KEYMGR-INIT

Initialize the key manager.

ROM.BOOT-POLICY-READ

Read the boot policy from the flash INFO page and retention RAM and determine the parameters which will control booting the ROM_EXT (which side to boot, which side is fallback, temporary side override and any anti-rollback parameters.

See the [bootpolicy] specification for details.

ROM.SIG-VERIFY

Using the boot policy, find and examine the ROM_EXT manifest header.
- Verify the correctness of the magic number (OTRE in ASCII).
- Verify the signature over the ROM_EXT as specified in the [Sig-Verify Spec].
  - Verify header fields before signature verification: code boundaries, code start address, anti-rollback parameters, etc.
  - If validation fails, exit main with kErroMaskRomBootFailed, thus entering ROM.SHUTDOWN.
  - If validation succeeds proceed to the next step.

See the [sigverify] specification for details.

ROM.BOOT-ROM_EXT

Diversify the key manager with the software binding tag from the validated manifest.
Unlock flash execution in the flash controller and in the PMP with the execution bounds from the manifest.
Verify sec_mmio expectations and PMP configuration.
Jump to the ROM_EXT.

ROM.SHUTDOWN

Shutdown the chip according to the [Shutdown Spec].
Redact the fault code according to the OTP-defined redaction policy.
Print the redacted fault code to the UART.
Initiate a shutdown via the alert handler (SW triggerable alert).
Perform a best-effort shutdown in the event the alert handler fails to shutdown
- Disable (virtual-scrap) the crypto blocks (ie: keymanager).
- Disable access to flash.
- Reconfigure PMP to disable access to everything but the shutdown infinite loop.
- Scramble SRAM.
- Hang (WFI) and wait for watchdog reset.

See the [shutdown] specification for details.

Mask ROM Specification

Overview

Threat Model

Dependencies

Manufacturing Bring-Up

Keys

Silicon Creator Keys

ROM.KEYS-SILICON-CREATOR-PROD

ROM.KEYS-SILICON-CREATOR-DEV

ROM.KEYS-SILICON-CREATOR-TEST

Boot Flow

ROM.ASM-RESET-START

ROM.ASM-AST-INIT

ROM.ASM-SRAM-INIT

ROM.ASM-PMP-INIT

ROM.ASM-CRT-INIT

ROM.WATCHDOG-INIT

ROM.RST-REASON-INIT

ROM.SEC-MMIO-INIT

ROM.PMP-INIT

ROM.SHUTDOWN-INIT

ROM.PINMUX-INIT

ROM.UART-INIT

ROM.FLASH-INIT

ROM.BOOTSTRAP-MODE

ROM.KEYMGR-INIT

ROM.BOOT-POLICY-READ

ROM.SIG-VERIFY

ROM.BOOT-ROM_EXT

ROM.SHUTDOWN