Additional Inquiry to issue #1122 "Questions about Zeroization of Secret Partitions"

[taku202107]

bharatpillilli,

I posted an additional inquiry on #1122 after it was closed.
Please provide additional answer to it, or answer the following inquiry on this ticket:

We understood that our interpretation of the spec "it can be read 0 from secret Partition via DAI when Caliptra-SS is under debug mode" is incorrect.
But, please let us clarify the "wire" in the 2nd paragraph of your response.
Are our following understanding correct?:

• The "wire" in your response means the otp_broadcast_o signal.
• This signal has a function of zeroization when transitioning to the SCRAP LC state. (*)

If our understanding is correct, please let us know where there is a code for erase the secrets from the wire in debug mode because we cannot find the code.

We appreciate your response in advance.

[ekarabu]

The "wire" in your response means the otp_broadcast_o signal.

Yes.

If our understanding is correct, please let us know where there is a code for erase the secrets from the wire in debug mode because we cannot find the code.

caliptra-ss/src/fuse_ctrl/rtl/otp_ctrl.sv

Line 1329 in 9a2787d

otp_broadcast_o <= '0;

https://github.com/chipsalliance/caliptra-ss/blob/main/docs/CaliptraSSIntegrationSpecification.md#uds--field-entropy-fips-zeroization-sequence

caliptra-ss/src/fuse_ctrl/rtl/fuse_ctrl_filter.sv

Line 355 in 9a2787d

end else if (fuse_cmd == DaiWrite && cptra_in_debug_mode_i && caliptra_secret_access && write_event)begin

https://github.com/chipsalliance/caliptra-rtl/blob/8885bd850d66a9f1ff45734da38f144a1c37b8df/src/integration/rtl/caliptra_top.sv#L772

[taku202107]

ekarabu,

Thank you for your prompt response.

Please let us know if there are any mistakes in our understanding below:

Caliptra-SS has following specifications for "Zeroization of Secret Partitions".

1. DAI Write requests to secret are discarded by FuseC in debug mode.
2. DAI read requests to secret cause error because we should lock by digest after program.
3. otp_broadcast_o signal from FuseC is zeroized when device is in or going to SCRAP LC state.
   　That is, it is not zeroized in other than SCRAP LC state.
4. otp_broadcast_o signal is only connected to Caliptra Core and the values are stored in the soc_ifc register.
5. The secret values in the soc_ifc register are cleared in below cases, so Caliptra Core cannot read those in debug mode.
   　- other than MANUF LC state and PROD LC state
   　- debug_locked = 0

In conclusion, we understand that it could be said the secret assets are secure as below.
・From No.1 and No.2,
　No one can read secret via DAI because FuseC doesn't handle the requests in debug mode after program.
・From No.3 - No.5,
　otp_broadcast_o signal itself isn't zeroized in debug mode, but it is only connected to Caliptra Core and Caliptra Core has the feature to clear the secret.
　So even Caliptra Core, the only which can get secret assets, cannot read those in debug mode.