docs(chip/security): correct secure-boot-lifecycle-evidence to development-prototype status

The doc claimed 'no firmware authentication or lifecycle enforcement' and
marked lifecycle/OTP/image-auth/rollback as BLOCKED — all now factually
outdated by W2-W9. Update the status and evidence table to point at the real
mask-ROM verifier, e1_lc_ctrl/e1_otp_map RTL, DICE chain, provisioning, and
negative-evidence transcripts (with their gates). Non-Claims still bar any
production/silicon secure-boot or AVB claim. key-ceremony.md is left as a
specification (no real HSM exists — operational/physical dependency).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: lalalune

packages/chip/docs/security/secure-boot-lifecycle-evidence.md

@@ -1,24 +1,28 @@
 # Secure Boot and Lifecycle Evidence
 
-Status: BLOCKED for production secure boot.
+Status: development secure-boot prototype — host and simulation evidence
+complete; production (silicon) secure boot is not claimed (see Non-Claims).
 
-This repository currently contains a e1-chip identity ROM, not a secure boot
-implementation. The ROM exposes the platform contract words `OPSO`, `CHIP`,
-contract version `1`, and a boot-vector placeholder. It has no firmware
-authentication or lifecycle enforcement.
+The repository now implements the OPNPHN01 secure-boot chain in firmware and
+RTL with reproducible host/simulation evidence: a constant-time mask-ROM
+verifier, a one-hot lifecycle controller, an OTP controller model, a DICE
+measurement chain, ATE provisioning + readback, and negative-evidence
+rejection transcripts. Production secure boot still depends on silicon — the
+OTP macro, the OpenTitan crypto blocks, and on-die entropy — and is not
+asserted from this evidence.
 
 ## Current Evidence
 
 | Surface | Local evidence | Security result |
 |---|---|---|
-| Boot ROM identity words | `rtl/bootrom/e1_bootrom.sv` and platform-contract checks | Contract ROM only; not a trust anchor. |
-| Boot ROM write behavior | `verify/cocotb/test_e1_lifecycle.py` writes ROM offsets and verifies reads stay fixed | Negative evidence that the current ROM is immutable through the MMIO path. |
-| Lifecycle state | No lifecycle RTL, registers, pins, or reset straps | BLOCKED. |
-| eFuse/OTP | No fuse macro, fuse shadow registers, or provisioning flow | BLOCKED. |
-| Root key material | No key hash, public key, certificate chain, or device-unique key source | BLOCKED. |
-| Image authentication | No ROM hash parser, signature verifier, manifest parser, or fail-closed branch | BLOCKED. |
-| Rollback protection | No monotonic counter, version fuse, RPMB, or anti-rollback policy | BLOCKED. |
-| Debug authentication | Package debug bridge is a bring-up bus master; no lifecycle-gated authentication | BLOCKED for production debug lock. |
+| Mask-ROM verifier | `fw/boot-rom/secure/{verify,ed25519_ct,sha256,measure}.c`; host KATs `fw/boot-rom/secure/tests/`; `fw/pmc/src/secure_boot.c` | Constant-time Ed25519 + SHA-256 OPNPHN01 verifier; distinct fail-closed halt code per reject path. |
+| Secure-boot negative evidence | `tests/security/negative/` (`secure-boot-negative-evidence-check`) | Reproducible rejection transcripts: unsigned, tampered payload, wrong key, corrupt header, rollback downgrade, revoked key, lifecycle-below-min, debug-locked unlock denial. |
+| Lifecycle state | `rtl/security/lc/e1_lc_ctrl.sv` + `verify/cocotb/test_e1_lc_ctrl.py` (`security-lifecycle-scope-check`) | One-hot BLANK/DEV/MFG/LOCKED/RMA/SCRAP; permitted-transition enforcement + signed debug-auth; sim-verified. Silicon lifecycle controller integration tracked in rot-integration-check. |
+| eFuse/OTP | `rtl/security/otp/e1_otp_map.sv` + `fw/provisioning/e1_provision.py` (`otp-rtl-check`, `provisioning-readback-check`) | 2-of-3 majority read, write-auth controller, parity-fault halt; provisioning + readback model. Silicon OTP macro BLOCKED. |
+| Root key material / DICE | `fw/dice/cdi.c`; `docs/sw/security/dice-chain.md` (`dice-measurement-chain-check`) | UDS->CDI ladder, DeviceID/Alias key derivation, KAT-validated. UDS silicon entropy (SRAM PUF / keymgr) BLOCKED. |
+| Rollback protection | OTP unary rollback slots in `e1_otp_map.sv` + verifier rollback check | Advance-only monotonic counters; verifier rejects downgrade (negative evidence above). |
+| Debug authentication | `e1_lc_ctrl.sv` signed challenge-response (RoT-verified Ed25519, no XOR) | Lifecycle-gated; LOCKED denies direct debug; sim-verified. RoT crypto binding tracked in rot-integration-check. |
+| RoT integration spine | `rtl/security/rot/e1_rot_top.sv` (`rot-integration-check`) | Ibex + OTP + lifecycle + mailbox + reset-sequencer elaborate and test clean. OpenTitan crypto-block integration BLOCKED (named missing dependency). |
 
 ## Required Evidence Before Any Secure-Boot Claim
 
@@ -50,5 +54,8 @@ these artifacts exist and are locally reproducible:
 
 Do not claim production secure boot, verified boot, device identity,
 hardware-backed key storage, secure debug, anti-rollback, or Android AVB
-enforcement from the current RTL. Those are future requirements, not present
-features.
+enforcement from this host/simulation prototype. The verifier, lifecycle, OTP,
+DICE, and rollback logic above are development evidence only; production secure
+boot requires silicon (the OTP macro, the OpenTitan crypto blocks, and on-die
+entropy) and the manufacturing key ceremony (`key-ceremony.md`). Android AVB
+enforcement is not yet implemented.