Tamper events are interrupts from a tamper monitoring function, and you can select a different response to each tamper event.
Figure 1. Tamper Response System
The tamper monitoring system in CIPS generates interrupts when it detects the following events.
- Supply Glitch
- This event is generated whenever a glitch occurs in the power supply. Glitching the power supply (low or high) can cause insecurely designed state machines to skip states. Glitches are injected at various points in time and vary in pulse width.
- Temperature Deviation
- This event is generated when the device temperature goes out of specification (high or low). A temperature attack is commonly carried out in conjunction with a voltage attack. Both low and high temperatures cause race conditions that can trip just about any type of circuitry.
- Debug (JTAG) toggle detect
- Debug interfaces are used to attack silicon devices. Most frequently this is the JTAG port, but with the growing complexity of devices, more advanced debug interfaces are becoming more prominent. This event is generated when there is a toggle on the debug interfaces.
- Custom User (External MIO) event
- This event is generated when the tamper monitoring system detects an interrupt (active-High) on an external MIO.
- Tamper Register event
- This event is generated when you trigger the tamper system directly by writing to its specific register.
- Voltage Alarm
- This event is generated when the selected voltage supplies are outside the configured thresholds.
CIPS supports different responses to each of these tamper events, which are described below.
- BBRAM Zeroization
- When a tamper event is detected, you must be able to immediately erase the key stored in BBRAM. However, in high-grade crypto applications, it is not sufficient to simply delete the key when done or when a tamper event is detected. The key must be zeroized (erase + verify). CIPS provides this response for all the tamper events.
- Secure Lockdown
- Upon detection of a tamper event, you may want the system to go into some form of lockdown state. CIPS provides the lockdown response for all the tamper events.
- Secure Lockdown (With IO Tristate)
- Some systems require a more severe response to a tamper event, and even secure lockdown is not enough. In such cases it is necessary to also tristate all IO to the device. This makes it impossible for the adversary to gain any level of access to the device after a tamper event. CIPS provides the lockdown with IO Tristate response for all the tamper events.
- System Reset
- You may want to only reset the system upon receiving the tamper event. CIPS provides the System Reset response for all the tamper events.
- System Interrupt
- You may only want to know that a tamper event has occurred. The tamper response system generates an interrupt to the system upon receiving any tamper event.
In PCW, you can select BBRAM Zeroization, Secure Lockdown, Secure Lockdown (With IO Tristate), System Reset, or System Interrupt as the response for each tamper event.
Figure 2. Tamper Events/Response Configuration
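
The erase + verify requirement described under BBRAM Zeroization, shown as an added C example that is not vendor or CIPS code. The `sim_bbram` array, the eight-word key size and all function names are assumptions standing in for real battery-backed key storage.

```c
#include <stddef.h>
#include <stdint.h>

#define KEY_WORDS 8  /* assumed 256-bit key held as eight 32-bit words */

/* Hypothetical stand-in for battery-backed key storage; a real device
 * exposes this through its own controller, not a plain array. */
static volatile uint32_t sim_bbram[KEY_WORDS];

/* Load a constructed sample key so there is something to destroy. */
void sim_load_key(void)
{
    for (size_t i = 0; i < KEY_WORDS; i++)
        sim_bbram[i] = 0xA5A50000u + (uint32_t)i;
}

/* Erase pass: overwrite every word. The volatile qualifier stops the
 * compiler from discarding stores to memory it thinks is never read. */
static void erase_key(volatile uint32_t *mem, size_t words)
{
    for (size_t i = 0; i < words; i++)
        mem[i] = 0u;
}

/* Verify pass: read every word back. Residue is OR-accumulated so all
 * words are always checked, with no early exit on the first mismatch. */
static int verify_zero(const volatile uint32_t *mem, size_t words)
{
    uint32_t residue = 0u;
    for (size_t i = 0; i < words; i++)
        residue |= mem[i];
    return residue == 0u;
}

/* Zeroize = erase + verify. Returns 0 on success, -1 if any word still
 * holds data, so the caller can escalate instead of assuming success. */
int zeroize(volatile uint32_t *mem, size_t words)
{
    erase_key(mem, words);
    return verify_zero(mem, words) ? 0 : -1;
}

/* Entry point a tamper handler would call for the simulated store. */
int sim_zeroize_bbram(void)
{
    return zeroize(sim_bbram, KEY_WORDS);
}
```

A nonzero return from `zeroize` means key material may survive, which is the case a plain delete never reports.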