Tamper events are selectable and configurable through the CIPS GUI. You can select the tamper response for the tamper event and configure the action using the CIPS configuration GUI. The following table lists the different tamper responses supported by the Tamper Response Register:
Field Name | Bits | Type | Reset Value | Description |
---|---|---|---|---|
BBRAM_ERASE | 4 | RWSO | 0x0 | Zeroize non-volatile BBRAM key in addition to the tamper response specified. |
SEC_LOCKDOWN_1 | 3 | RWSO | 0x0 | Setting this bit causes the ROM to issue a secure lockdown and all I/O will be tristated when the tamper event occurs. Only the action of the most significant bit is taken. |
SEC_LOCKDOWN_0 | 2 | RWSO | 0x0 | Setting this bit causes the ROM to issue a secure lockdown when the tamper event occurs. Only the action of the most significant bit is taken. |
SYS_RESET | 1 | RWSO | 0x0 | Setting this bit causes the ROM to issue a system reset when the tamper event occurs. Only the action of the most significant bit is taken. |
SYS_INTERRUPT | 0 | RWSO | 0x0 | Setting this bit causes the ROM to issue a system interrupt when the tamper event occurs. Only the action of the most significant bit is taken. |
Currently, when a tamper event occurs, the BootROM running on the RCU executes the action of the most significant bit that is set in the Tamper Response register. When the response is configured as SEC_LOCKDOWN_x, the BootROM executes the secure lockdown routine to clear the PMC domain and issue POR. The current limitation is that the BootROM can only clear the PMC domain when a tamper event occurs and the response is configured as SEC_LOCKDOWN_x. Other domains (FPD, LPD, NoC, PL) are not cleared by the BootROM.
The purpose of the PLM Secure Lockdown support is to execute secure lockdown of other domains when the BootROM issues a system level interrupt for the tamper event. To support the secure lockdown of other domains, the tamper response configuration from CIPS based on the user-selected option should be done as follows:
- The user selects the actual tamper response for the tamper event.
- CIPS configures SYS_INTERRUPT as the response for SEC_LOCKDOWN_x and SYS_INTERRUPT actions.
- CIPS configures the actual response configuration to PMC reserved memory space (RTCA Register Address 0xF201418C) so that the PLM knows which response to execute.
Secure Lockdown Flow
When a tamper event occurs and the Tamper Response register configuration is SYS_INTERRUPT, secure lockdown flow is triggered. It follows this sequence:
- The BootROM running on RCU receives the tamper event as an interrupt.
- The BootROM triggers a system level interrupt so that the PLM running on the PPU receives an interrupt notifying that a security violation was detected.
- The PLM running on the PPU reads the RTCA reserved space (0xF201418C) to determine the response to be executed.
- If the response in the RTCA register is SEC_LOCKDOWN_x, the PLM sends instructions to clear other domains.
- Once they are cleared, the PLM sets the TAMPER_TRIG register in the PMC_GLOBAL based on the RTCA register configuration. This issues RCU IRQ0 to execute the PMC domain clearing routine if the response is configured as SEC_LOCKDOWN_x.
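The priority decode of the Tamper Response register and the CIPS split between the hardware register and the RTCA word, modeled as an added example (not AMD, CIPS, or PLM code). Type and function names are hypothetical, and the model assumes the RTCA word reuses the register's bit encoding and that a SYS_RESET selection is passed through unchanged.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bit positions from the Tamper Response register table. */
#define TR_SYS_INTERRUPT  (1u << 0)
#define TR_SYS_RESET      (1u << 1)
#define TR_SEC_LOCKDOWN_0 (1u << 2)
#define TR_SEC_LOCKDOWN_1 (1u << 3)
#define TR_BBRAM_ERASE    (1u << 4)
#define TR_LOCKDOWN_ANY   (TR_SEC_LOCKDOWN_0 | TR_SEC_LOCKDOWN_1)

/* Hypothetical types for this example; not PLM or CIPS structures. */
struct tamper_response { uint32_t action; bool erase_bbram; };
struct cips_config { uint32_t hw_action; uint32_t rtca_action; };

/* Only the most significant set action bit (3..0) is acted on;
 * BBRAM_ERASE (bit 4) applies in addition to that action. */
struct tamper_response decode_response(uint32_t reg)
{
    struct tamper_response r = { 0, (reg & TR_BBRAM_ERASE) != 0 };
    for (uint32_t bit = TR_SEC_LOCKDOWN_1; bit != 0; bit >>= 1) {
        if (reg & bit) { r.action = bit; break; }
    }
    return r;
}

/* CIPS split for one selected action bit: SEC_LOCKDOWN_x and SYS_INTERRUPT go
 * to hardware as SYS_INTERRUPT; the selection itself is kept in the RTCA word.
 * Assumption: SYS_RESET is passed through unchanged. */
struct cips_config split_response(uint32_t selected)
{
    struct cips_config c = { selected, selected };
    if (selected & (TR_LOCKDOWN_ANY | TR_SYS_INTERRUPT))
        c.hw_action = TR_SYS_INTERRUPT;
    return c;
}

/* PLM side: clear other domains only if the interrupt path was taken and
 * the RTCA word (assumed same bit encoding) holds SEC_LOCKDOWN_x. */
bool plm_clears_other_domains(uint32_t hw_reg, uint32_t rtca_action)
{
    return decode_response(hw_reg).action == TR_SYS_INTERRUPT &&
           (rtca_action & TR_LOCKDOWN_ANY) != 0;
}

int main(void)
{
    struct cips_config c = split_response(TR_SEC_LOCKDOWN_1);
    printf("hw=0x%x rtca=0x%x\n", (unsigned)c.hw_action, (unsigned)c.rtca_action);
    return 0;
}
```

When auditing a configuration, check both values together: a hardware register reading SYS_INTERRUPT says nothing about whether lockdown will run until the RTCA word is inspected as well.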