PLM Secure Lockdown Flow - 2024.1 English

Versal Adaptive SoC System Software Developers Guide (UG1304)

Document ID: UG1304
Release Date: 2024-05-30
Version: 2024.1 English

Tamper events are selectable and configurable through the CIPS GUI. You can select the tamper response for the tamper event and configure the action using the CIPS configuration GUI. The following table lists the different tamper responses supported by the Tamper Response Register:

Table 1. Tamper Responses
| Field Name | Bits | Type | Reset Value | Description |
|---|---|---|---|---|
| BBRAM_ERASE | 4 | RWSO | 0x0 | Zeroize non-volatile BBRAM key in addition to the tamper response specified. |
| SEC_LOCKDOWN_1 | 3 | RWSO | 0x0 | Setting this bit causes the ROM to issue a secure lockdown and all I/O will be tristated when the tamper event occurs. Only the action of the most significant bit is taken. |
| SEC_LOCKDOWN_0 | 2 | RWSO | 0x0 | Setting this bit causes the ROM to issue a secure lockdown when the tamper event occurs. Only the action of the most significant bit is taken. |
| SYS_RESET | 1 | RWSO | 0x0 | Setting this bit causes the ROM to issue a system reset when the tamper event occurs. Only the action of the most significant bit is taken. |
| SYS_INTERRUPT | 0 | RWSO | 0x0 | Setting this bit causes the ROM to issue a system interrupt when the tamper event occurs. Only the action of the most significant bit is taken. |

Currently, when a tamper event occurs, the BootROM running on the RCU executes the action of the most significant bit that is set in the Tamper Response register. When the response is configured as SEC_LOCKDOWN_x, the BootROM executes the secure lockdown routine to clear the PMC domain and issue a POR. The current limitation is that the BootROM can clear only the PMC domain when a tamper event occurs and the response is configured as SEC_LOCKDOWN_x. Other domains (FPD, LPD, NoC, PL) are not cleared by the BootROM.

The purpose of the PLM Secure Lockdown support is to execute secure lockdown of other domains when the BootROM issues a system level interrupt for the tamper event. To support the secure lockdown of other domains, the tamper response configuration from CIPS based on the user-selected option should be done as follows:

  • The user selects the actual tamper response for the tamper event.
  • CIPS configures SYS_INTERRUPT as the response for SEC_LOCKDOWN_x and SYS_INTERRUPT actions.
  • CIPS writes the actual response configuration to the PMC reserved memory space (RTCA register address 0xF201418C) so that the PLM knows which response to execute.

Secure Lockdown Flow

When a tamper event occurs and the Tamper Response register configuration is SYS_INTERRUPT, secure lockdown flow is triggered. It follows this sequence:

  1. The BootROM running on RCU receives the tamper event as an interrupt.
  2. The BootROM triggers a system level interrupt so that the PLM running on the PPU receives an interrupt notifying that a security violation was detected.
  3. The PLM running on the PPU reads the RTCA reserved space (0xF201418C) to determine the response to be executed.
  4. If the response in the RTCA register is SEC_LOCKDOWN_x, the PLM sends instructions to clear other domains.
  5. Once they are cleared, the PLM sets the TAMPER_TRIG register in the PMC_GLOBAL based on the RTCA register configuration.

    This issues RCU IRQ0 to execute the PMC domain clearing routine if the response is configured as SEC_LOCKDOWN_x.
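
The following C model is an added example, not code from the PLM or from this guide. It shows the most-significant-bit rule from Table 1, the CIPS split between the hardware response and the RTCA word, and the PLM decision in step 4. It assumes the RTCA word reuses the Table 1 bit layout and that a SYS_RESET selection is passed through unchanged; the function names are hypothetical, and BBRAM_ERASE is left out of the split because the page does not say where CIPS places it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bit positions from Table 1 (Tamper Response register). */
#define BBRAM_ERASE    (1u << 4)
#define SEC_LOCKDOWN_1 (1u << 3)
#define SEC_LOCKDOWN_0 (1u << 2)
#define SYS_RESET      (1u << 1)
#define SYS_INTERRUPT  (1u << 0)

/* Only the most significant set action bit in [3:0] is acted on. */
static uint32_t effective_action(uint32_t reg)
{
    for (uint32_t bit = SEC_LOCKDOWN_1; bit != 0; bit >>= 1)
        if (reg & bit)
            return bit;
    return 0; /* no action bit set */
}

/* BBRAM zeroization is additive to whichever action wins. */
static bool bbram_erase_requested(uint32_t reg)
{
    return (reg & BBRAM_ERASE) != 0;
}

/* Model of the CIPS split: the hardware register gets SYS_INTERRUPT for
 * SEC_LOCKDOWN_x and SYS_INTERRUPT selections, while the user's actual
 * choice is kept for the PLM. Assumptions: the RTCA word uses the Table 1
 * layout, and SYS_RESET (or no selection) is passed through unchanged. */
static void cips_split(uint32_t user_sel, uint32_t *hw_action, uint32_t *rtca_action)
{
    uint32_t act = effective_action(user_sel);
    *rtca_action = act;
    *hw_action = (act == SYS_RESET || act == 0) ? act : SYS_INTERRUPT;
}

/* Step 4: the PLM clears the other domains only for SEC_LOCKDOWN_x. */
static bool plm_clears_other_domains(uint32_t rtca_action)
{
    uint32_t act = effective_action(rtca_action);
    return act == SEC_LOCKDOWN_0 || act == SEC_LOCKDOWN_1;
}

int main(void)
{
    uint32_t hw, rtca;
    cips_split(SEC_LOCKDOWN_0 | SYS_INTERRUPT, &hw, &rtca); /* constructed input */
    printf("hw=0x%x rtca=0x%x clear_others=%d\n", (unsigned)hw, (unsigned)rtca,
           plm_clears_other_domains(rtca));
    return 0;
}
```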