Secure Lockdown Support in PLM - 2023.1 English

Versal Adaptive SoC System Software Developers Guide (UG1304)

Document ID
UG1304
Release Date
2023-05-16
Version
2023.1 English

Following are the different scenarios for triggering a secure lockdown in the PLM:

Tamper Event

When a tamper event occurs, the response is configured as SYS_INTERRUPT in the TAMPER_RESP_X register and the actual secure lockdown response is configured in the reserved RTCA location. The sequence is described in PLM Lockdown Flow.

Boot Failures

When a boot failure occurs and the Halt-on-Boot eFuses are programmed, a secure lockdown is triggered in the PLM. If the boot mode is not JTAG and PLM_DEBUG_MODE is not enabled, the PLM checks if the Halt-on-Boot eFuse is programmed:

  • If it is not blown, it executes multiboot.
  • If the eFuse is programmed, it executes secure lockdown with the SEC_LOCKDOWN_0 response same as the BootROM implementation and then triggers TAMPER_RESP_0 to RCU for executing the secure lockdown of the PMC.

Secure Lockdown over IPI

When a host issues the TamperTrigger IPI command to the PLM, a secure lockdown is triggered.

This API is supported by the IPI which has a single payload to mention the tamper response. Valid tamper responses are SEC_LOCKDOWN_0, SEC_LOCKDOWN_1, and SRST. This function validates the tamper response payload argument that is received. If a valid tamper response is received in the command, it executes the received tamper response. Otherwise, it returns a unique error code.

Table 1. Tamper Trigger IPI Command Format
Command Format
Reserved [31:25] = 0x0 Security Flag [24] Length [23:16] =1 PLM=1 CMD_TAMPER_TRIGGER=35
Reserved [31:8] Tamper Response [7:0]

This command triggers the Tamper Response. If successful, the PLM does not send any response as it is handed off to the BootROM running on RCU. Valid tamper responses are:

Table 2. Valid Tamper Responses
Field Name Bits Description
BBRAM_ERASE 4 Zeroize non-volatile BBRAM key in addition to the tamper response specified.
SYS_LOCKDOWN_1 3 Secure lockdown with I/O tristated. If multiple bits are set, only the MSB bit is taken.
SYS_LOCKDOWN_0 2 Secure lockdown without I/O tristated. If multiple bits are set, only MSB bit is taken.
SRST 1 System reset.
Reserved 0 Not valid.