Following are the different scenarios for triggering a secure lockdown in the PLM:
When a tamper event occurs, the response is configured as SYS_INTERRUPT in the TAMPER_RESP_X register and the actual secure lockdown response is configured in the reserved RTCA location. The sequence is described in PLM Lockdown Flow.
When a boot failure occurs and the Halt-on-Boot eFuses are programmed, a secure lockdown is triggered in the PLM. If the boot mode is not JTAG and PLM_DEBUG_MODE is not enabled, the PLM checks if the Halt-on-Boot eFuse is programmed:
- If it is not blown, it executes multiboot.
- If the eFuse is programmed, it executes secure lockdown with the SEC_LOCKDOWN_0 response, the same as the BootROM implementation, and then triggers TAMPER_RESP_0 to RCU for executing the secure lockdown of the PMC.
Secure Lockdown over IPI
When a host issues the TamperTrigger IPI command to the PLM, a secure lockdown is triggered.
This API is supported over IPI and takes a single payload that specifies the tamper response. Valid tamper responses are SRST. This function validates the tamper response payload argument that is received. If a valid tamper response is received in the command, it executes the received tamper response. Otherwise, it returns a unique error
| Reserved [31:25] = 0x0 | Security Flag | Length [23:16] = 1 | PLM = 1 | CMD_TAMPER_TRIGGER = 35 |

| Reserved [31:8] | Tamper Response [7:0] |

This command triggers the Tamper Response. If successful, the PLM does not send any response as it is handed off to the BootROM running on RCU. Valid tamper responses are:
| BBRAM_ERASE | 4 | Zeroize non-volatile BBRAM key in addition to the tamper response specified. |
| SYS_LOCKDOWN_1 | 3 | Secure lockdown with I/O tristated. If multiple bits are set, only the MSB bit is taken. |
| SYS_LOCKDOWN_0 | 2 | Secure lockdown without I/O tristated. If multiple bits are set, only the MSB bit is taken. |
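
The two command words and the "only the MSB bit is taken" rule can be worked through in C; this is an added example, not code from the original page or from the PLM sources. It assumes that the middle column of the response table is a bit index, that the module ID and command ID occupy header bits [15:8] and [7:0], and that BBRAM_ERASE acts as a modifier on top of the selected lockdown; the struct and function names are hypothetical, and SRST is left out because the page gives no value for it.

```c
#include <stdint.h>
#include <stdio.h>

/* Values stated on the page. */
#define PLM_MODULE_ID       1u   /* PLM = 1 */
#define CMD_TAMPER_TRIGGER  35u  /* CMD_TAMPER_TRIGGER = 35 */
#define PAYLOAD_LEN         1u   /* Length [23:16] = 1 */

/* Assumption: the middle column of the response table is a bit index. */
#define RESP_SYS_LOCKDOWN_0 (1u << 2)
#define RESP_SYS_LOCKDOWN_1 (1u << 3)
#define RESP_BBRAM_ERASE    (1u << 4)

/* Header word. Length [23:16] is from the page; module ID in [15:8] and
 * command ID in [7:0] are assumed. Reserved and Security Flag bits stay 0. */
uint32_t tamper_trigger_header(void)
{
    return (PAYLOAD_LEN << 16) | (PLM_MODULE_ID << 8) | CMD_TAMPER_TRIGGER;
}

/* Decoded view of the payload word (hypothetical struct, for illustration). */
struct tamper_resp {
    int reserved_ok;    /* 1 if Reserved [31:8] is all zero */
    uint32_t lockdown;  /* effective lockdown bit, 0 if neither is set */
    int bbram_erase;    /* 1 if BBRAM zeroization is requested in addition */
};

struct tamper_resp decode_tamper_resp(uint32_t payload)
{
    struct tamper_resp r;
    r.reserved_ok = (payload & 0xFFFFFF00u) == 0;
    /* "If multiple bits are set, only the MSB bit is taken." */
    r.lockdown = (payload & RESP_SYS_LOCKDOWN_1) ? RESP_SYS_LOCKDOWN_1
               : (payload & RESP_SYS_LOCKDOWN_0);
    r.bbram_erase = (payload & RESP_BBRAM_ERASE) != 0;
    return r;
}

int main(void)
{
    uint32_t payload = 0x1Cu; /* constructed: both lockdown bits + BBRAM_ERASE */
    struct tamper_resp r = decode_tamper_resp(payload);
    printf("header=0x%08X payload=0x%08X lockdown=0x%X bbram_erase=%d\n",
           (unsigned)tamper_trigger_header(), (unsigned)payload,
           (unsigned)r.lockdown, r.bbram_erase);
    return 0;
}
```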