Overview

The Earlgrey-PROD.M3 milestone stabilizes the security countermeasures of Earlgrey and its IP blocks for the production tapeout, it adds further I2C features that did not make it into M2, and it fixes a few bugs. After this milestone, the focus shifts to design verification. All hardware IP blocks have been signed off at least at the D2S development stage.

Major changes since Earlgrey-PROD.M2 include:

• Memory scrambling is now implemented with 3 instead of 2 PRINCE cipher half rounds (3 half rounds = 7 effective rounds). This change affects the main and retention SRAMs, the OTBN IMEM and DMEM, and rom_ctrl (#22425, #22948).
• The critical path from TileLink hosts through sram_ctrl to SRAMs and back was shortened by decoupling the TL-UL a_ready from a_valid and other signals on the A channel (#22497, #22588).
• ROM now
  • uses ECDSA P256 instead of RSA (for which OTBN support was removed entirely) for signature verification,
  • loads all (ECC and SPX+) secure boot keys from OTP (as a result we now only build two ROM targets: test ROM and mask ROM),
  • always sets the retention SRAM version field on every boot,
  • always uses 32-bits for SPX+ key pair addresses,
  • expects manifests of major version 2 (#22744).
• Flash_ctrl now allows firmware to deal with multi-bit ECC and ICV errors during firmware selection and verification (#22431) and keeps the fill levels of the mask and data FIFOs in the read pipeline in sync (#22571).
• I2C now includes ACK/NACK control features required for MCTP support (#22551) as well as a bus monitor required for multi-controller support (#22864). Also, race conditions with NACK and transaction boundary handling got fixed, including adding new signals to report errors that end transfers in the ACQ FIFO (#22459, #22460).
• AES now updates its masking PRNG in every clock cycle during data processing to increase the noise floor, which is beneficial for SCA hardening (#22844).
• CSRNG’s command status signaling has been reworked and aligned with EDN to properly signal successful command acknowledgements as well as error responses (#21981), and the supported error conditions have been reworked and extended (#22114, #22488, #22883).
• Keymgr now uses non-deterministic decoy values for KMAC and the sideload ports (#22535).
• Keymgr now aborts into the terminal Invalid state when the Creator Root Key from OTP is invalid during initialization, and it raises an error on any operation in the Invalid state (#22946).
• KMAC now aborts an operation when an invalid sideload key is used, and it handles errors in a more robust way (#22794).
• OTBN’s FI hardening now covers more of its secure wipe logic (#22924).