The register layout and offsets shown in the register table below are identical for both the CSR and JTAG TAP interfaces. Hence the following programming sequences apply to both SW running on the device and SW running on the test appliance that accesses life cycle through the TAP.
-
In order to perform a life cycle transition, SW should first check whether the life cycle controller has successfully initialized and is ready to accept a transition command by making sure that the
STATUS.READY
bit is set to 1, and that all other status and error bits inSTATUS
are set to 0. -
Read the
LC_STATE
andLC_TRANSITION_CNT
registers to determine which life cycle state the device currently is in, and how many transition attempts are still available. -
Claim exclusive access to the transition interface by writing
kMuBi8True
to theCLAIM_TRANSITION_IF
register, and reading it back. If the value read back equals tokMuBi8True
, the hardware mutex has successfully been claimed and SW can proceed to step 4. If the value read back equals to 0, the mutex has already been claimed by the other interface (either CSR or TAP), and SW should try claiming the mutex again. Note that all transition interface registers are protected by the hardware-governedTRANSITION_REGWEN
register, which will only be set to 1 if the mutex has been claimed successfully. -
If required, software can switch to the external clock via the
TRANSITION_CTRL.EXT_CLK_EN
register inRAW
,TEST*
andRMA
life cycle states. This setting is ignored in thePROD*
andDEV
states. -
Write the desired target state to
TRANSITION_TARGET
. For conditional transitions, the corresponding token has to be written toTRANSITION_TOKEN
. For all unconditional transitions, the token registers have to be set to zero. -
An optional, but recommended step is to read back and verify the values written in steps 4. and 5. before proceeding with step 7.
-
Write 1 to the
TRANSITION_CMD.START
register to initiate the life cycle transition. -
Poll the
STATUS
register and wait until eitherSTATUS.TRANSITION_SUCCESSFUL
or any of the error bits is asserted. TheTRANSITION_REGWEN
register will be set to 0 while a transition is in progress in order to prevent any accidental modifications of the transition interface registers during this phase. -
Reset the device so that the new life cycle state becomes effective.
Note that all life cycle state transition increments the LC_TRANSITION_CNT
and moves the life cycle state into the temporary POST_TRANSITION state - even if the transition was unsuccessful.
Hence, step 8. cannot be carried out in case device SW is used to implement the programming sequence above, since the processor is disabled in the POST_TRANSITION life cycle state.
This behavior is however not of concern, since access to the transition interface via the CSRs is considered a convenience feature for bringup in the lab. It is expected that the JTAG TAP interface is used to access the life cycle transition interface in production settings.
Note that this functionality is only available on test chips where the design is compiled with SecVolatileRawUnlockEn = 1. On production silicon this option will be disabled.
-
In order to perform a volatile
RAW
->TEST_UNLOCKED0
life cycle transition, SW should first check whether the life cycle controller has successfully initialized and is ready to accept a transition command by making sure that theSTATUS.READY
bit is set to 1, and that all other status and error bits inSTATUS
are set to 0. -
Read the
LC_STATE
andLC_TRANSITION_CNT
registers and make sure that the device is in theRAW
life cycle state. -
Claim exclusive access to the transition interface by writing
kMuBi8True
to theCLAIM_TRANSITION_IF
register, and reading it back. If the value read back equals tokMuBi8True
, the hardware mutex has successfully been claimed and SW can proceed to step 4. If the value read back equals to 0, the mutex has already been claimed by the other interface (either CSR or TAP), and SW should try claiming the mutex again. Note that all transition interface registers are protected by the hardware-governedTRANSITION_REGWEN
register, which will only be set to 1 if the mutex has been claimed successfully. -
To request a volatile
RAW
->TEST_UNLOCKED0
transition SW should set theTRANSITION_CTRL.VOLATILE_RAW_UNLOCK
to 1. Software can check whether volatile unlock is supported by reading the register after writing 1 to it. If the mechanism is available, the register reads back as 1, otherwise it reads back 0. -
If required, software can switch to the external clock via the
TRANSITION_CTRL.EXT_CLK_EN
register. -
Write
TEST_UNLOCKED0
toTRANSITION_TARGET
. TheTRANSITION_TOKEN
needs to be set to the hashed unlock token value, since the value written will not be passed through KMAC in this case. -
An optional, but recommended step is to read back and verify the values written in steps 4. - 6. before proceeding with step 8.
-
If the goal is to gain access to either of the TAPs that are only available in
TEST_UNLOCKED*
life cycle states, the hardware straps should be applied before proceeding to the next step. The pinmux will resample them if the volatile unlock operation is successful and steer the TAP selection demux accordingly. -
Write 1 to the
TRANSITION_CMD.START
register to initiate the life cycle transition. -
Poll the
STATUS
register and wait until eitherSTATUS.TRANSITION_SUCCESSFUL
or any of the error bits is asserted. TheTRANSITION_REGWEN
register will be set to 0 while a transition is in progress in order to prevent any accidental modifications of the transition interface registers during this phase.
Note that if a volatile RAW
unlock operation has been performed, it is not necessary to reset the chip and the life cycle controller accepts further transition commands.
The LC_TRANSITION_CNT
will not be incremented and the life cycle state will not be moved to the temporary POST_TRANSITION state.