ROT_STATE Constraints

Because of the nature of the ROT_STATE design, there are several constraints that need to be considered:

  • The authentication and verification of firmware executing on the device is a fairly complex process, and as such, slows down the system’s initial boot time.
    • This does not affect wakeup time from sleep modes.
    • Only signed code can be executed by the ROM; if the verification or authentication fails, the ROM enters a failure state.
  • The Secure Boot features are embedded in the ROM and hardware of the system; they can only be changed on a cold reset of the device.
    • Therefore, it is not possible to start a debug session on an active device if the debug certificates have not already been loaded.
    • Life cycle state changes can only occur on a cold reset of the system.
  • The managed life cycle model ensures that once a life cycle transition has been made, it cannot be reversed.
  • The managed life cycle model includes a Return to Manufacture (RMA) state. This requires authorization from all Roots of Trust in the system.
  • Corruption of the LCS configuration data causes the device to revert to a locked state, where there is no access from the debug port and firmware on the device cannot be executed.
    • This is an expected outcome from the security implementation.
    • Management of the life cycle states using the included tools ensures that the configuration data is maintained consistently.
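The constraints above as an added example, not code from the original page or from the ROT_STATE implementation: a small life-cycle model that refuses changes outside a cold reset, never moves backwards, admits RMA only with every root of trust's authorization, and drops into the locked state when the configuration data fails its integrity check. The state names, the HMAC-SHA256 integrity tag and the root-of-trust names are assumptions made for illustration.

```python
import hashlib
import hmac
from enum import IntEnum


class LCS(IntEnum):
    # Assumed state names; a transition may only move to a higher value.
    CHIP_MANUFACTURE = 0
    DEVICE_MANUFACTURE = 1
    SECURED = 2
    RMA = 3           # reached only with authorization from every root of trust
    LOCKED = 4        # entered when the configuration data fails its integrity check


CONFIG_KEY = b"constructed-demo-key"  # constructed; a real device keeps this in fuses


def config_tag(config: bytes) -> bytes:
    """Integrity tag over the LCS configuration blob (assumed HMAC-SHA256 scheme)."""
    return hmac.new(CONFIG_KEY, config, hashlib.sha256).digest()


class LifeCycle:
    def __init__(self, roots_of_trust, state=LCS.CHIP_MANUFACTURE):
        self.roots = set(roots_of_trust)  # every RoT must approve an RMA request
        self.state = state

    def transition(self, new_state, *, cold_reset, authorizing_roots=()):
        """Advance the life cycle: only on a cold reset, never backwards, never out
        of LOCKED, and into RMA only with every root of trust's authorization."""
        if not cold_reset:
            raise PermissionError("life cycle changes require a cold reset")
        if self.state is LCS.LOCKED or new_state <= self.state or new_state is LCS.LOCKED:
            raise PermissionError(f"{self.state.name} -> {new_state.name} not allowed")
        missing = self.roots - set(authorizing_roots)
        if new_state is LCS.RMA and missing:
            raise PermissionError(f"RMA refused, missing authorization: {sorted(missing)}")
        self.state = new_state

    def load_config(self, config: bytes, tag: bytes) -> None:
        """Corrupted configuration data drops the device into the locked state."""
        if not hmac.compare_digest(config_tag(config), tag):
            self.state = LCS.LOCKED

    def debug_port_open(self, debug_certs_loaded: bool) -> bool:
        # No debug access when locked, nor unless the certificates were loaded before reset.
        return self.state is not LCS.LOCKED and debug_certs_loaded

    def firmware_may_execute(self) -> bool:
        return self.state is not LCS.LOCKED
```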