ROM Life Cycle States (LCS) & Operational Modes
The standard Arm CryptoCell-312 secure life cycle model allows for four life cycle states:
- CM - Chip Manufacture
- DM - Device Manufacture
- SE - Secure
The transitions between these states are strictly defined by the life cycle model, and we have maintained this in our system.
In addition to the standard Arm life cycle states, we have added a production state before CM, which reflects the possibility of a device coming from manufacture with an unconfigured OTP. In this case, the ROM does not allow application code to be run, but it does allow the device to be configured to enter CM state.
In parallel to the secure life cycle model, we also provide for a non-secure model in which the device is defined to be in Energy-Harvesting (EH) state. In this case, the Root of Trust security features are turned off, and security instead depends on a mechanism in which valid applications unlock the device.
A device in Production state can be configured to be in EH state. If this is not explicitly configured, then the device is treated as a secure device.
- A completely unconfigured device is defined to be in Production state.
- In this state, the device can be configured as either a secure device or a non-secure device.
- In this state, no executable code is run on power-up.
- In manufacturing, we expect all devices to be set as non-secure devices.
- A non-secure device has a signature indicating its state in OTP.
- In order to transition from the non-secure state to a secure state, this signature needs to be removed.
- As the signature resides in OTP, it cannot be reinstated once it has been deleted. This provides a one-way transition from non-secure to secure state.
- Once a device is set to secure, there is no mechanism to bring it back to non-secure.
IMPORTANT: If a device is in the Production state, it is possible to go directly to a secure state without transitioning through the non-secure state. In this case, care must be taken to clear the non-secure signature locations, as otherwise it can be possible to revert the device to non-secure. See the RSL15 Security User's Guide for more information on device transitions.
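The one-way transition and the IMPORTANT note above, modelled as an added example (not the RSL15 ROM code or its real OTP layout). It assumes blank OTP reads 0, programming can only set bits, and an intact signature takes precedence at boot; the signature value `EH_SIGNATURE`, the `otp_t` fields and all function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model assumptions, not the RSL15 OTP map: blank OTP reads 0, programming
 * only sets bits (0 -> 1), and the signature value below is made up. */
#define EH_SIGNATURE 0x4E48A55Au /* hypothetical non-secure (EH) marker */
#define BURNED 0xFFFFFFFFu       /* all bits programmed: marker destroyed */

typedef struct { uint32_t eh_sig; bool secure_cfg; } otp_t;
typedef enum { LCS_PRODUCTION, LCS_EH, LCS_SECURE } lcs_t;

/* One-way OTP write: bits already set can never be cleared again. */
static void otp_program(uint32_t *word, uint32_t value) { *word |= value; }

/* Boot-time decision in this model: an intact signature means EH. */
lcs_t lcs_read(const otp_t *o) {
    if (o->eh_sig == EH_SIGNATURE) return LCS_EH;
    if (o->eh_sig == 0 && !o->secure_cfg) return LCS_PRODUCTION;
    return LCS_SECURE;
}

void set_nonsecure(otp_t *o) { otp_program(&o->eh_sig, EH_SIGNATURE); }

/* Move to secure; clear_sig burns the signature location (the IMPORTANT note). */
void set_secure(otp_t *o, bool clear_sig) {
    o->secure_cfg = true;
    if (clear_sig) otp_program(&o->eh_sig, BURNED);
}

/* Provisioning check: can the location still be programmed into a valid
 * signature? True while no bit outside the signature pattern is set. */
bool sig_still_writable(const otp_t *o) {
    return (o->eh_sig & ~EH_SIGNATURE) == 0;
}

int main(void) {
    otp_t a = {0, false}, b = {0, false};
    set_nonsecure(&a); set_secure(&a, true); /* Production -> EH -> secure */
    set_secure(&b, false);                   /* Production -> secure, location left blank */
    printf("a: lcs=%d writable=%d\n", lcs_read(&a), sig_still_writable(&a));
    printf("b: lcs=%d writable=%d\n", lcs_read(&b), sig_still_writable(&b));
    set_nonsecure(&a); set_nonsecure(&b);    /* later write of the signature */
    printf("after write: a lcs=%d, b lcs=%d\n", lcs_read(&a), lcs_read(&b));
    return 0;
}
```

In this model, device `b` reads as secure but fails the `sig_still_writable` check, which is the condition a provisioning line would want to reject before shipping.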