ROT_STATE Constraints
Because of the nature of the ROT_STATE design, there are several constraints that need to be considered:
- The authentication and verification of firmware executing on the device is a fairly complex process, and as such, slows down the system’s initial boot time.
  - This does not affect wakeup time from sleep modes.
- Only signed code can be executed by the ROM; if the verification or authentication fails, the ROM enters a failure state.
- The Secure Boot features are embedded in the ROM and hardware of the system; they can only be changed on a cold reset of the device.
  - Therefore, it is not possible to start a debug session on an active device if the debug certificates have not already been loaded.
- Life cycle state changes can only occur on a cold reset of the system.
- The managed life cycle model ensures that once a life cycle transition has been made, it cannot be reversed.
- The managed life cycle model includes a Return to Manufacture (RMA) state. This requires authorization from all Roots of Trust in the system.
- Corruption of the LCS configuration data causes the device to revert to a locked state, where there is no access from the debug port and firmware on the device cannot be executed.
  - This is an expected outcome from the security implementation.
  - Management of the life cycle states using the included tools ensures that the configuration data is maintained consistently.
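The following is an added illustration, not ROT_STATE code, of how the life cycle constraints above can be enforced as a single transition policy: changes only on a cold reset, no reversal, RMA only with authorization from every Root of Trust, and corrupted LCS data forcing the locked state. The state names other than RMA and locked, the two-RoT count and the integrity tag are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumed ordered life cycle states; the page names only RMA and the locked state. */
typedef enum { LCS_DEV = 0, LCS_SECURE = 1, LCS_RMA = 2, LCS_LOCKED = 3 } lcs_t;

typedef struct {
    lcs_t    state;
    uint32_t tag;   /* integrity tag over state (constructed: bitwise complement) */
} lcs_config_t;

#define ROT_COUNT    2u                       /* assumed number of Roots of Trust */
#define ROT_ALL_MASK ((1u << ROT_COUNT) - 1u) /* one authorization bit per RoT */

typedef enum {
    LCS_OK, LCS_ERR_LOCKED, LCS_ERR_NO_COLD_RESET,
    LCS_ERR_NOT_FORWARD, LCS_ERR_BAD_TARGET, LCS_ERR_RMA_AUTH
} lcs_result_t;

static uint32_t lcs_tag(lcs_t s) { return ~(uint32_t)s; }

void lcs_write(lcs_config_t *cfg, lcs_t s) { cfg->state = s; cfg->tag = lcs_tag(s); }

/* Boot-time load: any corruption of the LCS data reverts the device to locked,
 * where neither the debug port nor firmware execution is available. */
lcs_t lcs_load(lcs_config_t *cfg) {
    if (cfg->state > LCS_LOCKED || cfg->tag != lcs_tag(cfg->state))
        lcs_write(cfg, LCS_LOCKED);
    return cfg->state;
}

/* Request a life cycle transition; rot_auth_mask carries one bit per authorizing RoT. */
lcs_result_t lcs_transition(lcs_config_t *cfg, lcs_t target, bool cold_reset, uint32_t rot_auth_mask) {
    lcs_t cur = lcs_load(cfg);
    if (cur == LCS_LOCKED)  return LCS_ERR_LOCKED;        /* locked devices accept no changes */
    if (!cold_reset)        return LCS_ERR_NO_COLD_RESET; /* changes only on a cold reset */
    if (target >= LCS_LOCKED) return LCS_ERR_BAD_TARGET;  /* locked is never a requested target */
    if (target <= cur)      return LCS_ERR_NOT_FORWARD;   /* transitions cannot be reversed */
    if (target == LCS_RMA && (rot_auth_mask & ROT_ALL_MASK) != ROT_ALL_MASK)
        return LCS_ERR_RMA_AUTH;                          /* RMA needs every RoT to authorize */
    lcs_write(cfg, target);
    return LCS_OK;
}
```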