54.4.11.1 Private Key Bus

The AES provides secure key transfer that requires a transfer command only, thus avoiding any manipulation of the key by software.

The AES features a set of Private Key internal registers that can be accessed only through the dedicated Private Key bus from the TRNG or OTPC.

The Private Key internal registers cannot be read from any peripheral or from software.

The AES key used by the encryption/decryption engine is either the content of the Private Key internal registers or the key loaded by software through the AES_KEYWRx registers.

To select the Private Key internal registers as the source of the AES key, AES_EMR.PKRS must be written to ‘1’.

When AES_EMR.PKRS is modified, it is mandatory to perform either a key write or a write to AES_CR.KSWP. The key write is mandatory when a new key value must be used. Writing AES_CR.KSWP to ‘1’ is mandatory if the key has been previously written and is selected again after using another key.

If both the Private Key internal registers and a software-loaded key are already written, selecting one or the other requires only configuring AES_EMR.PKRS before writing AES_CR.KSWP=1.

To write the Private Key internal registers, the software must:
  1. Write a ‘1’ in AES_EMR.PKRS.
  2. Trigger the key transfer over the Private Key bus from the TRNG or OTPC key bus host.
  3. Wait for completion of the transfer signaled in the TRNG or OTPC Status register.
  4. Check for any access violation in AES_WPSR.PKRPVS.

While AES_EMR.PKWL=0, it is possible to write the Private Key internal registers as many times as required.

As soon as AES_EMR.PKWL=1, the next write sequence to the Private Key internal registers is the last one. Any further write sequence to the Private Key internal registers has no effect, which provides write protection for these registers. A hardware reset is the only way to exit the write-protected state.
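The load sequence and the key-selection rule above, as an added host-testable C example (not code from the datasheet or the vendor). The register layout, bit positions and the key-bus transfer hook are constructed placeholders; the real offsets come from the AES, TRNG and OTPC register descriptions.

```c
/* Added example, not from the datasheet: driver-side sequence for the AES
 * Private Key bus. Register struct, bit positions and the transfer hook are
 * constructed placeholders standing in for the real memory-mapped block. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define AES_EMR_PKRS    (1u << 0)  /* placeholder: Private Key Register Select */
#define AES_EMR_PKWL    (1u << 1)  /* placeholder: Private Key Write Lock */
#define AES_CR_KSWP     (1u << 0)  /* placeholder: Key Swap */
#define AES_WPSR_PKRPVS (1u << 0)  /* placeholder: PK register violation status */

typedef struct {
    volatile uint32_t EMR, CR, WPSR;
    volatile uint32_t KEYWR[8];    /* AES_KEYWRx, software-loaded key */
} aes_regs_t;

static aes_regs_t aes_mock;        /* host stand-in for the AES register block */
#define AES (&aes_mock)

/* Hook for steps 2 and 3: trigger the TRNG or OTPC transfer and wait until
 * that peripheral's status register reports completion. Host stub does nothing. */
static void host_stub_transfer(void) {}
void (*key_bus_transfer)(void) = host_stub_transfer;

/* Steps 1 to 4: load the Private Key internal registers. Returns false if the
 * AES flags an access violation (e.g. a write attempted after PKWL locked). */
bool aes_load_private_key(void)
{
    AES->EMR |= AES_EMR_PKRS;                      /* 1: select PK source */
    key_bus_transfer();                            /* 2 and 3 */
    return (AES->WPSR & AES_WPSR_PKRPVS) == 0;     /* 4: check PKRPVS */
}

/* Make the next Private Key load the last one; only a hardware reset clears it. */
void aes_lock_private_key(void) { AES->EMR |= AES_EMR_PKWL; }

/* Switch key source. A change of PKRS must be followed by a key write (new
 * software key) or by AES_CR.KSWP=1 (the key on that side is already loaded). */
void aes_select_key(bool use_private_key, const uint32_t *sw_key, size_t words)
{
    if (use_private_key) AES->EMR |= AES_EMR_PKRS;
    else                 AES->EMR &= ~AES_EMR_PKRS;

    if (!use_private_key && sw_key != NULL) {
        for (size_t i = 0; i < words && i < 8; i++) AES->KEYWR[i] = sw_key[i];
    } else {
        AES->CR = AES_CR_KSWP;   /* re-select a key that is already present */
    }
}
```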

Figure 54-17. Key Selection