8.1.1.1 Cryptography Subsystem Keybus

The keybus is a private bus transferring keys from hosts (TRNG, OTPC) to clients (AES, TDES, TZAESB, OTPC) with no possibility for processor nor software to read the keys.

All clients except TZAEB have only one physical key, which is either secure or non-secure at time t. TZAESB has two keys, one secure and one non-secure.

Generally, for all IPs:
  • Kid = 0, the key is secure.
  • Kid = 1, the key is non-secure.

So, if Kid = 1 and the device is in the TrustZone Secure state, access is refused and a violation flag is set in the write protect status of the client.

The key used by the crypto IPs is provided either by the keybus internal register or by the IPs internal key register (KEYWR). To select the keybus as a source for AES, TDES and TZAEB, the PKRS bit must be set in the MR/EMR register.

At host level, the client destination, key length and key type (secure or non-secure) must be defined before starting the transfer.

The device features a keybus system with two hosts and four clients, connected as shown in the following figure.

Figure 8-1. Cryptography Keybus