15.2.6.3 Bitstream Initialization
(Ask a Question)Non-HSM flow supports the following programming bit stream options:
- Trusted Facility Bitstream
- Initiater Bitstream
- UEK1/UEK2/UEK3 Update Bitstream
15.2.6.3.1 Trusted Facility Bitstream
(Ask a Question)This bitstream type can program Fabric and/or eNVM. It does not program device security. The entire bitstream is encrypted with the KLK encryption key.
15.2.6.3.2 Initiater Bitstream
(Ask a Question)Supports initial programming of Security and other optional components such as Fabric and eNVM. The entire bit stream is encrypted with the KLK encryption key.
After initial programming with user keys, all Microchip factory default key modes, including KLK, DFK, KFP, and KFPE key modes, become disabled. After this step, the device becomes secured, and further updates can be applied in an untrusted environment (see UEK1/2/3 Update Bitstream).
- Per security policy, programming of UEK1 or UEK2 programs the UPK1 or UPK2 passkeys respectively, and lock security segment. As a result, ERASE and VERIFY actions in generated bit stream files or programming jobs contain plain text UPK1/UPK2 values. This is required to unlock security segments for the programming actions when using the non-HSM flow (the HSM- based flow uses encrypted one-time passcodes).
- Factory ECC key modes (KFP, KFPE) are only available for M2S060, M2GL060, M2S090, M2GL090, M2S150, and M2GL150 devices.
15.2.6.3.3 UEK1/2/3 Update Bitstream
(Ask a Question)A device programmed with a Initiater bit stream can later be updated using an Update bit stream. This bit stream can reprogram Fabric and/or eNVM device features only. Device security cannot be updated in this flow.
- If Fabric or eNVM device components targeted by this bit stream are protected by FlashLock or UPK1, the plain text value of UPK1 will be included in the exported bit stream file/programming job when using the non-HSM flow.
- UEK3 is only available for M2S060, M2GL060, M2S090, M2GL090, M2S150, and M2GL150 devices.