54.5.5.3 Enroll Operation
During the Enroll operation, the SRAM startup values are read, an intrinsic PUF key is generated, and the corresponding activation code is derived. The activation code must be stored in a non-volatile memory area for future use.
During enrollment, the PUF controller verifies that the PUF SRAM contains startup data of sufficient quality. If that is not the case, enrollment is terminated and the PUF controller responds with an error indication. Any (partially) provided activation code must then be discarded.
After successful completion of the Enroll operation, the diagnostic information about the PUF quality is provided in PUF_PSR.
The activation code is not sensitive (it does not contain any information about the corresponding intrinsic PUF key) and is unique for every device and every enrollment. It can therefore be stored in a non-secure memory area.
The activation code and the intrinsic PUF key are linked to a device, and cannot be used on another device. Every time an enrollment is performed, a new intrinsic PUF key is generated together with its activation code.
The intrinsic PUF key always stays inside the PUF controller and is never output to the rest of the system.
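The following is an added toy model, not the PUF controller's actual algorithm, that illustrates the Enroll properties described above using a simplified code-offset construction: a startup-quality check that rejects biased SRAM data, an activation code that is the XOR of a codeword with the startup bits (so it reveals nothing about the key on its own), and reconstruction that only succeeds with the enrolling device's SRAM. The device fingerprints, the 5-bit repetition code and the bias thresholds are all constructed assumptions.

```python
import secrets

REP = 5  # toy repetition code: each key bit is spread over REP SRAM bits


def bits(data: bytes):
    """Expand bytes into a list of bits, most significant bit first."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


# Constructed SRAM startup fingerprints for two imaginary devices (80 bits each).
DEVICE_A = bits(bytes.fromhex("a53c96c35a690ff033cc"))
DEVICE_B = bits(bytes.fromhex("1ee12dd24bb4877855aa"))


def sram_quality_ok(startup, lo=0.35, hi=0.65):
    """Toy quality check: reject startup data too biased toward all-0 or all-1."""
    return lo <= sum(startup) / len(startup) <= hi


def enroll(startup, nbits=16):
    """Toy Enroll: returns (key, activation_code), or None on poor startup data.
    On None the caller must discard anything it already stored."""
    if len(startup) != nbits * REP or not sram_quality_ok(startup):
        return None
    key = [secrets.randbits(1) for _ in range(nbits)]  # fresh key per enrollment
    codeword = [b for b in key for _ in range(REP)]
    activation_code = [c ^ s for c, s in zip(codeword, startup)]
    return key, activation_code


def reconstruct(startup, activation_code):
    """Recover the key from a later (slightly noisy) readout plus the activation code.
    Majority vote per REP-bit chunk corrects up to REP // 2 flipped bits per chunk."""
    noisy_codeword = [a ^ s for a, s in zip(activation_code, startup)]
    return [1 if sum(noisy_codeword[i:i + REP]) > REP // 2 else 0
            for i in range(0, len(noisy_codeword), REP)]


def noisy_readout(startup):
    """Simulate a later power-up of the same device: one bit flips in every other chunk."""
    readout = startup[:]
    for i in range(0, len(readout), 2 * REP):
        readout[i] ^= 1
    return readout


if __name__ == "__main__":
    assert enroll([0] * 80) is None          # all-zero SRAM fails the quality check
    key, ac = enroll(DEVICE_A)
    print("same device  :", reconstruct(noisy_readout(DEVICE_A), ac) == key)  # True
    print("other device :", reconstruct(DEVICE_B, ac) == key)                # False
```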