5.1.1 Overbuild Protection During Module Maintenance

Note: If the old module is removed or erased from the M-HSM, unfinished programming jobs are not able to proceed.

For any jobs in progress, certain ticket information is stored inside the NVRAM of the HW module, which makes job tickets physically unclonable.

Module maintenance actions, such as module replacement, firmware upgrade, or erase, invalidate any unfinished jobs. The user must submit a new job to continue manufacturing. However, issuing a new job without proof of termination of the previous job(s) creates a potential overbuilding threat. To minimize this risk, before undertaking any such module maintenance action, all active job(s) must be terminated using the complete_prog_job Tcl command (see the Libero SoC/PolarFire FPGA Tcl Command Reference Guide). This job termination command generates a Job End Certifier that can be validated on the U-HSM. The certifier is protected by the HSM and cannot be modified, which assures the user that no further device programming is possible from the old job. Once the Job End Certifier has been validated by the user on the U-HSM, it is safe to issue a new job after maintenance is complete.