6.7.3.4 Zeroization

The devices have a built-in tamper response capability that can zeroize (clear and verify) any or all configuration storage elements according to the user's settings. Internal volatile memories such as LSRAMs, uSRAMs, and System Controller RAMs are cleared and verified. Once zeroization is complete, a zeroization certificate can be retrieved using a JTAG/SPI slave instruction to confirm that the zeroization process was successful. This tamper response is not available when the System Controller Suspend mode is enabled.

When zeroization is initiated, it always runs to completion, even if interrupted by a device reset or loss of power. To achieve this, a Zeroization-In-Progress (ZIP) flag is programmed at the start of zeroization. The ZIP flag is checked during device boot and, if set, the zeroization procedure is restarted or resumed. Upon completion of zeroization, the device generates a certificate proving that all the requested data has been erased. The certificate contains the device serial number, a digest of the zeroized memory, and a user nonce. The ZIP flag is cleared after generation of the certificate.

The user can monitor the built-in tamper detection flags or other system events and then decide to trigger one of the two types of built-in zeroization requests and zeroize the device. Zeroization is immune to the security lockdown response, which essentially means that asserting a security lockdown does not prevent zeroization from initiating or completing. Factory locks and user permanent locks are not affected by zeroization.

Zeroization is enabled and configured using the Tamper macro configurator as shown in Figure 3. During device operation, the zeroization action is initiated by asserting the Zeroize input on the Tamper macro HIGH. Zeroization can also be triggered through a JTAG or SPI slave instruction.

The PolarFire family has the following two zeroization modes (ZMODE):

  • 1 = Like New—All user data and keys are destroyed. The device is effectively returned to its original factory state, allowing it to be programmed like a new device.
  • 3 = Non Recoverable (Default)—All user data, user keys, factory keys, device certificate, and factory data are destroyed. Upon completion of zeroization in the Non Recoverable mode, the only allowed access to the device is retrieval of the zeroization certificate. The device may not otherwise be used again.
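The ZIP-flag sequencing described above (flag set before the first erase, cleared only after the certificate exists, checked on every boot) and the two ZMODE values, as an added simulation written for this page; it is not Microchip's implementation, and the segment names, the serial number, the nonce and the SHA-256 certificate digest are assumptions.

```python
import hashlib
from dataclasses import dataclass, field
LIKE_NEW, NON_RECOVERABLE = 1, 3
# Segments each ZMODE clears (assumed names). The factory lock and user permanent
# lock segments are in neither set: the text says zeroization does not affect them.
ZEROIZE_SETS = {
    LIKE_NEW: ["fpga", "user_lock", "pnvm", "snvm", "user_key"],
    NON_RECOVERABLE: ["fpga", "user_lock", "pnvm", "snvm", "user_key",
                      "factory_param", "factory_key"],
}
ALL_SEGMENTS = ["factory_lock", "perm_lock"] + ZEROIZE_SETS[NON_RECOVERABLE]
FILL = b"\xa5" * 4          # constructed non-zero contents of every segment
class PowerLoss(Exception): pass   # simulated reset or loss of power mid-zeroization
@dataclass
class Device:
    serial: str
    zmode: int = NON_RECOVERABLE
    nv: dict = field(default_factory=lambda: {s: FILL for s in ALL_SEGMENTS})
    zip_flag: bool = False   # Zeroization-In-Progress flag, non-volatile
    nonce: bytes = b""       # user nonce, stored non-volatile alongside the flag
    certificate: dict = None
    def zeroize(self, nonce, fail_after=None):
        """Tamper response: program ZIP before the first erase, then run."""
        self.nonce, self.zip_flag = nonce, True
        self._run(fail_after)
    def boot(self):
        """Boot path: a set ZIP flag means zeroization resumes before anything else."""
        if self.zip_flag:
            self._run(None)
    def _run(self, fail_after):
        for i, seg in enumerate(ZEROIZE_SETS[self.zmode]):
            if fail_after is not None and i >= fail_after:
                raise PowerLoss(seg)                 # inject the interruption here
            self.nv[seg] = bytes(len(FILL))          # clear the segment ...
            assert self.nv[seg] == bytes(len(FILL))  # ... and verify it
        digest = hashlib.sha256(b"".join(self.nv[s] for s in ZEROIZE_SETS[self.zmode]))
        self.certificate = {"serial": self.serial, "digest": digest.hexdigest(),
                            "nonce": self.nonce}
        self.zip_flag = False   # cleared only after the certificate exists
def interrupted_then_resumed(zmode, fail_after):
    """Start zeroization, lose power after `fail_after` erases, reboot and resume."""
    dev = Device("SN-EXAMPLE-0001", zmode)   # constructed serial number
    try:
        dev.zeroize(b"user-nonce", fail_after=fail_after)
    except PowerLoss:
        pass                                 # ZIP still set, no certificate yet
    dev.boot()
    return dev
```

Change `fail_after` to any step index and the outcome is the same: every segment in the mode's set ends up cleared, the lock segments are untouched, and the certificate exists before the flag is dropped.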

The following table lists the status of the various FPGA components during the two zeroization modes.

Table 6-8. Status of Various FPGA Components During the Two Zeroization Modes (1)

Component                                                   | Like New (zeroize user data and keys) | Non Recoverable (zeroize everything)
FPGA                                                        | ✓                                     | ✓
Factory Lock segment (re-configurable lock bit segment)     | X                                     | X
User Lock segment (re-configurable lock bit segment)        | ✓                                     | ✓
pNVM                                                        | ✓                                     | ✓
sNVM                                                        | ✓                                     | ✓
eNVM (2)                                                    | ✓                                     | ✓
User Permanent Lock Segment                                 | X                                     | X
Factory Parameter Segment                                   | X                                     | ✓
User Key                                                    | ✓                                     | ✓
Factory Key                                                 | X                                     | ✓

Note:
  1. ✓ = part of the zeroization process; X = not part of the zeroization process.
  2. For PolarFire SoC FPGA only.

Regardless of the security settings enabled in the Libero project, default or custom, and even when the Tamper macro is not included, the ZMODE is set to 3.

Libero Default Security: If the Tamper macro is added to a design using default security, then the ZMODE specified within the macro is applied, overwriting the default value.

Custom Security: ZMODE can only be set in the master programming file. If the master programming file does not contain the Tamper macro, the ZMODE is set to 3. Update images can be created with the Tamper macro; however, their ZMODE setting is ignored and the value set in the master file remains in effect. The only way to update the ZMODE setting is with a new master programming file that includes the Tamper macro.

Note:
  • The Tamper macro ZEROIZE mode is controlled by the security settings. The default ZEROIZE mode in the Tamper macro is Like New.
  • If the ZEROIZE mode is set to Like New in the Tamper macro and the device is programmed with custom security, the user can create an Update Image. If the ZEROIZE mode is set to Non Recoverable, the setting in the Update Image is ignored. To change the ZEROIZE mode, the Tamper macro must be modified and the device must be reprogrammed with a new master bitstream with custom security.