Provides write access to pages in the sNVM. Data can be stored as encrypted and authenticated ciphertext, authenticated plaintext, and non-authenticated plaintext.
For authenticated plaintext and authenticated ciphertext, the primary key is a 512-bit sNVM master key (SMK), of which 256 bits are allocated to authentication and 256 bits to encryption. The SMK is common to all sNVM pages. A 96-bit user-supplied key, the USK, is additionally used to authenticate the sNVM page content. The USK does not need to be stored on the device, but it must be presented to the sNVM read system service to retrieve the data correctly.
For crypto-enabled options, the System Controller uses AES-256 in synthetic initialization vector (SIV) mode, which supports authenticated encryption. In SIV mode, the initialization vector used for the encryption function is computed from the data, preventing initialization vector misuse, and doubles as the authentication tag. The computed 128-bit initialization vector is stored in the same page as the user data, reducing the available space for user data by 16 bytes compared to the non-authenticated plaintext-only option.
Besides the user-supplied plaintext data, both device families also submit additional metadata for authentication that effectively provides a “tweak” to the encryption and authentication functions. This metadata includes the page address and the page write counter. As a result, the ciphertext and the authentication tag differ even when the same data is written to two different sNVM pages, or when the same data is written to the same page again (since the page write counter advances).
The USK is a further element of the “tweak”. If the read command is issued without the same 96-bit USK that was used for the write command, authentication fails; the plaintext data is nevertheless still available in the fabric. The user can set this key differently for each page, for groups of pages, or use the same value for all pages, either as a secret key for added security or as an invalid value such as all zeroes if this feature is not needed.
sNVM modules marked as ROM cannot be overwritten by this service, and the service cannot be used to create ROM modules (write-protected pages). ROM is declared when a bitstream is generated, so a page's ROM status can be changed only with a new bitstream, not at run-time.
System Service Descriptor Bit Field | Value | Description |
---|---|---|
15:7 | MBOXADDR[10:2] | Mailbox address. See Table 2 and Table 3. |
6:0 | 10H | Non-authenticated plaintext service command |
6:0 | 11H | Authenticated plaintext service command |
6:0 | 12H | Authenticated ciphertext service command |
The following table lists the Secure NVM Write Service Mailbox Format for Non-authenticated plaintext (10H).
Offset | Length (bytes) | Parameter | Direction | Description |
---|---|---|---|---|
0 | 1 | SNVMADDR | Input | sNVM address |
1 | 3 | RESERVED | Reserved | |
4 | 252 | DATA | Input | Data to write to sNVM |
The following table lists the Secure NVM Write Service Mailbox Format for authenticated plaintext (11H) and Authenticated ciphertext (12H).
Offset | Length (bytes) | Parameter | Direction | Description |
---|---|---|---|---|
0 | 1 | SNVMADDR | Input | sNVM address |
1 | 3 | RESERVED | Reserved | |
4 | 236 | DATA | Input | Data to write to sNVM |
240 | 12 | USK | Input | User Secret Key |
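The descriptor bit field and the two mailbox layouts above, assembled in C as an added example (this is not Microchip driver code). The function names, the zero-padding of short data and the sample bytes are this example's own assumptions; the offsets, lengths and command codes are the ones in the tables.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SNVM_CMD_PLAINTEXT       0x10u /* non-authenticated plaintext */
#define SNVM_CMD_AUTH_PLAINTEXT  0x11u /* authenticated plaintext */
#define SNVM_CMD_AUTH_CIPHERTEXT 0x12u /* authenticated ciphertext */
#define SNVM_MAILBOX_LEN    252u /* bytes of mailbox payload per page write */
#define SNVM_DATA_LEN_PLAIN 252u /* 10H: the whole payload is user data */
#define SNVM_DATA_LEN_AUTH  236u /* 11H/12H: 16 bytes of the page hold the IV/tag */
#define SNVM_USK_OFFSET     240u
#define SNVM_USK_LEN         12u /* 96-bit user secret key */

/* Descriptor word: bits 15:7 carry MBOXADDR[10:2], bits 6:0 the command code. */
uint16_t snvm_build_descriptor(uint16_t mbox_addr, uint8_t cmd)
{
    return (uint16_t)((((mbox_addr >> 2) & 0x1FFu) << 7) | (cmd & 0x7Fu));
}

/* Lays out the mailbox for one write and returns 0, or -1 when the request
 * does not fit the format: unknown command, data longer than the option allows
 * (it would overlap the IV/tag or USK field), or an authenticated option without
 * a USK. Short data is zero-padded (an assumption of this example). */
int snvm_build_mailbox(uint8_t mbox[SNVM_MAILBOX_LEN], uint8_t cmd, uint8_t snvm_addr,
                       const uint8_t *data, size_t data_len, const uint8_t *usk)
{
    int auth = (cmd == SNVM_CMD_AUTH_PLAINTEXT || cmd == SNVM_CMD_AUTH_CIPHERTEXT);
    if (!auth && cmd != SNVM_CMD_PLAINTEXT) return -1;
    if (data_len > (auth ? SNVM_DATA_LEN_AUTH : SNVM_DATA_LEN_PLAIN)) return -1;
    if (auth && usk == NULL) return -1;
    memset(mbox, 0, SNVM_MAILBOX_LEN);  /* RESERVED bytes 1..3 stay zero */
    mbox[0] = snvm_addr;                /* SNVMADDR */
    memcpy(&mbox[4], data, data_len);   /* DATA */
    if (auth) memcpy(&mbox[SNVM_USK_OFFSET], usk, SNVM_USK_LEN); /* USK */
    return 0;
}

/* Constructed sample input for the demo below, not values from the page. */
static const uint8_t sample_data[4] = { 0xDE, 0xAD, 0xBE, 0xEF };
static const uint8_t sample_usk[SNVM_USK_LEN] = { 1,2,3,4,5,6,7,8,9,10,11,12 };

int main(void)
{
    uint8_t mbox[SNVM_MAILBOX_LEN];
    int rc = snvm_build_mailbox(mbox, SNVM_CMD_AUTH_CIPHERTEXT, 0x05,
                                sample_data, sizeof sample_data, sample_usk);
    printf("rc=%d descriptor=0x%04X usk_byte0=0x%02X\n", rc,
           snvm_build_descriptor(0x0004, SNVM_CMD_AUTH_CIPHERTEXT), mbox[SNVM_USK_OFFSET]);
    return rc == 0 ? 0 : 1;
}
```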