During device operation, the ownership of the User Cryptoprocessor can be switched between MSS and Fabric through a handshake interface. The handshake interface is asynchronous with synchronizers inside the MSS as required. The switching is not dynamic, and the handover requires co-operation between the MSS and Fabric design to ensure a secure handover. Assuming the fabric is initially the master, the ownership switching happens as follows:
The same occurs in the opposite direction.
In the Shared-MSS mode, the Cryptoprocessor is initially connected to the MSS, and may be requested by the Fabric. In the Shared-Fabric mode, the Cryptoprocessor is initially connected to the Fabric, and may be requested by the MSS. The following table lists the handshake interface ports:
Port Name | Direction | Description |
---|---|---|
CRYPTO_REQUEST_F2M | Fabric to MSS | Fabric requests or is using the Cryptoprocessor |
CRYPTO_MSS_REQUEST_M2F | MSS to Fabric | MSS requests or is using the Cryptoprocessor |
CRYPTO_RELEASE_F2M | Fabric to MSS | Fabric released the Cryptoprocessor |
CRYPTO_MSS_RELEASE_M2F | MSS to Fabric | MSS released the Cryptoprocessor |
CRYPTO_OWNER_M2F | MSS to Fabric | Indicates that the Fabric owns the Cryptoprocessor and the fabric interface is enabled |
CRYPTO_MSS_OWNER_M2F | MSS to Fabric | Indicates that the MSS owns the Cryptoprocessor and the fabric interface is disabled |
All the preceding signals should be considered asynchronous to the fabric design, and appropriate synchronization should be used in the fabric design. Within the MSS, the FSM controlling this interface runs off the System Controller clock (80 MHz) and all inputs are synchronized. The following figure shows the Cryptoprocessor ownership FSM.
When the Cryptoprocessor is disabled, the ownership FSM stays in the reset state. Before handing over ownership, that is, before asserting the release signals, it is recommended that the current owner purges the Cryptoprocessor to prevent sensitive data from being accidentally released to the other system.
The MSS has no notification that the Fabric is requesting the use of the Cryptoprocessor. The fabric design should therefore also connect its request signal to one of the general-purpose F2M (fabric to MSS) interrupt signals so that the MSS is informed of the request and can take the required actions to release the Cryptoprocessor to the fabric.
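The two recommendations above (purge before release, and route the fabric request to an F2M interrupt) can be checked with a small behavioural model. This is an added example, not vendor code: the signal names come from the port table, while the transition rule, the `key_ram` buffer and all function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Behavioural model, not device code. Signal names follow the port table;
 * the transition rule, the purge step and key_ram are assumptions. */
enum owner { OWNER_MSS, OWNER_FABRIC };
struct crypto_model {
    enum owner owner;      /* CRYPTO_MSS_OWNER_M2F / CRYPTO_OWNER_M2F */
    bool request_f2m;      /* CRYPTO_REQUEST_F2M */
    bool mss_release_m2f;  /* CRYPTO_MSS_RELEASE_M2F */
    bool f2m_irq_pending;  /* request mirrored onto an F2M interrupt */
    uint8_t key_ram[16];   /* stand-in for Cryptoprocessor internal state */
};
/* Fabric side: the MSS only learns of the request if it is also wired to an F2M interrupt. */
static void fabric_request(struct crypto_model *m, bool irq_wired) {
    m->request_f2m = true;
    m->f2m_irq_pending = irq_wired;
}
/* MSS side: interrupt handler that (optionally) purges, then asserts release. */
static void mss_irq_handler(struct crypto_model *m, bool purge_first) {
    if (!m->f2m_irq_pending || m->owner != OWNER_MSS) return;
    m->f2m_irq_pending = false;
    if (purge_first) memset(m->key_ram, 0, sizeof m->key_ram);
    m->mss_release_m2f = true;
}

/* Assumed FSM rule: ownership moves only when request and release are both set. */
static void fsm_step(struct crypto_model *m) {
    if (m->owner == OWNER_MSS && m->request_f2m && m->mss_release_m2f) {
        m->owner = OWNER_FABRIC;
        m->mss_release_m2f = false;
    }
}

/* Returns the non-zero bytes left for the new owner, or -1 if no handover occurred. */
int residual_after_handover(bool irq_wired, bool purge_first) {
    struct crypto_model m = { .owner = OWNER_MSS };
    int leaked = 0;
    memset(m.key_ram, 0xA5, sizeof m.key_ram);  /* constructed "sensitive" state */
    fabric_request(&m, irq_wired);
    fsm_step(&m);                     /* a request alone must not move ownership */
    if (m.owner != OWNER_MSS) return -1;
    mss_irq_handler(&m, purge_first);
    fsm_step(&m);
    if (m.owner != OWNER_FABRIC) return -1;
    for (size_t i = 0; i < sizeof m.key_ram; i++) leaked += (m.key_ram[i] != 0);
    return leaked;
}
int main(void) { return residual_after_handover(true, true) == 0 ? 0 : 1; }
```

In the model, skipping the purge leaves all 16 bytes readable by the new owner, and leaving the interrupt unwired means the handover never completes.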