User Passcode Keys (UPK1 and UPK2)

The user passcode key 1 (UPK1), also known as the FlashLock passcode, is the primary user passcode. When the user matches it, it unlocks the majority of non-permanent user-defined locks. The user passcode key 2 (UPK2) is the secondary user passcode protecting the secondary user key segment, which contains UPK2 and UEK2. Matching UPK2 allows UPK2 itself or UEK2 to be overwritten. UPK1 and UPK2 can each be matched in one of three ways: using the plaintext, using the one-time-use passcode protocol, or using the one-way passcode protocol (for PolarFire SoC FPGA only).

These passcodes are loaded along with the other user keys using an encrypted bitstream, and are stored in the user key segments of pNVM. Passcodes are never used for encryption. They are used only for escalating privileges during the session when the passcode is matched successfully. The privilege escalation provided by UPK1 or UPK2 stays in effect only until the device is reset or power cycled.

Figure 1. User Passcode Keys—UPK1 and UPK2