Zeroization

The devices have a built-in tamper response capability that can zeroize (clear and verify) any or all configuration storage elements as per the user setting. Internal volatile memories such as LSRAMs, uSRAMs, and System Controller RAMs are cleared and verified. Once the zeroization is complete, a zeroization certificate can be retrieved using a JTAG/SPI slave instruction to confirm that the zeroization process is successful. This tamper response is not available when the System Controller Suspend mode is enabled.

When zeroization is initiated, it always runs to completion, even if interrupted by a device reset or loss of power. To achieve this, a Zeroization-In-Progress (ZIP) flag is programmed at the start of zeroization. The ZIP flag is checked during device boot and, if set, the zeroization procedure is restarted or resumed. Upon completion of zeroization, the device generates a certificate proving that all the requested data has been erased. The certificate contains the device serial number, a digest of the zeroized memory, and a user nonce. The ZIP flag is cleared after generation of the certificate.
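The run-to-completion behaviour described above, as an added Python model (not vendor code and not the device's actual implementation). The segment names, the SHA-256 digest, the dict-shaped certificate, and persistent storage of the nonce are assumptions, since the page specifies none of them.

```python
import contextlib, hashlib

class PowerLoss(Exception): pass   # constructed fault: reset or power loss mid-run

def digest_of(segments):
    # SHA-256 over segments in name order (assumed; the page names no algorithm).
    return hashlib.sha256(b"".join(segments[n] for n in sorted(segments))).digest()

class Device:
    def __init__(self, serial, segments):
        self.serial, self.nv = serial, dict(segments)   # segment names are illustrative
        self.zip_flag = False      # persistent Zeroization-In-Progress flag
        self.nonce = None          # kept across resets with the request (assumption)
        self.certificate = None

    def request_zeroize(self, nonce, fail_after=None):
        self.zip_flag, self.nonce = True, nonce   # flag is set before anything is cleared
        return self._zeroize(fail_after)

    def boot(self):
        return self._zeroize(None) if self.zip_flag else self.certificate  # boot-time check

    def _zeroize(self, fail_after):
        for done, name in enumerate(sorted(self.nv)):
            if done == fail_after:
                raise PowerLoss(name)
            self.nv[name] = bytes(len(self.nv[name]))   # clear
            if any(self.nv[name]):                      # verify
                raise RuntimeError("verify failed: " + name)
        self.certificate = {"serial": self.serial, "digest": digest_of(self.nv),
                            "nonce": self.nonce}
        self.zip_flag = False      # cleared only once the certificate exists
        return self.certificate

def verify_certificate(cert, serial, nonce, sizes):
    # Verifier side: the expected digest is that of all-zero segments of known size.
    expected = digest_of({n: bytes(k) for n, k in sizes.items()})
    return (cert is not None and cert["serial"] == serial
            and cert["nonce"] == nonce and cert["digest"] == expected)

def demo():
    dev = Device(b"SN-CONSTRUCTED", {"fabric": b"\x33" * 128, "snvm": b"\x22" * 64,
                                     "user_key": b"\x11" * 32})
    sizes = {n: len(v) for n, v in dev.nv.items()}
    with contextlib.suppress(PowerLoss):
        dev.request_zeroize(b"fresh-nonce", fail_after=1)   # interrupted after one segment
    mid = (dev.zip_flag, dev.certificate is None, any(dev.nv["user_key"]))
    cert = dev.boot()                                       # resumes because the flag is set
    return (mid, dev.zip_flag, verify_certificate(cert, dev.serial, b"fresh-nonce", sizes),
            verify_certificate(cert, dev.serial, b"old-nonce", sizes))
```

In this model, the interrupted run leaves the flag set with no certificate and the key segment still populated. The next boot finishes the job, and only a certificate carrying the verifier's own nonce is accepted.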

The user can monitor the built-in tamper detection flags or other system events and then decide to trigger one of the two types of built-in zeroization requests and zeroize the device. Zeroization is immune to the security lockdown response, which essentially means that asserting a security lockdown does not prevent zeroization from initiating or completing. Factory locks and user permanent locks are not affected by zeroization.

Zeroization is enabled and configured using the Tamper macro configurator as shown in Figure 2. During device operation, the zeroization action is initiated by asserting the Zeroize input on the Tamper macro HIGH. Zeroization can also be triggered through a JTAG or SPI slave instruction.

Both device families have the following two zeroization modes (ZMODE):

The following table lists the status of the various FPGA components during the two zeroization modes.

Table 1. Status of Various FPGA Components During the Two Zeroization Modes (1)
      Factory and User Re-configurable Lock Bit Segment pNVM sNVM eNVM (2)   
Zeroization Modes Description FPGA Factory Lock segment User Lock segment User Permanent Lock Segment Factory Parameter Segment User Key Factory Key    
Like New Zeroize user data and keys X X X X
Non Recoverable Zeroize everything X X
Notes:
  1. ✓ – part of zeroization process and X – not part of zeroization process.
  2. For PolarFire SoC FPGA only.

Regardless of the security settings enabled in the Libero project, default or custom, even without the Tamper macro included, the ZMODE is set to 3.

Libero Default Security: If the Tamper macro is added to a design using default security, then the ZMODE specified within the macro is applied, overwriting the default value.

Custom Security: ZMODE can only be set in the master programming file. If the master programming file does not contain the Tamper macro, the ZMODE is set to 3. Update images can be created with the Tamper macro; however, their ZMODE setting is ignored and the ZMODE remains at the default value set in the master file. The only method to update the ZMODE settings is with a new master programming file, which includes the Tamper macro.

Notes: