Zeroization Flow

The zeroization procedure in both device families includes several erase and programming operations to reduce any data remnants in the flash array to undetectable levels (a process known as “scrubbing”). Once zeroization is initiated, it always runs to completion, even if interrupted by a device reset or loss of power.

After a zeroization request is activated from the fabric, JTAG, or SPI slave, the system controller programs a Zeroization-In-Progress (ZIP) flag that acts as a status flag during the zeroization process. The ZIP flag is checked during device boot and, if set, the zeroization procedure is restarted or resumed. The ZIP flag is cleared only after successful completion of the zeroization procedure, which involves both scrubbing of the non-volatile memories and verification of the scrubbing. If verification fails, the zeroization procedure is re-executed until verification passes. The zeroization flow is shown in the following figure.

Once zeroization is complete, the zeroization certificate (proof of zeroization) can be read from the device through the JTAG or SPI slave interfaces in response to a challenge from the user, proving that the response is fresh and not just replayed from another device or time.

Figure 1. Zeroization Flow
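The flow described above can be modeled in C as follows. This is an added example, not the device's firmware or the vendor's code. All names (`nvm_t`, `scrub`, `verify`, `zeroize_request`, `boot`), the `budget` parameter that stands in for remaining power, and the injected erase fault on word 3 are assumptions, and the model restarts scrubbing from the beginning rather than resuming.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define WORDS 16
#define ERASED 0xFFu

/* Constructed model of state that survives reset and power loss. */
typedef struct {
    bool zip;              /* Zeroization-In-Progress flag */
    uint8_t flash[WORDS];  /* stand-in for the flash array */
    int stuck;             /* scrub passes in which word 3 fails to erase */
    int passes;            /* completed scrub passes, for inspection */
} nvm_t;

/* One scrub pass. *budget models remaining power; false means interrupted. */
static bool scrub(nvm_t *n, int *budget) {
    for (int i = 0; i < WORDS; i++) {
        if ((*budget)-- <= 0) return false;
        if (i == 3 && n->stuck > 0) { n->stuck--; continue; } /* injected fault */
        n->flash[i] = 0x00; n->flash[i] = ERASED;  /* program, then erase */
    }
    n->passes++;
    return true;
}

static bool verify(const nvm_t *n) {
    for (int i = 0; i < WORDS; i++)
        if (n->flash[i] != ERASED) return false;
    return true;
}

/* Scrub and verify until verification passes; only then clear ZIP. */
static bool zeroize_run(nvm_t *n, int budget) {
    while (n->zip) {
        if (!scrub(n, &budget)) return false;  /* interrupted: ZIP stays set */
        if (verify(n)) n->zip = false;
    }
    return true;
}
/* Request path programs the flag before scrubbing; boot path re-enters if set. */
bool zeroize_request(nvm_t *n, int budget) { n->zip = true; return zeroize_run(n, budget); }
bool boot(nvm_t *n, int budget) { return n->zip ? zeroize_run(n, budget) : true; }

int main(void) {
    nvm_t n = { .zip = false, .stuck = 2, .passes = 0 };
    memset(n.flash, 0xA5, sizeof n.flash);  /* constructed "secret" contents */
    zeroize_request(&n, 5);                 /* power lost after 5 words */
    boot(&n, 100);                          /* ZIP was set, so scrubbing re-runs */
    return printf("zip=%d passes=%d\n", n.zip, n.passes) < 0;
}
```

Because the flag is written before the first erase and cleared only after a passing verification, every interruption point leaves the device in a state that the next boot routes back into scrubbing.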