I appreciate this is a very generic question, but as I'm at the moment with only a small handful of devices that I play around with, I want to gather as much information as possible before I actually start trying to encrypt the images and devices so that I know how much I can 'push' whilst before I actually get locked out (OTP burn) from accessing or modifying key parts of the device. I hope it's ok to post such a question here, but if you think it is best for me to raise a ticket on the topic instead, please let me know :)
All questions are related to the steps that should be taken on a production line
- 1- When a XMOS (XU316) device is still 'virgin', is there any information that is unique to the SoC that would be recommended to be stored (some UUID, usb serial number or some sort) prior to any flashing?
- 2- If the tool version, v15.3, was used to generate the factory image, once new XTC tool versions are released, should the latest versions be used to generate the upgrade files? Or should we keep using the same version, v15.3?
- 3- How to generate a 'factory image' file that is encrypted with the same keys as the OTP memory? Would it just be:
- xflash --id <id> --target-file target.xn --write-all image-file ?
- or
- xburn --target-file target.xn --lock keyfile -o aes-image.otp ?
- 4- How to generate an 'upgrade image' file that is encrypted with the same keys as the OTP memory? Would it just be:
- xflash a.xe -key keyfile -o image-file ?
- 5- Since the OTP can only be burnt once, how can we write/burn the OTP memory and include the xCore AES module as well as a device-unique ID?
Would this be the command to write to the OTP memory to include the xCore AES Module: xburn --id <id> --lock keyfile --target-file target.xn \
--enable-jtag --disable-master-lock ?
- 6- Can a device have the image flashed encrypted without the OTP memory being blown (and therefore losing access to JTAG and OTP writes)?
- On the documentation we have the following statements, to which I would appreciate some clarification:
- "Once the AES Module is programmed, the OTP security bits are blown" -> To my understanding, this would mean that once we prepare the device to be flashed with a AES encrypted image, the OTP memory will be blown
- "You can activate the AES Module at any time during development or device manufacture. In a development environment, you can activate the module but leave the security bits unset" -> To my understanding, this will still allow JTAG access for xflash, xburn, etc.
- Is the JTAG access only locked/lost once this command is written: xburn --id <id> --target-file target.xn --disable-jtag --enable-master-lock ?
- Is there a way to unlock it?
- On the documentation we have the following statements, to which I would appreciate some clarification:
In terms of the steps that are required in order to have in order to ship out a sample that is secure and updatable, would these be the recommended steps to follow?
- 1- Generate AES keys
- 2- Generate factory image with AES keys
- 3- Program OTP with xCore AES module
- 4- Flash the flash with encrypted factory image + unique device ID
- 5- Ready for user shipping?
Apologies for such a long question and thank you in advance!
