Commit be7a57b

[DOC] Add connectivity requirements of trace ports and explain on-die osc requirement (#1165)
* Document security requirements of unvalidated trace ports

  Added warning about unvalidated RISC-V trace ports and their potential security risks.

* Clarify risks of unvalidated RISC-V trace ports

  Updated wording to clarify the risks associated with unvalidated trace ports and their implications for SoC logic.

* Clarify rationale for clock source requirement

  Added a note about protecting against clock fault injection or clock stretching attacks.

* Fix a typo
1 parent b9fe50c commit be7a57b

File tree

1 file changed

+3
-1
lines changed

docs/CaliptraIntegrationSpecification.md

Lines changed: 3 additions & 1 deletion
@@ -198,6 +198,7 @@ The table below details the interface required for each SRAM. Driver direction i
198198
| jtag_tdo | 1 | Output | Synchronous to jtag_tck | |
199199

200200
*Table 10: RISC-V Trace interface*
201+
Trace ports have been directly connected from Caliptra's instance of the VeeR-EL2 RISC-V core to the top-level. However, use of these ports has not been validated. Integrators shall leave these ports unconnected. Support for these ports may be added in a future release.
201202
| Signal name | Width | Driver | Synchronous (as viewed from Caliptra’s boundary) | Description |
202203
| :--------- | :--------- | :--------- | :--------- | :--------- |
203204
| trace_rv_i_insn_ip | 32 | Output | Synchronous to clk | Trace signals from Caliptra RV core instance. Refer to VeeR documentation for more details. |
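Review bot: the new paragraph at line 201 is inserted between the caption `*Table 10: RISC-V Trace interface*` and the table it labels, so in the rendered Markdown the caption no longer sits next to its table. Move the paragraph above the caption (or below the end of the trace table) so the caption and table stay together. The wording itself is consistent with the DFD row added later in this commit ("shall leave these ports unconnected"), which is good; consider also stating that these are output-only ports so integrators know that leaving them unconnected creates no floating-input concern.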
@@ -899,6 +900,7 @@ For additional information, see [Caliptra assets and threats](https://github.com
899900
| CSR HMAC Key | SoC backend flows should not insert CSR signing key flops into the scan chain. | Statement of conformance | Required by Caliptra threat model |
900901
| DFT | Before scan is enabled (separate signal that SoC implements on scan insertion), SoC shall set Caliptra's scan\_mode indication to '1 for 5,000 clocks to allow secrets/assets to be flushed. | Statement of conformance | Required by Caliptra threat model |
901902
| DFT | Caliptra’s TAP should be a TAP endpoint. | Statement of conformance | Functional requirement |
903+
| DFD | Integrators shall not connect Caliptra's exposed RISC-V trace ports to any SoC logic. These ports are unvalidated and any implications to the SoC logic due to connecting these signals have not been analyzed. | Synthesis report | Required for Caliptra threat model |
902904
| Mailbox | SoC shall provide an access path between the mailbox and the application CPU complex on SoCs with such complexes (for example, Host CPUs and Smart NICs). See the [Sender Protocol](#sender-protocol) section for details about error conditions. | Statement of conformance | Required for Project Kirkland and TDISP TSM |
903905
| Fuses | SoC shall burn non-field fuses during manufacturing. Required vs. optional fuses are listed in the architectural specification. | Test on silicon | Required for UDS threat model |
904906
| Fuses | SoC shall expose an interface for burning field fuses. Protection of this interface is the SoC vendor’s responsibility. | Test on silicon | Required for Field Entropy |
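Review bot: the new DFD row uses "Synthesis report" as its verification method while the neighbouring DFT rows use "Statement of conformance"; if a synthesis report is the intended evidence (for example, showing the trace outputs as unloaded), it would help to say what the report must demonstrate, otherwise align it with the other rows. The row also does not name the ports it covers; a reference to Table 10 (the RISC-V Trace interface table) would let integrators find the exact `trace_rv_*` signals. Minor: the last column reads "Required for Caliptra threat model" whereas the adjacent DFT rows read "Required by Caliptra threat model"; both forms already exist in the table, but new rows could follow one of them consistently.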
@@ -915,7 +917,7 @@ For additional information, see [Caliptra assets and threats](https://github.com
915917
| Resets and Clocks | After asserting cptra\_pwrgood, SoC shall wait for a minimum of 10 clock cycles before deasserting cptra\_rst\_b. | Statement of conformance | Functional |
916918
| Resets and Clocks | SoC reset logic shall assume reset assertions are asynchronous and deassertions are synchronous. | Statement of conformance | Functional |
917919
| Resets and Clocks | SoC shall ensure Caliptra's powergood is tied to SoC’s own powergood or any other reset that triggers SoC’s cold boot flow. | Statement of conformance | Required for Caliptra threat model |
918-
| Resets and Clocks | SoC shall ensure Caliptra clock is derived from an on-die oscillator circuit. | Statement of conformance | Required for Caliptra threat model |
920+
| Resets and Clocks | SoC shall ensure Caliptra clock is derived from an on-die oscillator circuit. This is to protect against clock fault injection or clock stretching attacks. | Statement of conformance | Required for Caliptra threat model |
919921
| Resets and Clocks | SoC shall ensure that any programmable Caliptra clock controls are restricted to the SoC Manager. | Statement of conformance | Required for Caliptra threat model |
920922
| Resets and Clocks | SoC should defend against external clock stop attacks. | Statement of conformance | Required for Caliptra threat model |
921923
| Resets and Clocks | SoC should defend against external clock glitching attacks. | Statement of conformance | Required for Caliptra threat model |
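Review bot: the rationale added to the on-die oscillator row names "clock fault injection or clock stretching attacks", while the two rows a few lines below refer to "external clock stop attacks" and "external clock glitching attacks"; use one set of terms (or cross-reference those rows) so readers can see that the on-die oscillator requirement is the mechanism behind the later "should defend" rows rather than a separate threat. It would also help to note that the oscillator row is a "shall" and the defend-against rows are "should", so integrators understand which part is mandatory.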
