SE Anti-Rollback OTP Bit Consumption#
Introduction#
Series 3 devices introduce the use of external flash, which requires special attention to maintain device security. Because external flash can be more susceptible to modification, it introduces new challenges to protecting sensitive information stored outside the device. The SE's Multiple Time Programmable (MTP) memory helps mitigate these risks by preventing security settings from being reverted to earlier, potentially less secure states.
The SE MTP is a memory region within the SE that records the completion of certain security-related operations. This ensures the device cannot be rolled back to a previous, less secure configuration. Each time the SE’s MTP is updated, its Anti-Rollback SE OTP bit counter increments, preventing the MTP from being restored to an earlier version.
End of Life (EOL) Lifecycle Phase#
The SE OTP counter is at least 2 kB in size (~16k bits) and may be allowed to overflow into the next available SE OTP region if space permits. However, once all available OTP space is exhausted, the device enters an EOL (End of Life) state. This means any operation that would require the OTP counter to be incremented, including SE, Bootloader, or Application FW updates will not be able to be performed. A list of operations that consume SE OTP Bits is listed in the table below.
Note: Simplicity Commander will return a number of OTP bits consumed and remaining on devices through the command:
commander security otprollbackcountNumber of used OTP rollback bits: 9
Number of remaining OTP rollback bits: 65526
DONEReducing OTP Bit Consumption in Development Devices#
The following commands prevent OTP bits from being consumed, but should be used in a development setting only. While these commands will slow the consumption of OTP bits in development devices, OTP consumption will still occur; therefore, OTP exhaustion remains possible even when these commands are used.
Closing a Code Region#
When using Simplicity Commander, code regions are closed automatically when using the commander flash command. To avoid closing a code region when running this command, a user can specify the --noclose flag during flashing, which will leave the region open. This option is only intended for use to prevent exhaustion of OTP bits on development devices when continuous re-flashing is done.
commander flash example.hex --noclose -d sixg301Parsing file example.hex...
Writing 168756 bytes starting at address 0x01000000
Erasing range 0x01000000 - 0x01007FFF (1 sector, 32 KB)
Erasing range 0x01008000 - 0x010B7FFF (1 sector, 704 KB)
Programming range 0x01000000 - 0x01001FFF (8 KB)
...
Programming range 0x010B6000 - 0x010B7FFF (8 KB)
Flashing completed successfully!
DONENote: Closing a code region is a prerequisite for Secure Boot, as it enables the SE to access Region 0 to perform signature validation on the bootloader firmware. Therefore, on development devices with secure boot enabled, code regions must be closed in order for firmware to be executed by the SE.
Skip IV Rolling#
In order to avoid resource exhaustion on development devices with AXiP or EXiP enabled, the transition to development command (also referred to as the Skip IV Roll command) can be used to issue a one-time command which will enforce the same IV to be used for the lifetime of the device. As this flag is enabled in OTP, this setting cannot be reversed once enabled. Devices with this option set must only be used for development purposes. Once Skip IV Rolling is enabled, devices should be considered non-secure and should not enter production, as reusing IVs on devices in the field can introduce vulnerabilities which could lead to data confidentiality being impacted. When this option is not set, IVs will continue to be rolled on each flash erase, which will maintain security of the encrypted data. For more details on AXiP and EXiP, refer to AN1509.
commander security transitiontodevelopment -d sixg301 ================================================================================
THIS IS A ONE-TIME command which permanently changes the security properties of the device.
Once done, the device permanently uses the same IV for encryption of flash, which is not
secure (using the same IV and same key can lead to exposure of the encrypted data).
This should only be enabled on development devices to prevent exhausting OTP rollback
bits after repeated flash/erase cycles.
Type 'continue' and hit enter to proceed or Ctrl-C to abort:
================================================================================
continue
The device has been permanently transitioned to NOT SECURE development mode
DONESources of OTP Bit Consumption#
SE OTP bits are consumed regardless of if these operations are implemented via a DCI command or a SE Manager API.
Number of OTP Bits | Operation | Notes |
|---|---|---|
1 bit | Erasing a Code Region | During an erase of a code region, the code region is opened and a new IV is generated, consuming one SE OTP bit per erased code region. If an erase of a code region is performed during a "flash" procedure, more than 1 SE OTP bit may be consumed. For Commander 1.22.0 and earlier, if the region is larger than 128kB, the memory region will be erased in multiple 128kB partitions of memory, consuming one SE OTP bit per 128kB partition of memory that is erased. As of Commander 1.22.1, the maximum erase block size has been increased from 128 kB to 2 MB. If the device has disabled IV rolling through the use of the commander |
1 bit | Closing a Code Region | When the code region lockbit is enabled, indicating the code region is closed, one SE OTP bit is consumed. By default, commander will close a code region automatically as part of the flash command. If the device uses the |
1 bit | Configuring Code Regions | Each time the code region configuration is updated, one SE OTP bit will be consumed. Code region configuration can only be done on open code regions. Any closed code regions must be opened before configuration can begin, which will incur SE OTP bit consumption due to opening/erasing the code regions. |
3 bits total | SE Firmware Upgrade | Each time the SE Firmware upgrade process is initiated and completed, three total SE OTP bits will be consumed. One bit will be consumed when initiating the upgrade, one when rolling the IV for the region, and one when the upgrade is completed. If the SE FW Upgrade Image is flashed directly to the device, overwriting other FW in user flash space, the flash space will need to be erased before reprogrammed, incurring the erase SE OTP bit consumption. If the SE FW Upgrade Image is OTA-ed, these additional erase steps do not apply. Note: The number of SE OTP bits consumed during an SE FW upgrade may increase in the future, if necessary. |
3 bits total | Host Firmware Upgrade (Second Stage Bootloader Upgrade) | Each time the Host Firmware upgrade process is initiated and completed, three total SE OTP bits will be consumed. One bit will be consumed when initiating the upgrade, one when rolling the IV for the region when AXiP or EXiP are enabled, and one when the upgrade is completed. |
1 bit | Host Firmware Anti-Rollback Increment | When the Host Firmware version is incremented during a Host Firmware Upgrade or through directly flashing a bootloader image with a higher version, one SE OTP bit is consumed. This only applies to devices with Secure Boot enabled. |
1 bit | Disable Device Erase | Disabling device erase consumes one SE OTP Bit. This is a one time command, and cannot be disabled. |
1 bit | Secure Debug Enable/Disable | Enabling or Disabling the Secure Debug feature consumes one SE OTP bit per operation. |
1 bit | Secure Debug Lock | Applying a Secure Debug lock (where the device can only be unlocked using authorization) consumes one SE OTP bit. |
1 bit | Write to User Data Space in SE MTP | Each write to user data space consumes one SE OTP bit. This user data space is the location within SE MTP. |
1 bit | Write/Erase of Static Tokens | Each write or erase of a static token consumes one SE OTP bit per operation. Note: Currently, a 100 write limit is placed on tokens. There is no separate counter to track the number of token writes performed. |
1 bit | GBL Bundle Version Storage | Storing the GBL bundle version in SE MTP for rollback protection of GBL upgrade images consumes one SE OTP bit. |