Considerations for Development Devices
When developing with AXiP or EXiP-enabled devices, certain considerations must be taken into account. Specifically, SE OTP bits are consumed each time an IV is generated and when a code region is closed. This occurs because each of these operations triggers an update to the SE MTP memory. The OTP bits serve to prevent rollback attacks by ensuring that the SE MTP cannot be reverted to a previous state.
By default, IVs are regenerated each time a code region is erased to prepare the region for reprogramming. Additionally, flashing a firmware image using Simplicity Commander automatically triggers the closure of the associated code region. During development, where devices are frequently flashed and erased, this default behavior can lead to exhaustion of SE OTP memory.
The SE OTP counter is at least 2 kB in size and may be allowed to overflow into the next available OTP region if space permits. However, once all available OTP space is exhausted, the device enters an EOL (End of Life) state and can no longer be reflashed. This section outlines best practices to avoid SE OTP exhaustion during development.
Reading SE OTP Count
The current number of OTP bits consumed can be read with the following command. Once SE OTP is consumed, the device will enter an EOL state. In this state, requested operations such as reflashing a device cannot be carried out.
commander security otprollbackcount -d sixg301
Number of used OTP rollback bits: 9
DONE
Skip Closing a Code Region
When using Simplicity Commander, code regions are closed automatically when using the commander flash command. To avoid closing a code region when running this command, a user can specify the --noclose flag, which will leave the region open. This option is only intended for use to prevent exhaustion of OTP bits on development devices when continuous reflashing is done.
Note: Closing a code region is a prerequisite for Secure Boot, as it enables the SE to access Region 0 to perform signature validation on the bootloader firmware. Therefore, on development devices with secure boot enabled, code regions must be closed in order for firmware to be executed by the SE.
commander flash example.hex --noclose -d sixg301
Parsing file example.hex...
Writing 168756 bytes starting at address 0x01000000
Erasing range 0x01000000 - 0x01007FFF (1 sector, 32 KB)
Erasing range 0x01008000 - 0x010B7FFF (1 sector, 704 KB)
Programming range 0x01000000 - 0x01001FFF (8 KB)
...
Programming range 0x010B6000 - 0x010B7FFF (8 KB)
Flashing completed successfully!
DONE
On production devices, a code region must be closed after firmware programming to prevent further modification of the region. This can be done through the flashing command, without specifying the --noclose flag, or through a standalone DCI command in Simplicity Commander, shown in Closing a Code Region.
Transition to Development Device Command
To avoid resource exhaustion on development devices due to IV rolling, the transition to development command (also referred to as the Skip IV Roll command) can be issued once to force the same IV to be used for the lifetime of the device. Because this flag is set in OTP, the setting cannot be reversed once enabled. Devices with this option set must only be used for development purposes. Once Skip IV Rolling is enabled, devices should be considered non-secure and should not enter production, as reusing IVs on devices in the field can introduce vulnerabilities that could impact data confidentiality. When this option is not set, IVs continue to be rolled on each flash erase, which maintains the security of the encrypted data.
To permanently disable IV rolling on a development device, issue the following command. This command was added in the Simplicity Commander version 1.19.2 release.
commander security transitiontodevelopment -d sixg301
================================================================================
THIS IS A ONE-TIME command which permanently changes the security properties of the device. Once done, the device permanently uses the same IV for encryption of flash, which is not secure (using the same IV and same key can lead to exposure of the encrypted data).
This should only be enabled on development devices to prevent exhausting OTP rollback bits after repeated flash/erase cycles.
Type 'continue' and hit enter to proceed or Ctrl-C to abort:
================================================================================
continue
The device has been permanently transitioned to NOT SECURE development mode
DONE
Note: This command prevents OTP bits from being consumed during IV generation only. OTP consumption will still occur during code region closures and firmware version updates; therefore, OTP exhaustion remains possible even when this command is used.
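A development flashing wrapper that checks the OTP rollback count before each flash, as an added example (not from Silicon Labs documentation or tooling). The 16384-bit budget (the page's "at least 2 kB" read as 2048 bytes), the 90% stop threshold and all function names are assumptions; only the two commander invocations come from this page.

```shell
#!/bin/sh
# Added example, not Silicon Labs code. Assumptions: the budget below is the
# page's "at least 2 kB" read as 2048 bytes * 8 bits; the stop threshold and
# function names are hypothetical.
OTP_BUDGET_BITS=${OTP_BUDGET_BITS:-16384}
OTP_STOP_PCT=${OTP_STOP_PCT:-90}

# Read `commander security otprollbackcount` output on stdin, print the count.
# Fails (status 1) if the expected line is missing, so callers never flash blind.
otp_parse_count() {
    count=$(sed -n 's/.*Number of used OTP rollback bits:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$count" ] || return 1
    printf '%s\n' "$count"
}

# otp_status USED [BUDGET]: print "OK n%" (status 0) or "STOP n%" (status 1).
otp_status() {
    used=$1; budget=${2:-$OTP_BUDGET_BITS}
    pct=$((used * 100 / budget))
    if [ "$pct" -ge "$OTP_STOP_PCT" ]; then
        echo "STOP ${pct}%"; return 1
    fi
    echo "OK ${pct}%"
}

# otp_cycles_left BEFORE AFTER [BUDGET]: estimate how many more flash cycles fit,
# from the count measured before and after one representative cycle.
otp_cycles_left() {
    before=$1; after=$2; budget=${3:-$OTP_BUDGET_BITS}
    per_cycle=$((after - before))
    if [ "$per_cycle" -le 0 ]; then
        echo "n/a"; return 0      # this cycle consumed no OTP bits
    fi
    remaining=$((budget - after))
    [ "$remaining" -gt 0 ] || remaining=0
    echo $((remaining / per_cycle))
}

# otp_guarded_flash IMAGE DEVICE: development flash that refuses to run once
# the budget is nearly spent. Uses only the commander calls shown on this page.
otp_guarded_flash() {
    image=$1; device=$2
    used=$(commander security otprollbackcount -d "$device" | otp_parse_count) || return 2
    otp_status "$used" || return 1
    commander flash "$image" --noclose -d "$device"
}
```

Take a count reading on either side of one normal flash cycle and pass both to otp_cycles_left to get the per-cycle cost for your own workflow, since code region closures and firmware version updates still consume bits after the transition command.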