OTP Controller Technical Specification

Overview

This document specifies the functionality of the one time programmable (OTP) memory controller. The OTP controller is a module that is a peripheral on the chip interconnect bus, and thus follows the Comportability Specification.

Features

Description

Theory of Operations

Block Diagram

Hardware Interfaces

Parameters

The following table lists the main parameters used throughout the OTP controller design.

Localparam Default (Max) Top Earlgrey Description

Signals

Referring to the Comportable guideline for peripheral device functionality, the module otp_ctrl has the following hardware interfaces defined.

Primary Clock: clk_i

Other Clocks: none

Bus Device Interface: tlul

Bus Host Interface: none

Peripheral Pins for Chip IO: none

Interrupts:

Interrupt NameDescription
otp_access_doneA direct access command has completed.
otp_ctrl_errAn error has occurred during an access. Check the ERR_CODE register to get more information.

Security Alerts:

Alert NameDescription
otp_reg_parity_mismatchThis alert triggers if hardware detects a parity bit error in the buffered partitions.
otp_reg_digest_mismatchThis alert triggers if the digest over the buffered registers does not match with the digest stored in OTP.
Signal Direction Type Description

Design Details

Programmers Guide

Power-up and Reset Considerations

Initialization

Interrupt Handling

Register Table

otp_ctrl.INTR_STATE @ + 0x0
Interrupt State Register
Reset default = 0x0, mask 0x3
31302928272625242322212019181716
 
1514131211109876543210
  otp_ctrl_err otp_access_done
BitsTypeResetNameDescription
0rw1c0x0otp_access_doneA direct access command has completed.
1rw1c0x0otp_ctrl_errAn error has occurred during an access. Check the ERR_CODE register to get more information.


otp_ctrl.INTR_ENABLE @ + 0x4
Interrupt Enable Register
Reset default = 0x0, mask 0x3
31302928272625242322212019181716
 
1514131211109876543210
  otp_ctrl_err otp_access_done
BitsTypeResetNameDescription
0rw0x0otp_access_doneEnable interrupt when INTR_STATE.otp_access_done is set
1rw0x0otp_ctrl_errEnable interrupt when INTR_STATE.otp_ctrl_err is set


otp_ctrl.INTR_TEST @ + 0x8
Interrupt Test Register
Reset default = 0x0, mask 0x3
31302928272625242322212019181716
 
1514131211109876543210
  otp_ctrl_err otp_access_done
BitsTypeResetNameDescription
0wo0x0otp_access_doneWrite 1 to force INTR_STATE.otp_access_done to 1
1wo0x0otp_ctrl_errWrite 1 to force INTR_STATE.otp_ctrl_err to 1


otp_ctrl.STATUS @ + 0xc
OTP status register.
Reset default = 0x0, mask 0xffffffff
31302928272625242322212019181716
err_code...
1514131211109876543210
...err_code
BitsTypeResetNameDescription
31:0ro0x0err_codeThis register holds information on the OTP controller status. TODO: make this an enum {INIT, READY, ERROR, LOCKED, WRITE_PENDING, READ_PENDING}


otp_ctrl.ERR_CODE @ + 0x10
OTP Ctrl Error Code
Reset default = 0x0, mask 0xffffffff
31302928272625242322212019181716
err_code...
1514131211109876543210
...err_code
BitsTypeResetNameDescription
31:0ro0x0err_codeThis register holds information on the error that occurred. To be checked after an error interrupt occurred. TODO: add reference to error type here.


otp_ctrl.DIRECT_ACCESS_CMD @ + 0x14
OTP array command for direct access.
Reset default = 0x0, mask 0x3
31302928272625242322212019181716
 
1514131211109876543210
  write read
BitsTypeResetNameDescription
0r0w1c0x0readInitiates a readout sequence that reads the location specified by DIRECT_ACCESS_ADDRESS and DIRECT_ACCESS_SIZE. The command places the read data in DIRECT_ACCESS_RDATA.
1r0w1c0x0writeInitiates a programming sequence that writes the DIRECT_ACCESS_WDATA to the location specified by DIRECT_ACCESS_ADDRESS and DIRECT_ACCESS_SIZE.


otp_ctrl.DIRECT_ACCESS_ADDRESS @ + 0x18
OTP array address for direct access.
Reset default = 0x0, mask 0x3ff
31302928272625242322212019181716
 
1514131211109876543210
  DIRECT_ACCESS_ADDRESS
BitsTypeResetNameDescription
9:0rw0x0DIRECT_ACCESS_ADDRESSThis is the address for the OTP word to be read or written through the direct access interface. Note that the address is 32bit aligned internally, hence bit 1:0 are ignored.


otp_ctrl.DIRECT_ACCESS_SIZE @ + 0x1c
OTP array acces size for direct access.
Reset default = 0x0, mask 0x3
31302928272625242322212019181716
 
1514131211109876543210
  DIRECT_ACCESS_SIZE
BitsTypeResetNameDescription
1:0rw0x0DIRECT_ACCESS_SIZEThis is the access size for for the OTP word to be read or written through the direct access interface. Note that the address is always aligned to the access size internally. 0 = 1 Byte, 1 = 2 Bytes, 2 = 4 Bytes, 3 = 8 Bytes.


otp_ctrl.DIRECT_ACCESS_WDATA0 @ + 0x20
Write data for direct access. Note that only 1s are effectively programmed into the array. 0s do not have any effect.
Reset default = 0x0, mask 0xffffffff
31302928272625242322212019181716
DIRECT_ACCESS_WDATA0...
1514131211109876543210
...DIRECT_ACCESS_WDATA0
BitsTypeResetNameDescription
31:0rw0x0DIRECT_ACCESS_WDATA0 for WORD0


otp_ctrl.DIRECT_ACCESS_WDATA1 @ + 0x24
Write data for direct access. Note that only 1s are effectively programmed into the array. 0s do not have any effect.
Reset default = 0x0, mask 0xffffffff
31302928272625242322212019181716
DIRECT_ACCESS_WDATA1...
1514131211109876543210
...DIRECT_ACCESS_WDATA1
BitsTypeResetNameDescription
31:0rw0x0DIRECT_ACCESS_WDATA1 for WORD1


otp_ctrl.DIRECT_ACCESS_RDATA0 @ + 0x28
Read data for direct access.
Reset default = 0x0, mask 0xffffffff
31302928272625242322212019181716
DIRECT_ACCESS_RDATA0...
1514131211109876543210
...DIRECT_ACCESS_RDATA0
BitsTypeResetNameDescription
31:0ro0x0DIRECT_ACCESS_RDATA0 for WORD0


otp_ctrl.DIRECT_ACCESS_RDATA1 @ + 0x2c
Read data for direct access.
Reset default = 0x0, mask 0xffffffff
31302928272625242322212019181716
DIRECT_ACCESS_RDATA1...
1514131211109876543210
...DIRECT_ACCESS_RDATA1
BitsTypeResetNameDescription
31:0ro0x0DIRECT_ACCESS_RDATA1 for WORD1


otp_ctrl.SECRET_INTEGRITY_DIGEST_CALC @ + 0x50
Compute and program digest for secret partition.
Reset default = 0x0, mask 0x1
31302928272625242322212019181716
 
1514131211109876543210
  SECRET_INTEGRITY_DIGEST_CALC
BitsTypeResetNameDescription
0r0w1c0x0SECRET_INTEGRITY_DIGEST_CALCWriting 1 to this register computes the partition digest and burns it into OTP. Note: this effectively locks write and read access to this partition after power cycling the device.


otp_ctrl.HW_CFG_INTEGRITY_DIGEST_CALC @ + 0x54
Compute and program digest for the hardware config partition.
Reset default = 0x0, mask 0x1
31302928272625242322212019181716
 
1514131211109876543210
  HW_CFG_INTEGRITY_DIGEST_CALC
BitsTypeResetNameDescription
0r0w1c0x0HW_CFG_INTEGRITY_DIGEST_CALCWriting 1 to this register computes the partition digest and burns it into OTP. Note that this effectively locks write access to this partition after power cycling the device.


otp_ctrl.SW_CFG_INTEGRITY_DIGEST_CALC @ + 0x58
Compute and program digest for the software config partition.
Reset default = 0x0, mask 0x1
31302928272625242322212019181716
 
1514131211109876543210
  SW_CFG_INTEGRITY_DIGEST_CALC
BitsTypeResetNameDescription
0r0w1c0x0SW_CFG_INTEGRITY_DIGEST_CALCWriting 1 to this register computes the partition digest and burns it into OTP. Note that effectively locks write access to this partition after power cycling the device.


otp_ctrl.SECRET_INTEGRITY_DIGEST @ + 0x5c
Integrity digest for the secret config partition
Reset default = 0x0, mask 0xffffffff
31302928272625242322212019181716
SECRET_INTEGRITY_DIGEST...
1514131211109876543210
...SECRET_INTEGRITY_DIGEST
BitsTypeResetNameDescription
31:0ro0x0SECRET_INTEGRITY_DIGESTThe integrity digest is 0 by default. Once the partition has been locked, this digest is set to a nonzero value.


otp_ctrl.HW_CFG_INTEGRITY_DIGEST @ + 0x60
Hardware config partition integrity digest.
Reset default = 0x0, mask 0xffffffff
31302928272625242322212019181716
HW_CFG_INTEGRITY_DIGEST...
1514131211109876543210
...HW_CFG_INTEGRITY_DIGEST
BitsTypeResetNameDescription
31:0ro0x0HW_CFG_INTEGRITY_DIGESTThe integrity digest is 0 by default. Once the partition has been locked, this digest is set to a nonzero value.


otp_ctrl.SW_CFG_INTEGRITY_DIGEST @ + 0x64
Integrity digest for the software config partition
Reset default = 0x0, mask 0xffffffff
31302928272625242322212019181716
SW_CFG_INTEGRITY_DIGEST...
1514131211109876543210
...SW_CFG_INTEGRITY_DIGEST
BitsTypeResetNameDescription
31:0ro0x0SW_CFG_INTEGRITY_DIGESTThe integrity digest is 0 by default. Once the partition has been locked, this digest is set to a nonzero value.


otp_ctrl.LC_STATE0 @ + 0x100
Life cycle state.
Reset default = 0x0, mask 0xffffffff
31302928272625242322212019181716
LC_STATE3 LC_STATE2
1514131211109876543210
LC_STATE1 LC_STATE0
BitsTypeResetNameDescription
7:0ro0x0LC_STATE0TODO: explain state encoding for BYTE0
31:8for BYTE1..BYTE3


otp_ctrl.LC_STATE1 @ + 0x104
Life cycle state.
Reset default = 0x0, mask 0xffff
31302928272625242322212019181716
 
1514131211109876543210
LC_STATE5 LC_STATE4
BitsTypeResetNameDescription
7:0ro0x0LC_STATE4TODO: explain state encoding for BYTE4
15:8for BYTE5


otp_ctrl.ID_STATE @ + 0x108
ID state of the device.
Reset default = 0x0, mask 0xff
31302928272625242322212019181716
 
1514131211109876543210
  ID_STATE
BitsTypeResetNameDescription
7:0ro0x0ID_STATEThe ID state is BLANK when set to 0x00, and CREATOR_PERSONALIZED if set to 0x6D. Note that this affects certain secrets stored in FLASH and OTP. For instance, the !!CREATOR_ROOT_KEY_SHARE0 stored in OTP is readable and writable by software if BLANK, and all hardware outputs to the LC controller and the key manager will be tied to 0 in this state. If ID state is CREATOR_PERSONALIZED the !!CREATOR_ROOT_KEY_SHARE0 is not accessible by software anymore, and all hardware outputs to the LC controller and key manager will be driven.


otp_ctrl.TEST_XXX_CNT @ + 0x10c
Counters related to the test and XXX states.
Reset default = 0x0, mask 0xffffffff
31302928272625242322212019181716
XXX_UNLOCK_CNT TEST_EXIT_CNT
1514131211109876543210
TEST_UNLOCK_CNT TEST_STATE_CNT
BitsTypeResetNameDescription
7:0ro0x0TEST_STATE_CNTTODO: add description of this counter
15:8ro0x0TEST_UNLOCK_CNTNumber of times test unlock has been attempted.
23:16ro0x0TEST_EXIT_CNTNumber of times test exit has been attempted.
31:24ro0x0XXX_UNLOCK_CNTNumber of times XXX unlock has been attempted.


otp_ctrl.TRANSITION_CNT @ + 0x110
Counter for total amount of state transition attempts.
Reset default = 0x0, mask 0xffff
31302928272625242322212019181716
 
1514131211109876543210
TRANSITION_CNT
BitsTypeResetNameDescription
15:0ro0x0TRANSITION_CNTThis counter will be incremented upon each state transition attempt, or when the transition command coming from the life cycle controller is invalid.


otp_ctrl.HW_CFG_LOCK @ + 0x200
Hardware config lock values.
Reset default = 0x0, mask 0xff
31302928272625242322212019181716
 
1514131211109876543210
  XXX_TOKEN_LOCK TEST_TOKENS_LOCK
BitsTypeResetNameDescription
2:0ro0x0TEST_TOKENS_LOCKTEST token lock value. When set to nonzero, the life cycle TEST_*_TOKENS are no longer accessible to software.
7:3ro0x0XXX_TOKEN_LOCKXXX token lock value. When set to nonzero, the life cycle XXX_*_TOKENS are no longer accessible to software.


otp_ctrl.HW_CFG0 @ + 0x204
Unallocated OTP bits.
Reset default = 0x0, mask 0xffffffff
31302928272625242322212019181716
HW_CFG0...
1514131211109876543210
...HW_CFG0
BitsTypeResetNameDescription
31:0ro0x0HW_CFG0 for WORD0


otp_ctrl.HW_CFG1 @ + 0x208
Unallocated OTP bits.
Reset default = 0x0, mask 0xffffffff
31302928272625242322212019181716
HW_CFG1...
1514131211109876543210
...HW_CFG1
BitsTypeResetNameDescription
31:0ro0x0HW_CFG1 for WORD1


otp_ctrl.HW_CFG2 @ + 0x20c
Unallocated OTP bits.
Reset default = 0x0, mask 0xffffffff
31302928272625242322212019181716
HW_CFG2...
1514131211109876543210
...HW_CFG2
BitsTypeResetNameDescription
31:0ro0x0HW_CFG2 for WORD2


otp_ctrl.HW_CFG3 @ + 0x210
Unallocated OTP bits.
Reset default = 0x0, mask 0xffffffff
31302928272625242322212019181716
HW_CFG3...
1514131211109876543210
...HW_CFG3
BitsTypeResetNameDescription
31:0ro0x0HW_CFG3 for WORD3


otp_ctrl.HW_CFG4 @ + 0x214
Unallocated OTP bits.
Reset default = 0x0, mask 0xffffffff
31302928272625242322212019181716
HW_CFG4...
1514131211109876543210
...HW_CFG4
BitsTypeResetNameDescription
31:0ro0x0HW_CFG4 for WORD4


otp_ctrl.HW_CFG5 @ + 0x218
Unallocated OTP bits.
Reset default = 0x0, mask 0xffffffff
31302928272625242322212019181716
HW_CFG5...
1514131211109876543210
...HW_CFG5
BitsTypeResetNameDescription
31:0ro0x0HW_CFG5 for WORD5


otp_ctrl.SW_CFG @ + 0x400
256 item ro window
Byte writes are not supported
310
+0x400 
+0x404 
 ...
+0x7f8 
+0x7fc 
Any read to this window directly maps to the corresponding offset in the software config partition, and triggers an OTP readout of the bytes requested. Note that the transaction will block until OTP readout has completed.


otp_ctrl.TEST_ACCESS @ + 0x800
500 item rw window
Byte writes are not supported
310
+0x800 
+0x804 
 ...
+0xfc8 
+0xfcc 
This directly maps to the OTP macro address map. Note that this is only accessible during the test life cycle state of the OpenTitan device.


Additional Notes