Device States
RSL15 allows a device to be deployed in one of two states of operation:
- A lower-power, less secure Energy Harvesting state (abbreviated to EH_STATE)
- A secure state, which ensures strong validation and authentication using one or more Roots of Trust (RoT) embedded in hardware (abbreviated to ROT_STATE).
A third state is employed during device production, but this is disabled prior to a device leaving the manufacturing process (abbreviated to PROD_STATE).
In each state, there is strict control over how the states can be changed; only a subset of transitions is allowed. This is shown in the "Flow Through Possible Device States" figure.
If a device manufacturer wishes to deploy devices in EH_STATE when locked, they need to safeguard against the EH_STATE becoming corrupted and the device automatically transitioning to an unsecured ROT_STATE.
- In the default configuration, the ROT_STATE is unsecured and awaiting device provisioning.
- This means that the debug ports are open, and any IP held in flash may be compromised.
To counteract this situation, if locked devices are employed in EH_STATE, the NVM contents used by the ROT_STATE must be set to values which ensure that the device powers up secured. This ensures that any unexpected transition to the ROT_STATE results in the device starting up in LCS_SE, which locks the ports by default. More about how to do this is explained later in this document, but one way is to intentionally write invalid data to the signature words section in NVM.