NXP Layerscape® LX2162A, LX2122A, LX2082A Processors, Layerscape® LX2160A Processor, Layerscape® LX2160A, LX2120A, LX2080A Processors Reference guide

  • Hello! I am an AI chatbot trained to assist you with the NXP Layerscape® LX2162A, LX2122A, LX2082A Processors Reference guide. I’ve already reviewed the document and can help you find the information you need or explain it in simple terms. Just ask your questions, and providing more details will help me assist you more effectively!
QorIQ LX2160A Security (SEC) Reference
Manual
Supports LX2120A, LX2080A, LX2122A, LX2082A, and LX2162A
NXP Semiconductors
Document identifier: LX2160ASECRM
Reference Manual Rev. 0, 07/2020
Contents
Chapter 1 Overview of SEC (security engine) functionality.......................... 16
Chapter 2 Feature summary............................................................................. 18
Chapter 3 SEC implementation........................................................................ 22
3.1 SEC submodules.....................................................................................................................22
3.2 SEC Versions with Encryption Disabled..................................................................................22
Chapter 4 SEC modes of operation..................................................................24
4.1 Platform Security State............................................................................................................24
4.1.1 The effect of security state on volatile keys.............................................................................. 24
4.1.2 The effect of security state on non-volatile keys....................................................................... 24
4.2 Keys available in different security modes.............................................................................. 25
4.2.1 Keys available in trusted mode................................................................................................. 25
4.2.2 Keys available in secure mode................................................................................................. 25
4.2.3 Keys available in non-secure mode.......................................................................................... 26
4.2.4 Keys available in fail mode........................................................................................................26
Chapter 5 SEC hardware functional description............................................ 27
5.1 System Bus Interfaces.............................................................................................................28
5.1.1 AXI master (DMA) interface...................................................................................................... 28
5.1.2 Register interface (IP bus)........................................................................................................ 30
5.2 SEC service interface concepts...............................................................................................31
5.2.1 Configuring the Service Interfaces............................................................................................ 31
5.2.2 SEC descriptors........................................................................................................................ 31
5.2.3 Job termination status/error codes............................................................................................32
5.2.4 Frames and flows......................................................................................................................39
5.2.5 Frame descriptors and frames.................................................................................................. 40
5.2.6 Frame descriptor flow and flow context.....................................................................................40
5.2.7 Buffer allocation, release, and reuse.........................................................................................41
5.2.8 User data access control and isolation..................................................................................... 41
5.3 Service interfaces....................................................................................................................41
5.3.1 Job Ring interface..................................................................................................................... 42
5.3.2 Queue Manager Interface (QI).................................................................................................. 46
5.3.3 Register-based service interface...............................................................................................50
5.4 Job scheduling.........................................................................................................................52
5.4.1 Job scheduling algorithm.......................................................................................................... 52
5.4.2 Job scheduling - DECO-specific jobs........................................................................................54
5.5 Job execution hardware.......................................................................................................... 54
5.5.1 Descriptor Controller (DECO) and CHA Control Block (CCB).................................................. 54
5.5.2 Cryptographic hardware accelerators (CHAs) (overview).........................................................55
Chapter 6 Frame queues, frame descriptors, and buffers............................. 57
6.1 Frame queues......................................................................................................................... 57
6.1.1 Dequeue response....................................................................................................................57
6.2 Multi-partition resource access................................................................................................59
NXP Semiconductors
QorIQ LX2160A Security (SEC) Reference Manual, Rev. 0, 07/2020
Reference Manual
2 / 1266
6.2.1 Multi-partition resource access modes......................................................................................59
6.2.2 Flow context selection restrictions............................................................................................ 60
6.2.3 Inline Job Descriptor restrictions............................................................................................... 61
6.2.4 Replacement job descriptor restrictions.................................................................................... 61
6.2.5 Non-local jump limitations......................................................................................................... 61
6.2.6 Multi-partition resource access restriction summary................................................................. 62
6.3 Frame descriptors....................................................................................................................62
6.3.1 Flow Context............................................................................................................................. 63
6.3.2 Processing single frame jobs.................................................................................................... 71
6.3.3 Processing frame list jobs......................................................................................................... 72
6.3.4 Frame descriptor error handling................................................................................................72
6.3.5 Job descriptor construction from frame descriptor.................................................................... 73
Chapter 7 Descriptors and descriptor commands......................................... 76
7.1 Job Descriptors........................................................................................................................76
7.2 Trusted descriptors..................................................................................................................77
7.3 Shared descriptors.................................................................................................................. 78
7.3.1 Executing shared descriptors in proper order........................................................................... 79
7.3.2 Specifying different types of shared descriptor sharing............................................................ 80
7.3.3 Changing shared descriptors.................................................................................................... 81
7.4 Using in-line descriptors.......................................................................................................... 81
7.5 Using replacement job descriptors.......................................................................................... 82
7.6 Scatter/gather tables (SGTs)...................................................................................................83
7.7 Using descriptor commands....................................................................................................86
7.7.1 Command execution order........................................................................................................86
7.7.2 Command properties.................................................................................................................91
7.7.3 Command types........................................................................................................................ 91
7.7.4 SEQ vs non-SEQ commands....................................................................................................93
7.7.5 Information FIFO entries........................................................................................................... 96
7.7.6 Output FIFO Operation............................................................................................................. 96
7.7.7 Output Checksum logic............................................................................................................. 97
7.7.8 Cryptographic class...................................................................................................................98
7.7.9 Address pointers....................................................................................................................... 99
7.7.10 DECO/CCB behavior for jobs started via the register service interface..................................99
7.7.11 DECO/CCB default actions for one-off jobs.......................................................................... 100
7.7.12 DECO/CCB actions when sharing descriptors......................................................................100
7.7.13 Using a CHA more than once in a job...................................................................................100
7.8 HEADER command...............................................................................................................101
7.9 KEY commands.....................................................................................................................107
7.10 LOAD commands................................................................................................................ 111
7.11 FIFO LOAD command.........................................................................................................125
7.11.1 Bit length data....................................................................................................................... 129
7.11.2 FIFO LOAD input data type ..................................................................................................130
7.12 ECPARAM command..........................................................................................................132
7.13 STORE command............................................................................................................... 136
7.14 FIFO STORE command...................................................................................................... 146
7.15 MOVE, MOVEB, MOVEDW, and MOVE_LEN commands................................................. 153
7.16 ALGORITHM OPERATION command................................................................................ 163
7.17 PROTOCOL OPERATION Commands...............................................................................170
7.18 PKHA OPERATION command............................................................................................194
7.18.1 PKHA OPERATION: clear memory function.........................................................................196
7.18.2 PKHA OPERATION: Arithmetic Functions............................................................................197
7.18.3 PKHA OPERATION: copy memory functions....................................................................... 205
7.18.4 PKHA OPERATION: Elliptic Curve Functions.......................................................................208
NXP Semiconductors
Contents
QorIQ LX2160A Security (SEC) Reference Manual, Rev. 0, 07/2020
Reference Manual
3 / 1266
7.19 SIGNATURE command.......................................................................................................214
7.20 JUMP (HALT) command..................................................................................................... 216
7.20.1 Jump type..............................................................................................................................217
7.20.2 Test type............................................................................................................................... 219
7.20.3 JSL and TEST CONDITION fields........................................................................................ 219
7.20.4 JUMP command format........................................................................................................ 220
7.21 MATH and MATHI Commands............................................................................................224
7.22 SEQ IN PTR command....................................................................................................... 232
7.23 SEQ OUT PTR command................................................................................................... 235
Chapter 8 Protocol acceleration.....................................................................239
8.1 IPsec ESP encapsulation and decapsulation overview.........................................................240
8.1.1 IPsec ESP encapsulation and decapsulation mode support...................................................241
8.1.2 IPsec ESP error codes............................................................................................................242
8.1.3 Programming for IPsec .......................................................................................................... 243
8.1.4 IPsec ESP Transport (and Legacy Tunnel) encapsulation overview...................................... 263
8.1.5 IPsec ESP Cryptographic Encapsulation................................................................................ 265
8.1.6 IPsec ESP Transport (and Legacy Tunnel) decapsulation procedure overview..................... 271
8.1.7 IPsec ESP Cryptographic Decapsulation................................................................................274
8.1.8 IPsec ESP Tunnel encapsulation overview.............................................................................280
8.1.9 IPsec ESP tunnel decapsulation overview..............................................................................282
8.2 SSL/TLS/DTLS record encapsulation and decapsulation overview...................................... 283
8.2.1 Programming and processing details common to all versions of SSL, TLS, and DTLS......... 284
8.2.2 Process for SSL 3.0 and TLS 1.0 record encapsulation......................................................... 296
8.2.3 Process for SSL 3.0 and TLS 1.0 record decapsulation......................................................... 298
8.2.4 Process for TLS 1.1 and TLS 1.2 record encapsulation......................................................... 299
8.2.5 Process for TLS 1.1 and TLS 1.2 record decapsulation......................................................... 305
8.2.6 Process for DTLS record encapsulation................................................................................. 309
8.2.7 Process for DTLS record decapsulation................................................................................. 312
8.3 IEEE 802.1AE MACsec encapsulation and decapsulation overview.................................... 317
8.3.1 Process for 802.1AE MACsec encapsulation......................................................................... 317
8.3.2 MACsec encapsulation PDB format descriptions....................................................................321
8.3.3 Process for 802.1AE MACSec decapsulation.........................................................................322
8.3.4 MACsec decapsulation PDB format descriptions....................................................................325
8.4 IEEE 802.11 ac-2013 WPA2 MPDU encapsulation and decapsulation................................ 327
8.4.1 Processing Common to WPA2 Encapsulation and Decapsulation......................................... 327
8.4.2 Process for WPA2 encapsulation............................................................................................329
8.4.3 Process for WPA2 decapsulation............................................................................................333
8.5 Anti-Replay built-in checking................................................................................................. 336
8.6 3G RLC PDU Encapsulation and Decapsulation overview................................................... 339
8.6.1 3G RLC PDU encapsulation overview.................................................................................... 339
8.6.2 Process for 3G RLC PDU encapsulation................................................................................ 340
8.6.3 3G RLC PDU encapsulation PDB format descriptions............................................................341
8.6.4 3G RLC PDU decapsulation overview.................................................................................... 341
8.6.5 Process for 3G RLC PDU decapsulation................................................................................ 342
8.6.6 3G RLC PDU decapsulation PDB format descriptions............................................................343
8.6.7 Overriding the PDB for 3G RLC PDU encapsulation and decapsulation................................ 343
8.7 LTE and 5G PDCP PDU encapsulation and decapsulation overview...................................344
8.7.1 PDCP PDU IV generation....................................................................................................... 345
8.7.2 PDCP PDU encapsulation process for confidentiality only..................................................... 347
8.7.3 PDCP PDU encapsulation for confidentiality and integrity......................................................348
8.7.4 PDCP PDU decapsulation process for confidentiality only..................................................... 349
8.7.5 PDCP PDU decapsulation for confidentiality and integrity......................................................351
8.7.6 PDCP shared descriptor PDB format descriptions..................................................................352
NXP Semiconductors
Contents
QorIQ LX2160A Security (SEC) Reference Manual, Rev. 0, 07/2020
Reference Manual
4 / 1266
8.7.7 Overriding the PDB for PDCP encapsulation and decapsulation............................................353
Chapter 9 Public Key Cryptography Operations.......................................... 354
9.1 Conformance considerations.................................................................................................354
9.2 Specifying the ECC domain curves for the discrete-log functions.........................................355
9.3 Discrete-log key-pair generation............................................................................................358
9.3.1 Inputs to the discrete-log key-pair generation function ...................................................358
9.3.2 Assumptions of the discrete-log key-pair generation function .......................................359
9.3.3 Outputs from the discrete-log key-pair generation function ........................................... 359
9.3.4 Operation of the discrete-log key-pair generation function..................................................... 359
9.3.5 Notes associated with the discrete-log key-pair generation function ..................................... 359
9.4 Using the Diffie_Hellman function......................................................................................... 360
9.4.1 Diffie_Hellman requirements...................................................................................................360
9.4.2 Inputs to the Diffie-Hellman function....................................................................................... 361
9.4.3 Assumptions of the Diffie-Hellman function............................................................................ 361
9.4.4 Outputs from the Diffie-Hellman function................................................................................ 361
9.4.5 Operation of the Diffie-Hellman function................................................................................. 361
9.4.6 Notes associated with the Diffie-Hellman function.................................................................. 361
9.5 Generating DSA and ECDSA signatures.............................................................................. 362
9.5.1 Inputs to the DSA and ECDSA signature generation function................................................ 363
9.5.2 Assumptions of the DSA and ECDSA signature generation function ............................ 363
9.5.3 Outputs from the DSA and ECDSA signature generation function ........................................ 363
9.5.4 Operation of the DSA and ECDSA signature generation function ......................................... 363
9.5.5 Notes associated with the DSA and ECDSA Signature Generation function..........................364
9.6 Verifying DSA and ECDSA signatures.................................................................................. 365
9.6.1 Inputs to the DSA and ECDSA signature verification function................................................ 366
9.6.2 Assumptions of the DSA and ECDSA signature verification function..................................... 366
9.6.3 Outputs from the DSA and ECDSA signature verification function......................................... 366
9.6.4 Operation of the DSA and ECDSA signature verification function ......................................... 366
9.6.5 Notes associated with the DSA and ECDSA Signature Verification function .........................367
9.7 Elliptic Curve Public Key Validation.......................................................................................368
9.7.1 Inputs to the Elliptic Curve public key validation function .............................................. 369
9.7.2 Outputs from the Elliptic Curve public key validation function.................................................369
9.7.3 Operation of the Elliptic Curve public key validation function..................................................369
9.7.4 Notes associated with the Elliptic Curve public key validation function ................................. 369
9.8 RSA Finalize Key Generation (RFKG).................................................................................. 370
9.9 Implementation of the RSA encrypt operation.......................................................................372
9.10 Implementation of the RSA decrypt operation.....................................................................374
Chapter 10 Key agreement functions............................................................ 380
10.1 IKEv2 PRF overview............................................................................................................380
10.1.1 Using IKE PRF to generate SKEYSEED.............................................................................. 380
10.1.2 Using IKE PRF+ to generate keying material for the IKEv2 SA............................................381
10.1.3 Using IKE PRF+ to generate Child SA key material............................................................. 381
10.1.4 Restrictions on programming control blocks......................................................................... 381
10.1.5 IKE PRF PDB format descriptions........................................................................................ 381
10.1.6 Implementation details for IKE PRF function........................................................................ 385
10.1.7 Implementation Details for IKE PRF+ function......................................................................386
10.2 SSL/TLS/DTLS pseudo-random functions (PRF)................................................................386
10.2.1 SSL 3.0 PRF overview.......................................................................................................... 387
10.2.2 Process for SSL 3.0 PRF...................................................................................................... 388
10.2.3 SSL 3.0 PRF PDB format descriptions................................................................................. 388
10.2.4 TLS 1.0/TLS 1.1/DTLS PRF overview.................................................................................. 391
NXP Semiconductors
Contents
QorIQ LX2160A Security (SEC) Reference Manual, Rev. 0, 07/2020
Reference Manual
5 / 1266
10.2.5 Process for TLS 1.0, TLS 1.1, DTLS PRF............................................................................ 393
10.2.6 TLS 1.0, TLS 1.1, DTLS PRF PDB format descriptions........................................................395
10.2.7 TLS 1.2 PRF overview.......................................................................................................... 399
10.2.8 Process for TLS 1.2 PRF...................................................................................................... 399
10.2.9 TLS 1.2 PRF PDB format descriptions..................................................................................400
10.3 Implementation of the derived key protocol.........................................................................403
10.3.1 Using DKP with HMAC keys................................................................................................. 404
10.3.2 Implementation of the Blob Protocol..................................................................................... 405
Chapter 11 Cryptographic hardware accelerators (CHAs).......................... 406
11.1 Public-key hardware accelerator (PKHA) functionality........................................................407
11.1.1 Modular math........................................................................................................................ 408
11.1.2 About Montgomery values.................................................................................................... 408
11.1.3 Non-modular Math................................................................................................................ 409
11.1.4 Elliptic-Curve Math................................................................................................................ 409
11.1.5 PKHA Mode Register............................................................................................................ 411
11.1.6 PKHA functions..................................................................................................................... 411
11.2 Data encryption standard accelerator (DES) functionality...................................................493
11.2.1 DESA use of the Mode Register........................................................................................... 493
11.2.2 DESA use of the Key Register.............................................................................................. 494
11.2.3 DESA use of the Key Size Register...................................................................................... 494
11.2.4 DESA use of the Data Size Register.....................................................................................494
11.2.5 DESA Context Register.........................................................................................................495
11.2.6 Save and store operations in DESA context data................................................................. 495
11.3 Cyclic-redundancy check accelerator (CRCA) functionality................................................ 495
11.3.1 CRCA modes of operation.................................................................................................... 495
11.3.2 CRCA use of the Class 2 Mode Register..............................................................................495
11.3.3 CRCA Class 2 Key Register................................................................................................. 497
11.3.4 CRCA Class 2 Key Size Register......................................................................................... 497
11.3.5 CRCA Class 2 Data Size Register........................................................................................ 497
11.3.6 CRCA Class 2 Context Register........................................................................................... 497
11.3.7 Save and restore operations in CRCA context data............................................................. 497
11.4 Random-number generator (RNG) functionality..................................................................498
11.4.1 RNG features summary........................................................................................................ 498
11.4.2 RNG functional description .................................................................................................. 498
11.4.3 RNG operations.................................................................................................................... 500
11.4.4 RNG use of the Key Registers.............................................................................................. 501
11.4.5 RNG use of the Context Register..........................................................................................502
11.4.6 RNG use of the Data Size Register...................................................................................... 502
11.5 SNOW 3G Confidentiality accelerator functionality............................................................. 502
11.5.1 Differences between SNOW 3G confidentiality and SNOW 3G integrity hardware
accelerators.................................................................................................................................502
11.5.2 SNOW 3G Confidentiality use of the Mode Register............................................................ 503
11.5.3 SNOW 3G Confidentiality use of the Key and Context Registers......................................... 503
11.5.4 SNOW 3G Confidentiality accelerator use of the Data Size Register................................... 504
11.5.5 SNOW 3G Confidentiality accelerator use of the Key Size Register.................................... 504
11.6 SNOW 3G Integrity accelerator functionality.......................................................................504
11.6.1 SNOW 3G Integrity accelerator use of the Mode Register................................................... 504
11.6.2 SNOW 3G Integrity CHA use of the Key and Context Registers.......................................... 505
11.6.3 SNOW 3G Integrity accelerator use of the Data Size Register.............................................506
11.6.4 SNOW 3G Integrity accelerator use of the Key Size Register.............................................. 506
11.6.5 SNOW 3G Integrity CHA use of MAC/ICV check..................................................................506
11.7 Message digest hardware accelerator (MDHA) functionality...............................................507
11.7.1 MDHA use of the Mode Register.......................................................................................... 507
NXP Semiconductors
Contents
QorIQ LX2160A Security (SEC) Reference Manual, Rev. 0, 07/2020
Reference Manual
6 / 1266
11.7.2 MDHA use of the Key Register............................................................................................. 508
11.7.3 MDHA use of the Data Size Register....................................................................................510
11.7.4 MDHA use of the Context Register....................................................................................... 510
11.7.5 Save and restore operations in MDHA context data............................................................. 511
11.8 AES accelerator (AESA) functionality..................................................................................511
11.8.1 Differences between the AES encrypt and decrypt keys...................................................... 511
11.8.2 AESA as both Class 1 and Class 2 CHA.............................................................................. 512
11.8.3 AESA modes of operation.....................................................................................................512
11.8.4 AESA use of registers........................................................................................................... 513
11.8.5 AESA use of the parity bit..................................................................................................... 513
11.8.6 AES ECB mode.....................................................................................................................513
11.8.7 AES CBC, CBC-CS2, OFB, CFB128 modes ....................................................................... 514
11.8.8 AES CTR mode.....................................................................................................................516
11.8.9 AES XTS mode..................................................................................................................... 517
11.8.10 AES XCBC-MAC and CMAC modes.................................................................................. 519
11.8.11 AESA CCM mode............................................................................................................... 522
11.8.12 AES GCM mode..................................................................................................................525
11.8.13 AESA optimization modes...................................................................................................529
11.9 ZUC encryption accelerator (ZUCE) functionality................................................................538
11.9.1 Differences between ZUCE and ZUCA.................................................................................539
11.9.2 ZUCE use of the Mode Register........................................................................................... 539
11.9.3 ZUCE use of the Key and Context Registers........................................................................539
11.9.4 ZUCE use of the Data Size Register.....................................................................................540
11.9.5 ZUCE use of the Key Size Register ..................................................................................... 540
11.10 ZUC authentication accelerator (ZUCA) functionality........................................................540
11.10.1 ZUCA use of the Mode Register......................................................................................... 540
11.10.2 ZUCA use of the Key and Context Registers......................................................................541
11.10.3 ZUCA use of the Data Size Register...................................................................................542
11.10.4 ZUCA use of the Key Size Register.................................................................................... 542
11.10.5 ZUCA use of ICV checking................................................................................................. 542
11.11 ChaCha20 hardware accelerator (CCHA) CHA functionality............................................ 542
11.11.1 CCHA use of the Mode Register.........................................................................................542
11.11.2 Save and restore operations of context data in CCHA....................................................... 544
11.11.3 CCHA use of the Context Register..................................................................................... 544
11.11.4 CCHA use of the Data Size Register.................................................................................. 545
11.11.5 CCHA use of the Key Register............................................................................................545
11.12 Poly1305 Hardware Accelerator (PTHA) functionality.......................................................545
11.12.1 PTHA modes of operation...................................................................................................545
11.12.2 PTHA use of the Mode Register......................................................................................... 545
11.12.3 PTHA use of the Context Register...................................................................................... 546
11.12.4 PTHA Data Size Register....................................................................................................547
11.12.5 PTHA AAD Size Register....................................................................................................547
11.12.6 PTHA Key Register............................................................................................................. 547
11.12.7 PTHA Key Size Register..................................................................................................... 548
Chapter 12 Trust Architecture modules........................................................ 549
12.1 Run-time Integrity Checker (RTIC)......................................................................................549
12.1.1 RTIC modes of operation...................................................................................................... 549
12.1.2 RTIC initialization and operation........................................................................................... 549
12.1.3 RTIC use of the Throttle Register......................................................................................... 550
12.1.4 RTIC use of command, configuration, and status registers.................................................. 550
12.1.5 Initializing RTIC..................................................................................................................... 550
12.1.6 RTIC Memory Block Address/Length Registers....................................................................550
12.2 SEC virtualization and security domain identifiers (SDIDs).................................................551
NXP Semiconductors
Contents
QorIQ LX2160A Security (SEC) Reference Manual, Rev. 0, 07/2020
Reference Manual
7 / 1266
12.2.1 Access Control...................................................................................................................... 551
12.2.2 Virtualization..........................................................................................................................551
12.2.3 Security domain identifiers (SDIDs)...................................................................................... 551
12.2.4 TrustZone SecureWorld........................................................................................................ 552
12.3 Special-purpose cryptographic keys....................................................................................552
12.3.1 Initializing and clearing black and trusted descriptor keys.................................................... 552
12.3.2 Black keys and JDKEK/TDKEK............................................................................................ 552
12.3.3 Trusted descriptors and TDSK..............................................................................................552
12.3.4 Master key and blobs............................................................................................................ 553
12.4 Black keys........................................................................................................................... 553
12.4.1 Black key encapsulation schemes........................................................................................ 553
12.4.2 Differences between black and red keys.............................................................................. 553
12.4.3 Loading red keys...................................................................................................................553
12.4.4 Loading black keys................................................................................................................553
12.4.5 Avoiding errors when loading red and black keys.................................................................554
12.4.6 Encapsulating and decapsulating black keys........................................................................555
12.4.7 Types of black keys and their use.........................................................................................556
12.4.8 Types of blobs for key storage.............................................................................................. 556
12.5 Trusted descriptors..............................................................................................................556
12.5.1 Why trusted descriptors are needed..................................................................................... 556
12.5.2 Trusted-descriptor key types and uses................................................................................. 557
12.5.3 Trusted descriptors encrypting/decrypting black keys.......................................................... 557
12.5.4 Trusted-descriptor blob types and uses................................................................................ 557
12.5.5 Configuring the system to create trusted descriptors properly..............................................557
12.5.6 Creating trusted descriptors.................................................................................................. 558
12.6 Blobs....................................................................................................................................559
12.6.1 Blob protocol......................................................................................................................... 559
12.6.2 Why blobs are needed.......................................................................................................... 559
12.6.3 Blob conformance considerations......................................................................................... 559
12.6.4 Encapsulating and decapsulating blobs................................................................................560
12.6.5 Blob types............................................................................................................................. 560
12.6.6 Blob encapsulation................................................................................................................563
12.6.7 Blob decapsulation................................................................................................................564
12.7 Critical security parameters.................................................................................................564
12.8 Manufacturing-protection chip-authentication process........................................................565
12.8.1 Providing data to the manufacturing-protection authentication process............................... 567
12.8.2 MPPrivk_generation function................................................................................................ 569
12.8.3 MPPubk_generation function................................................................................................ 570
12.8.4 MPSign function.................................................................................................................... 572
12.8.5 MP-ECDH function................................................................................................................573
Chapter 13 SEC service error detection, recovery (reset), and
reconfiguration.............................................................................................575
13.1 Software SEC Reset............................................................................................................575
13.2 Job ring error detection, recovery, reset and reconfiguration..............................................575
13.2.1 Job ring user error detection, recovery, reset, and reconfiguration services........................ 575
13.2.2 Job ring error detection, recovery, reset, and reconfiguration management services.......... 577
13.3 QMan interface error detection, recovery, reset, and reconfiguration................................. 578
13.3.1 QI user services.................................................................................................................... 578
13.3.2 QI management services...................................................................................................... 579
13.4 RTIC error detection, recovery, reset, and reconfiguration................................................. 581
13.4.1 RTIC user services................................................................................................................581
13.4.2 RTIC management services..................................................................................................581
NXP Semiconductors
Contents
QorIQ LX2160A Security (SEC) Reference Manual, Rev. 0, 07/2020
Reference Manual
8 / 1266
13.5 Global and DECO error detection, recovery, reset, and reconfiguration.............................582
13.5.1 Global and DECO user services........................................................................................... 582
13.5.2 Global SEC and DECO management services.....................................................................582
Chapter 14 SEC register descriptions........................................................... 584
14.1 SEC memory map............................................................................................................... 585
14.2 Master Configuration Register (MCFGR)............................................................................ 812
14.3 Security Configuration Register (SCFGR)...........................................................................817
14.4 Job Ring a ICID Register - most significant half (JR0ICID_MS - JR3ICID_MS)................. 821
14.5 Job Ring a ICID Register - least significant half (JR0ICID_LS - JR3ICID_LS)....................823
14.6 Debug Control Register (DEBUGCTL)................................................................................824
14.7 Job Ring Start Register (JRSTARTR)................................................................................. 825
14.8 RTIC ICID Register for Block a - most significant half (RTICAICID_MS - RTICDICID_MS)827
14.9 RTIC ICID Register for Block a - least significant half (RTICAICID_LS - RTICDICID_LS). 828
14.10 Protocol Configuration Register (PROTCFG)....................................................................830
14.11 DECO Request Source Register (DECORSR)..................................................................830
14.12 DECO Bank Select Register (DECO_BANK_SEL)........................................................... 831
14.13 DECO Request Register (DECORR)................................................................................ 832
14.14 DECO0 ICID Register - most significant half (DECO0ICID_MS)...................................... 836
14.15 DECO0 ICID Register - least significant half (DECO0ICID_LS)........................................836
14.16 DECO Availability Register (DAR).....................................................................................838
14.17 DECO Reset Register (DRR)............................................................................................ 839
14.18 DECO Shared Memory Status Register (DSMSR)............................................................841
14.19 DECO Shared Memory Disable Register (DSMDR)..........................................................843
14.20 DMA Control Register (DMAC - DMA_CTRL)...................................................................844
14.21 Peak Bandwidth Smoothing Limit Register (PBSL)...........................................................846
14.22 DMAa_AIDL_MAP_MS (DMA0_AIDL_MAP_MS - DMA1_AIDL_MAP_MS).................... 847
14.23 DMAa_AIDL_MAP_LS (DMA0_AIDL_MAP_LS - DMA1_AIDL_MAP_LS)....................... 849
14.24 DMAa_AIDM_MAP_MS (DMA0_AIDM_MAP_MS - DMA1_AIDM_MAP_MS)................. 850
14.25 DMAa_AIDM_MAP_LS (DMA0_AIDM_MAP_LS - DMA1_AIDM_MAP_LS).................... 851
14.26 DMAf AXI ID Enable Register (DMA0_AID_ENB - DMA1_AID_ENB).............................. 852
14.27 DMAa AXI Read Timing Check Register (DMA0_ARD_TC - DMA1_ARD_TC)............... 854
14.28 DMAf Read Timing Check Latency Register (DMA0_ARD_LAT - DMA1_ARD_LAT)......856
14.29 DMAa AXI Write Timing Check Register (DMA0_AWR_TC - DMA1_AWR_TC)..............857
14.30 DMAf Write Timing Check Latency Register (DMA0_AWR_LAT - DMA1_AWR_LAT).....859
14.31 Manufacturing Protection Private Key Register (MPPKR0 - MPPKR63)...........................860
14.32 Manufacturing Protection Message Register (MPMR0 - MPMR31)..................................861
14.33 Manufacturing Protection Test Register (MPTESTR0 - MPTESTR31)............................. 862
14.34 Manufacturing Protection ECC Register (MPECC)........................................................... 863
14.35 Job Descriptor Key Encryption Key Register (JDKEKR0 - JDKEKR7)..............................864
14.36 Trusted Descriptor Key Encryption Key Register (TDKEKR0 - TDKEKR7)...................... 865
14.37 Trusted Descriptor Signing Key Register (TDSKR0 - TDSKR7)....................................... 866
14.38 Secure Key Nonce Register (SKNR).................................................................................867
14.39 DMA Status Register (DMA_STA).....................................................................................868
14.40 DMA_X_AID_7_4_MAP (DMA_X_AID_7_4_MAP)...........................................................869
14.41 DMA_X_AID_3_0_MAP (DMA_X_AID_3_0_MAP)...........................................................871
14.42 DMA_X_AID_15_12_MAP (DMA_X_AID_15_12_MAP)...................................................872
14.43 DMA_X_AID_11_8_MAP (DMA_X_AID_11_8_MAP).......................................................873
14.44 DMA_X AXI ID Map Enable Register (DMA_X_AID_15_0_EN)....................................... 874
14.45 DMA_X AXI Read Timing Check Control Register (DMA_X_ARTC_CTL)....................... 876
14.46 DMA_X AXI Read Timing Check Late Count Register (DMA_X_ARTC_LC)....................878
14.47 DMA_X AXI Read Timing Check Sample Count Register (DMA_X_ARTC_SC)..............879
14.48 DMA_X Read Timing Check Latency Register (DMA_X_ARTC_LAT)............................. 880
14.49 DMA_X AXI Write Timing Check Control Register (DMA_X_AWTC_CTL).......................881
NXP Semiconductors
Contents
QorIQ LX2160A Security (SEC) Reference Manual, Rev. 0, 07/2020
Reference Manual
9 / 1266
14.50 DMA_X AXI Write Timing Check Late Count Register (DMA_X_AWTC_LC)...................883
14.51 DMA_X AXI Write Timing Check Sample Count Register (DMA_X_AWTC_SC)............. 884
14.52 DMA_X Write Timing Check Latency Register (DMA_X_AWTC_LAT).............................885
14.53 RNG TRNG Miscellaneous Control Register (RTMCTL)...................................................886
14.54 RNG TRNG Statistical Check Miscellaneous Register (RTSCMISC)............................... 889
14.55 RNG TRNG Poker Range Register (RTPKRRNG)........................................................... 890
14.56 RNG TRNG Poker Maximum Limit Register (RTPKRMAX)..............................................891
14.57 RNG TRNG Poker Square Calculation Result Register (RTPKRSQ)............................... 892
14.58 RNG TRNG Seed Control Register (RTSDCTL)...............................................................893
14.59 RNG TRNG Sparse Bit Limit Register (RTSBLIM)............................................................894
14.60 RNG TRNG Total Samples Register (RTTOTSAM)..........................................................895
14.61 RNG TRNG Oscillator 2 Frequency Count Register (RTFRQCNT2)................................ 896
14.62 RNG TRNG Frequency Count Minimum Limit Register (RTFRQMIN)..............................897
14.63 RNG TRNG Frequency Count Register (RTFRQCNT)..................................................... 898
14.64 RNG TRNG Frequency Count Maximum Limit Register (RTFRQMAX)............................899
14.65 RNG TRNG Statistical Check Monobit Count Register (RTSCMC).................................. 900
14.66 RNG TRNG Statistical Check Monobit Limit Register (RTSCML).....................................901
14.67 RNG TRNG Statistical Check Run Length 1 Count Register (RTSCR1C)........................902
14.68 RNG TRNG Statistical Check Run Length 1 Limit Register (RTSCR1L).......................... 903
14.69 RNG TRNG Statistical Check Run Length 2 Count Register (RTSCR2C)........................904
14.70 RNG TRNG Statistical Check Run Length 2 Limit Register (RTSCR2L).......................... 905
14.71 RNG TRNG Statistical Check Run Length 3 Count Register (RTSCR3C)........................906
14.72 RNG TRNG Statistical Check Run Length 3 Limit Register (RTSCR3L).......................... 907
14.73 RNG TRNG Statistical Check Run Length 4 Count Register (RTSCR4C)........................908
14.74 RNG TRNG Statistical Check Run Length 4 Limit Register (RTSCR4L).......................... 909
14.75 RNG TRNG Statistical Check Run Length 5 Count Register (RTSCR5C)........................910
14.76 RNG TRNG Statistical Check Run Length 5 Limit Register (RTSCR5L).......................... 911
14.77 RNG TRNG Statistical Check Run Length 6+ Count Register (RTSCR6PC)................... 913
14.78 RNG TRNG Statistical Check Run Length 6+ Limit Register (RTSCR6PL)......................914
14.79 RNG TRNG Status Register (RTSTATUS)....................................................................... 915
14.80 RNG TRNG Entropy Read Register (RTENT0 - RTENT15)............................................. 917
14.81 RNG TRNG Statistical Check Poker Count 1 and 0 Register (RTPKRCNT10)................ 918
14.82 RNG TRNG Statistical Check Poker Count 3 and 2 Register (RTPKRCNT32)................ 919
14.83 RNG TRNG Statistical Check Poker Count 5 and 4 Register (RTPKRCNT54)................ 919
14.84 RNG TRNG Statistical Check Poker Count 7 and 6 Register (RTPKRCNT76)................ 920
14.85 RNG TRNG Statistical Check Poker Count 9 and 8 Register (RTPKRCNT98)................ 921
14.86 RNG TRNG Statistical Check Poker Count B and A Register (RTPKRCNTBA)...............922
14.87 RNG TRNG Statistical Check Poker Count D and C Register (RTPKRCNTDC)..............923
14.88 RNG TRNG Statistical Check Poker Count F and E Register (RTPKRCNTFE)............... 924
14.89 RNG DRNG Status Register (RDSTA)..............................................................................925
14.90 RNG DRNG State Handle 0 Reseed Interval Register (RDINT0)..................................... 927
14.91 RNG DRNG State Handle 1 Reseed Interval Register (RDINT1)..................................... 928
14.92 RNG DRNG Hash Control Register (RDHCNTL)..............................................................929
14.93 RNG DRNG Hash Digest Register (RDHDIG).................................................................. 930
14.94 RNG DRNG Hash Buffer Register (RDHBUF).................................................................. 930
14.95 RNG Oscillator 2 Control Register (OSC2_CTL)...............................................................931
14.96 Recoverable Error Interrupt Status (REIS)........................................................................933
14.97 Recoverable Error Interrupt Enable (REIE).......................................................................934
14.98 Recoverable Error Interrupt Force (REIF)......................................................................... 936
14.99 Recoverable Error Interrupt Halt (REIH)............................................................................938
14.100 SEC Version ID Register, most-significant half (SECVID_MS).......................................939
14.101 SEC Version ID Register, least-significant half (SECVID_LS)........................................ 941
14.102 Holding Tank 0 Job Descriptor Address (HT0_JD_ADDR)............................................. 943
14.103 Holding Tank 0 Shared Descriptor Address (HT0_SD_ADDR).......................................944
14.104 Holding Tank 0 Job Queue Control, most-significant half (HT0_JQ_CTRL_MS)............945
NXP Semiconductors
Contents
QorIQ LX2160A Security (SEC) Reference Manual, Rev. 0, 07/2020
Reference Manual
10 / 1266
14.105 Holding Tank 0 Job Queue Control, least-significant half (HT0_JQ_CTRL_LS).............948
14.106 Holding Tank 0 Status (HT0_STATUS)...........................................................................949
14.107 Holding Tank Pending Status (HT0_PEND)....................................................................950
14.108 Job Queue Debug Select Register (JQ_DEBUG_SEL).................................................. 952
14.109 Job Queue DMA Outstanding Write Count Register (JQ_DMA_OUTSTANDING_WC).953
14.110 Job Queue DMA Outstanding Read Count Register (JQ_DMA_OUTSTANDING_RC)..954
14.111 Burst Buffer DMA Outstanding Read Count Register (BB_DMA_OUTSTANDING_RC)955
14.112 Total Job Ring Job Count Register (TOT_JR_JC).......................................................... 956
14.113 Total Address Array Job Count Register (TOT_AA_JC)................................................. 957
14.114 Total Number of Holding Tanks with Jobs Register (TOT_HT_WJ)................................958
14.115 Total Job Ring Jobs Waiting Register (TOT_JR_JW)..................................................... 958
14.116 Job Ring Job IDs in Use Register, least-significant half (JRJIDU_LS)............................959
14.117 Job Ring Job-Done Job ID FIFO BC (JRJDJIFBC).........................................................962
14.118 Job Ring Job-Done Job ID FIFO (JRJDJIF)....................................................................963
14.119 Job Ring Job-Done Source 1 (JRJDS1)..........................................................................964
14.120 Job Ring Job-Done Descriptor Address 0 Register (JRJDDA)........................................965
14.121 CRCA Version ID Register (CRCA_VERSION).............................................................. 966
14.122 AFHA Version ID Register (AFHA_VERSION)................................................................968
14.123 KFHA Version ID Register (KFHA_VERSION)................................................................970
14.124 PKHA Version ID Register (PKHA_VERSION)............................................................... 971
14.125 AESA Version ID Register (AESA_VERSION)................................................................973
14.126 MDHA Version ID Register (MDHA_VERSION)..............................................................975
14.127 DESA Version ID Register (DESA_VERSION)............................................................... 977
14.128 SNW8A Version ID Register (SNW8A_VERSION)......................................................... 978
14.129 SNW9A Version ID Register (SNW9A_VERSION)......................................................... 980
14.130 ZUCE Version ID Register (ZUCE_VERSION)............................................................... 982
14.131 ZUCA Version ID Register (ZUCA_VERSION)............................................................... 983
14.132 CCHA Version ID Register (CCHA_VERSION).............................................................. 985
14.133 PTHA Version ID Register (PTHA_VERSION)................................................................987
14.134 RNG Version ID Register (RNG_VERSION)...................................................................988
14.135 TRNG Version ID Register (TRNG_VERSION).............................................................. 990
14.136 Alternate AES Hardware Accelerator Version ID Register (AAHA_VERSION)...............992
14.137 SR Version ID Register (SR_VERSION).........................................................................993
14.138 DMA Version ID Register (DMA_VERSION)...................................................................995
14.139 AI Version ID Register (AI_VERSION)............................................................................997
14.140 QI Version ID Register (QI_VERSION)........................................................................... 998
14.141 JR Version ID Register (JR_VERSION)........................................................................1000
14.142 DECO Version ID Register (DECO_VERSION)............................................................1002
14.143 Performance Counter, Number of Requests Dequeued (PC_REQ_DEQ)....................1003
14.144 Performance Counter, Number of Outbound Encrypt Requests (PC_OB_ENC_REQ) 1005
14.145 Performance Counter, Number of Inbound Decrypt Requests (PC_IB_DEC_REQ).....1007
14.146 Performance Counter, Number of Outbound Bytes Encrypted (PC_OB_ENCRYPT)...1009
14.147 Performance Counter, Number of Outbound Bytes Protected (PC_OB_PROTECT)... 1011
14.148 Performance Counter, Number of Inbound Bytes Decrypted (PC_IB_DECRYPT).......1013
14.149 Performance Counter, Number of Inbound Bytes Validated. (PC_IB_VALIDATED).....1015
14.150 Compile Time Parameters Register, most-significant half (CTPR_MS)........................1017
14.151 Compile Time Parameters Register, least-significant half (CTPR_LS)......................... 1021
14.152 Fault Address Register (FAR)....................................................................................... 1025
14.153 Fault Address ICID Register (FAICID)...........................................................................1026
14.154 Fault Address Detail Register (FADR)...........................................................................1028
14.155 SEC Status Register (SSTA).........................................................................................1031
14.156 RTIC Version ID Register (RVID)..................................................................................1034
14.157 CHA Cluster Block Version ID Register (CCBVID)........................................................1036
14.158 Input Ring Base Address Register for Job Ring a (IRBAR_JR0 - IRBAR_JR3)............1038
14.159 Input Ring Size Register for Job Ring a (IRSR_JR0 - IRSR_JR3)................................1040
NXP Semiconductors
Contents
QorIQ LX2160A Security (SEC) Reference Manual, Rev. 0, 07/2020
Reference Manual
11 / 1266
14.160 Input Ring Slots Available Register for Job Ring a (IRSAR_JR0 - IRSAR_JR3).......... 1041
14.161 Input Ring Jobs Added Register for Job Ringa (IRJAR_JR0 - IRJAR_JR3)................. 1042
14.162 Output Ring Base Address Register for Job Ring a (ORBAR_JR0 - ORBAR_JR3)..... 1043
14.163 Output Ring Size Register for Job Ring a (ORSR_JR0 - ORSR_JR3)......................... 1044
14.164 Output Ring Jobs Removed Register for Job Ring a (ORJRR_JR0 - ORJRR_JR3).... 1046
14.165 Output Ring Slots Full Register for Job Ring a (ORSFR_JR0 - ORSFR_JR3)............. 1047
14.166 Job Ring Output Status Register for Job Ring a (JRSTAR_JR0 - JRSTAR_JR3)........ 1048
14.167 Job Ring Interrupt Status Register for Job Ring a (JRINTR_JR0 - JRINTR_JR3)........1049
14.168 Job Ring Configuration Register for Job Ring a, most-significant half (JRCFGR_JR0_
MS - JRCFGR_JR3_MS)......................................................................................................1051
14.169 Job Ring Configuration Register for Job Ring a, least-significant half (JRCFGR_JR0_
LS - JRCFGR_JR3_LS)........................................................................................................1053
14.170 Input Ring Read Index Register for Job Ring a (IRRIR_JR0 - IRRIR_JR3)..................1054
14.171 Output Ring Write Index Register for Job Ring a (ORWIR_JR0 - ORWIR_JR3).......... 1055
14.172 Job Ring Command Register for Job Ring a (JRCR_JR0 - JRCR_JR3)...................... 1056
14.173 Job Ring a Address-Array Valid Register (JR0AAV - JR3AAV).................................... 1058
14.174 Job Ring a Address-Array Address b Register (JR0AAA0 - JR3AAA5)........................1060
14.175 Recoverable Error Interrupt Record 0 for Job Ring a (REIR0JR0 - REIR0JR3)........... 1061
14.176 Recoverable Error Interrupt Record 2 for Job Ring a (REIR2JR0 - REIR2JR3)........... 1062
14.177 Recoverable Error Interrupt Record 4 for Job Ring a (REIR4JR0 - REIR4JR3)........... 1063
14.178 Recoverable Error Interrupt Record 5 for Job Ring a (REIR5JR0 - REIR5JR3)........... 1065
14.179 RTIC Status Register (RSTA)........................................................................................1066
14.180 RTIC Command Register (RCMD)................................................................................1069
14.181 RTIC Control Register (RCTL)...................................................................................... 1070
14.182 RTIC Throttle Register (RTHR)..................................................................................... 1073
14.183 RTIC Watchdog Timer (RWDOG)................................................................................. 1074
14.184 RTIC Memory Block a Address b Register (RMAA0 - RMDA1).................................... 1075
14.185 RTIC Memory Block a Length b Register (RMAL0 - RMDL1)....................................... 1076
14.186 RTIC Memory Block a c Endian Hash Result Word d (RAMDB_0 - RDMDL_31).........1077
14.187 Recoverable Error Interrupt Record 0 for RTIC (REIR0RTIC)...................................... 1092
14.188 Recoverable Error Interrupt Record 2 for RTIC (REIR2RTIC)...................................... 1093
14.189 Recoverable Error Interrupt Record 4 for RTIC (REIR4RTIC)...................................... 1094
14.190 Recoverable Error Interrupt Record 5 for RTIC (REIR5RTIC)...................................... 1095
14.191 Queue Interface Configuration Register (QICFG)......................................................... 1096
14.192 Queue Interface Control Register (QICTL)....................................................................1097
14.193 Queue Interface Status Register (QISTA).....................................................................1098
14.194 Queue Interface Dequeue Configuration Register (QIDQC)......................................... 1099
14.195 Queue Interface Dequeue Event Filter Control Register 0 (QDQEFC0)....................... 1101
14.196 Queue Interface Dequeue Event Filter Control Register 1 (QDQEFC1)....................... 1102
14.197 Queue Interface Dequeue Event Filter Control Register 2 (QDQEFC2)....................... 1103
14.198 Queue Interface Enqueue Event Filter Control Register 0 (QEQEFC0)........................1104
14.199 Queue Interface Enqueue Event Filter Control Register 1 (QEQEFC1)........................1105
14.200 Queue Interface Enqueue Event Filter Control Register 2 (QEQEFC2)........................1106
14.201 Jobs in Use Register for QM Interface (JOBS_IN_USE_QI).........................................1107
14.202 Jobs in Use Register for QM Interface (Most Significant) (JOBS_IN_USE_QI_MS).....1108
14.203 Jobs Ready Register for QM Interface (JOBS_READY_QI)......................................... 1109
14.204 Jobs Ready Register for QM Interface (Most Significant) (JOBS_READY_QI_MS).....1109
14.205 Jobs Transfer Blocking Disabled Register for QM Interface (JOBS_XFR_BLK_DIS_QI)1110
14.206 Jobs Transfer Blocking Disabled Register for QM Interface (Most Significant) (JOBS_
XFR_BLK_DIS_QI_MS)........................................................................................................1111
14.207 Jobs Transferred Register for QM Interface (JOBS_XFRD_QI)....................................1112
14.208 Jobs Transferred Register for QM Interface (Most Significant) (JOBS_XFRD_QI_MS)1113
14.209 Jobs Executing Register for QM Interface (JOBS_EXEC_QI)...................................... 1114
14.210 Jobs Executing Register for QM Interface (Most Significant) (JOBS_EXEC_QI_MS).. 1115
14.211 Jobs Done Register for QM Interface (JOBS_DONE_QI).............................................1116
NXP Semiconductors
Contents
QorIQ LX2160A Security (SEC) Reference Manual, Rev. 0, 07/2020
Reference Manual
12 / 1266
14.212 Jobs Done Register for QM Interface (Most Significant) (JOBS_DONE_QI_MS).........1117
14.213 Subportal Frame Count Register for Queue Interface (SUBPORT_FC_QI_LS)...........1118
14.214 Subportal Frame Count, Most-Significant Register for Queue Interface (SUBPORT_
FC_QI_MS)...........................................................................................................................1119
14.215 Job Select Register for QI Interface (JOB_SELECT_QI).............................................. 1120
14.216 Queue Interface Job Data Register 0 (QIJOBD0)......................................................... 1121
14.217 Queue Interface Job Data Register 1 (QIJOBD1)......................................................... 1123
14.218 Queue Interface Job Data Register 2 (QIJOBD2)......................................................... 1124
14.219 Queue Interface Job Data Register 3 (QIJOBD3)......................................................... 1125
14.220 Queue Interface Job Data Register 4 (QIJOBD4)......................................................... 1126
14.221 Queue Interface Job Data Register 5 (QIJOBD5)......................................................... 1127
14.222 Queue Interface Job Data Register 6 (QIJOBD6)......................................................... 1129
14.223 Queue Interface Job Data Register 7 (QIJOBD7)......................................................... 1130
14.224 Queue Interface Job Data Register 8 (QIJOBD8)......................................................... 1131
14.225 Queue Interface Job Data Register 9 (QIJOBD9)......................................................... 1132
14.226 Queue Interface Job Data Register 10 (QIJOBD10)..................................................... 1133
14.227 Queue Interface Job Data Register 11 (QIJOBD11)..................................................... 1134
14.228 Queue Interface Job Data Register 12 (QIJOBD12)..................................................... 1135
14.229 Queue Interface Job Data Register 13 (QIJOBD13)..................................................... 1136
14.230 Queue Interface Job Data Register 14 (QIJOBD14)..................................................... 1137
14.231 Queue Interface Job Data Register 15 (QIJOBD15)..................................................... 1138
14.232 Queue Interface Job Data Register 16 (QIJOBD16)..................................................... 1139
14.233 Queue Interface Job Data Register 17 (QIJOBD17)..................................................... 1140
14.234 Queue Interface Job Data Register 18 (QIJOBD18)..................................................... 1140
14.235 Queue Interface Job Data Register 19 (QIJOBD19)..................................................... 1141
14.236 Queue Interface Job Data Register 20 (QIJOBD20)..................................................... 1142
14.237 Queue Interface Job Data Register 21 (QIJOBD21)..................................................... 1143
14.238 Queue Interface Job Data Register 22 (QIJOBD22)..................................................... 1145
14.239 Queue Interface Job Data Register 23 (QIJOBD23)..................................................... 1146
14.240 Queue Interface Job Data Register 24 (QIJOBD24)..................................................... 1147
14.241 Queue Interface Job Data Register 25 (QIJOBD25)..................................................... 1147
14.242 Queue Interface Job Data Register 26 (QIJOBD26)..................................................... 1148
14.243 Queue Interface Job Data Register 27 (QIJOBD27)..................................................... 1149
14.244 Queue Interface Job Data Register 28 (QIJOBD28)..................................................... 1150
14.245 Queue Interface Job Data Register 29 (QIJOBD29)..................................................... 1150
14.246 Queue Interface Job Data Register 30 (QIJOBD30)..................................................... 1151
14.247 Queue Interface Job Data Register 31 (QIJOBD31)..................................................... 1152
14.248 Queue Interface Job Data Register 32 (QIJOBD32)..................................................... 1153
14.249 Queue Interface Job Data Register 33 (QIJOBD33)..................................................... 1154
14.250 Recoverable Error Interrupt Record 0 for the Queue Interface (REIR0QI)....................1155
14.251 Recoverable Error Interrupt Record 1 for the Queue Interface (REIR1QI)....................1156
14.252 Recoverable Error Interrupt Record 2 for the Queue Interface (REIR2QI)....................1157
14.253 Recoverable Error Interrupt Record 4 for the Queue Interface (REIR4QI)....................1158
14.254 Recoverable Error Interrupt Record 5 for the Queue Interface (REIR5QI)....................1160
14.255 CCB d Class 1 Mode Register Format for Non-Public Key Algorithms (C0C1MR - C15C
1MR)..................................................................................................................................... 1161
14.256 CCB d Class 1 Mode Register Format for Public Key Algorithms (C0C1MR_PK - C15C
1MR_PK).............................................................................................................................. 1165
14.257 CCB d Class 1 Mode Register Format for RNG4 (C0C1MR_RNG - C15C1MR_RNG)1166
14.258 CCB d Class 1 Key Size Register (C0C1KSR - C15C1KSR)........................................1170
14.259 CCB d Class 1 Data Size Register (C0C1DSR - C15C1DSR)......................................1171
14.260 CCB d Class 1 ICV Size Register (C0C1ICVSR - C15C1ICVSR).................................1173
14.261 CCB d CHA Control Register (C0CCTRL - C15CCTRL)...............................................1173
14.262 CCB d Interrupt Control Register (C0ICTL - C15ICTL)................................................. 1177
14.263 CCB d Clear Written Register (C0CWR - C15CWR).....................................................1182
NXP Semiconductors
Contents
QorIQ LX2160A Security (SEC) Reference Manual, Rev. 0, 07/2020
Reference Manual
13 / 1266
14.264 CCB d Status and Error Register, most-significant half (C0CSTA_MS - C15CSTA_MS)1186
14.265 CCB d Status and Error Register, least-significant half (C0CSTA_LS - C15CSTA_LS)1188
14.266 CCB d Class 1 AAD Size Register (C0C1AADSZR - C15C1AADSZR)........................1192
14.267 CCB d Class 1 IV Size Register (C0C1IVSZR - C15C1IVSZR)....................................1192
14.268 PKHA A Size Register (C0PKASZR - C15PKASZR).................................................... 1193
14.269 PKHA B Size Register (C0PKBSZR - C15PKBSZR).................................................... 1194
14.270 PKHA N Size Register (C0PKNSZR - C15PKNSZR)....................................................1195
14.271 PKHA E Size Register (C0PKESZR - C15PKESZR).................................................... 1196
14.272 CCB d Class 1 Context Register Word a (C0C1CTXR0 - C15C1CTXR15)..................1197
14.273 CCB d Class 1 Key Registers Word a (C0C1KR0 - C15C1KR7)..................................1198
14.274 CCB d Class 2 Mode Register (C0C2MR - C15C2MR)................................................ 1200
14.275 CCB d Class 2 Key Size Register (C0C2KSR - C15C2KSR)........................................1202
14.276 CCB d Class 2 Data Size Register (C0C2DSR - C15C2DSR)......................................1203
14.277 CCB d Class 2 ICV Size Register (C0C2ICVSZR - C15C2ICVSZR)............................ 1205
14.278 CCB d Class 2 AAD Size Register (C0C2AADSZR - C15C2AADSZR)........................1205
14.279 CCB d Class 2 Context Register Word a (C0C2CTXR0 - C15C2CTXR17)..................1206
14.280 CCB d Class 2 Key Register Word a (C0C2KEYR0 - C15C2KEYR31)........................ 1207
14.281 CCB d FIFO Status Register (C0FIFOSTA - C15FIFOSTA).........................................1208
14.282 CCB d iNformation FIFO When STYPE != 10b (C0NFIFO - C15NFIFO)......................1209
14.283 CCB d iNformation FIFO When STYPE == 10b (C0NFIFO_2 - C15NFIFO_2).............1213
14.284 CCB d Input Data FIFO (C0IFIFO - C15IFIFO).............................................................1217
14.285 CCB d Output Data FIFO (C0OFIFO - C15OFIFO).......................................................1218
14.286 DECOd Job Queue Control Register, most-significant half (D0JQCR_MS - D15JQCR_
MS)....................................................................................................................................... 1219
14.287 DECOd Job Queue Control Register, least-significant half (D0JQCR_LS - D15JQCR_
LS)........................................................................................................................................ 1222
14.288 DECOd Descriptor Address Register (D0DAR - D15DAR)........................................... 1223
14.289 DECOd Operation Status Register, most-significant half (D0OPSTA_MS - D15OPSTA
_MS)..................................................................................................................................... 1224
14.290 DECOd Operation Status Register, least-significant half (D0OPSTA_LS - D15OPSTA
_LS)...................................................................................................................................... 1226
14.291 DECOd Checksum Register (D0CKSUMR - D15CKSUMR).........................................1227
14.292 DECOd Control and Output ICID Status Register (D0COICIDSR - D15COICIDSR)....1228
14.293 DECOd SDID and Input ICID Status Register (D0SIICIDSR - D15SIICIDSR)..............1229
14.294 DECOd Math Register m_MS (D0MTH0_MS - D15MTH7_MS)................................... 1231
14.295 DECOd Math Register m_LS (D0MTH0_LS - D15MTH7_LS)...................................... 1231
14.296 DECOd Gather Table Register a (D0GTR0 - D15GTR3)..............................................1232
14.297 DECOd Scatter Table Register a (D0STR0 - D15STR3).............................................. 1234
14.298 DECOd Descriptor Buffer Word a (D0DESB0 - D15DESB127).................................... 1235
14.299 DECOd Debug Job Register (D0DJR - D15DJR)..........................................................1236
14.300 DECOd Debug DECO Register (D0DDR - D15DDR)................................................... 1239
14.301 DECOd Debug Job Pointer (D0DJP - D15DJP)............................................................1241
14.302 DECOd Debug Shared Pointer (D0SDP - D15SDP).....................................................1242
14.303 DECOd Debug_ICID, most-significant half (D0DIR_MS - D15DIR_MS).......................1243
14.304 DECOd Debug ICID, least-significant half (D0DIR_LS - D15DIR_LS)..........................1245
14.305 Sequence Output Length Register (SOL0 - SOL15)..................................................... 1246
14.306 Variable Sequence Output Length Register (VSOL0 - VSOL15).................................. 1247
14.307 Sequence Input Length Register (SIL0 - SIL15)............................................................1248
14.308 Variable Sequence Input Length Register (VSIL0 - VSIL15).........................................1249
14.309 Protocol Override Register (D0POVRD - D15POVRD).................................................1250
14.310 Variable Sequence Output Length Register; Upper 32 bits (UVSOL0 - UVSOL15)......1251
14.311 Variable Sequence Input Length Register; Upper 32 bits (UVSIL0 - UVSIL15)............1252
14.312 DECOd Debug Execution Register (D0DER - D15DER).............................................. 1253
14.313 DECOd Debug PDB Register (D0DPR - D15DPR).......................................................1254
14.314 DECOd Debug Shared Resource Register (D0DSRR - D15DSRR).............................1255
NXP Semiconductors
Contents
QorIQ LX2160A Security (SEC) Reference Manual, Rev. 0, 07/2020
Reference Manual
14 / 1266
Appendix A Glossary.....................................................................................1258
Appendix B Acronyms and abbreviations...................................................1262
NXP Semiconductors
Contents
QorIQ LX2160A Security (SEC) Reference Manual, Rev. 0, 07/2020
Reference Manual
15 / 1266
Chapter 1
Overview of SEC (security engine) functionality
SEC is the chip's cryptographic acceleration and offloading hardware and combines cryptographic and other mathematical
functions to create a modular and scalable hardware acceleration and assurance engine. SEC implements the following functions:
• Block encryption algorithms
• Stream cipher algorithms
• Hashing algorithms
• Public key algorithms
• Run-time integrity checking
• Hardware random number generator
This version of SEC also enables significant system-level performance improvements by providing higher-level cryptographic
protocol operations.
SEC includes the following interfaces:
• A Register interface for the processor to write configuration and command information, and to read status information
• 2 DMA interfaces that allow SEC to read/write data from external memory
• A Queue Manager interface that allows SEC to accept jobs directly from the Queue Manager module
• Job Queue Controller with 4 Job Rings
• 16 Descriptor Controllers (DECO):
— Responsible for managing the sequencing, context, and execution of descriptors
— Responsible for initating data transfers via the DMA interface
— Responsible for managing keys and directing data to and from CHA(s)
— Responsible for performing packet header and trailer processing as defined by the descriptor
• Run-Time Integrity Checker (RTIC)
• Crypto Hardware Accelerators (CHAs)
— 2 Public Key Hardware Accelerators (PKHA)
— A Random Number Generator (RNG)
— 16 Advanced Encryption Standard Hardware Accelerators (AESA)
— 16 Message Digest Hardware Accelerators (MDHA)
— 16 SNOW 3G f9 Hardware Accelerators (SNOW f9)
— 16 SNOW 3G f8 Hardware Accelerators (SNOW f8)
— 16 ZUC Encryption Hardware Accelerators (ZUCE)
— 16 ZUC Authentication Hardware Accelerators (ZUCA)
— 16 Data Encryption Standard Hardware Accelerators (DESA)
— 16 Cyclic-Redundancy Check Hardware Accelerators (CRCA)
— 16 ChaCha20 hardware Accelerators (CCHA)
— 16 Poly1305 Hardware Accelerators (PTHA)
This figure shows the block diagram for SEC.
NXP Semiconductors
QorIQ LX2160A Security (SEC) Reference Manual, Rev. 0, 07/2020
Reference Manual
16 / 1266
XBAR
RNG
Memory Bus
DMA0
DMA1
Memory Bus
Queue Manager IF (QI)
Queue Manager
DECO
CCB
AESA
MDHA
CCHA
(ChaCha20)
PTHA
(Poly1305)
ZUCEZUCA
SNOWf8
SNOWf9
DESA
Job Queue Controller
RTIC
HT0
PKHA
HT15
. . .
JR0
JR3
. . .
DECO Sharing
Controller
ARS
. . .
ARS
0
5
PKHA
. . .
0
1
Slave Bus Interface
Register Interface
to / from
CCSR registers
STCSOFT.CAAM_SPEC_LX2160A.013
lx2160a
CRCA
Secure Key
Module
Master
Key
Security
State
to DECO
blob logic
. . .
DECO/CCB tile 0
16 DECO/CCB Tiles
DECO/CCB tile 15
DECO
CCB
AESA
MDHA
CCHA
(ChaCha20)
PTHA
(Poly1305)
ZUCEZUCA
SNOWf8
SNOWf9
DESA
CRCA
Figure 1. SEC block diagram
NXP Semiconductors
Overview of SEC (security engine) functionality
QorIQ LX2160A Security (SEC) Reference Manual, Rev. 0, 07/2020
Reference Manual
17 / 1266
Chapter 2
Feature summary
SEC includes the following features:
• SoC HW interfaces
— A 32-bit slave bus register interface
— 2 256-bit data / 49-bit address master bus DMA interfaces
â—¦ Automatic byte, half-word, word and double-word ordering of data read/written
â—¦ Scatter/gather support for data
• Offloading of cryptographic functions via a programmable job descriptor language
— Job Descriptors can contain multiple function commands.
— Job Descriptors can be chained to additional Job Descriptors.
— Job Descriptors can be submitted via 4 separate hardware-implemented Job Rings.
— Job Descriptors can be submitted via Data Path Acceleration Architecture (DPAA) Queue Manager portals.
• Special-purpose cryptographic keys
— Black keys
â—¦ Keys stored in memory in encrypted form and decrypted on-the-fly when used
â—¦ AES-ECB or AES-CCM encryption using a 256-bit key
— Export and import of cryptographic blobs
â—¦ Data encapsulated in a cryptographic data structure for storage in non-volatile memory
â—¦ AES-CCM encryption using a 256-bit key
â—¦ Each blob encrypted using its own randomly generated blob key.
â—¦ Blob key encrypted using a non-volatile blob key encryption key
â—¦ Blob key encryption key derived from non-volatile master key input
â—¦ Separate blob key encryption keys for trusted mode, secure mode, and non-secure mode
• Public key cryptography
— Modular Arithmetic
â—¦ Addition, subtraction, multiplication, exponentiation, reduction, inversion, greatest common denominator
â—¦ Both integer and binary polynomial functions
â—¦ Modulus size up to 4096 bits
â—¦ Arithmetic operations performed with 128-bit-digit arithmetic unit
â—¦ Timing-equalized and normal versions of modular exponentiation
â—¦ Primality testing up to 4096 bits
— DSA
â—¦ DSA sign and verify
â—¦ Verify with private key
â—¦ DSA key generation
NXP Semiconductors
QorIQ LX2160A Security (SEC) Reference Manual, Rev. 0, 07/2020
Reference Manual
18 / 1266
â—¦ Non-timing-equalized versions of private-key operations
â—¦ Timing-equalized versions of sign and key generation
â—¦ Non-timing-equalized versions of sign and key generation
— Diffie-Hellman
â—¦ Diffie-Hellman (DH) key agreement
â—¦ Key generation
â—¦ Timing-equalized versions of key agreement and key generation
â—¦ Non-timing-equalized versions of key agreement and key generation
— RSA
â—¦ Modulus size up to 4096 bits
â—¦ Public and Private Key operations
â—¦ Private keys in (n,d), (p,q,d), or 5-part (p,q,dp,dq,c) forms
â—¦ Private Key operations (decrypt, sign) timing equalized to thwart side channel attack
â—¦ Non-timing-equalized versions of private-key operations
— Elliptic curve cryptography
â—¦ Point add, point double, point multiply on both prime field and binary polynomial field curves
â—¦ Point validation (is point on curve) both prime field and binary polynomial field curves
â—¦ Point multiply on Montgomery curves (e.g. Curve25519)
â—¦ Point add, multiply and validation on twisted-form Edwards curves (e.g. Edwards25519)
â—¦ Timing-equalized and normal versions of point multiplication
â—¦ Public Key validation
â—¦ Elliptic curve digital signature algorithm (ECDSA) sign and verify
â—¦ ECDSA verify with private key
â—¦ Elliptic curve Diffie-Hellman key agreement
â—¦ ECDSA and ECDH key generation
â—¦ Modulus size up to 1024 bits
â—¦ Timing-equalized versions of ECDSA sign and key generation
â—¦ Non-timing-equalized versions of ECDSA sign and key generation
• Authentication
— CRC
— Hashing algorithms
â—¦ MD5
â—¦ SHA-1
â—¦ SHA-224
â—¦ SHA-256
â—¦ SHA-384
â—¦ SHA-512
â—¦ SHA-512/224
NXP Semiconductors
Feature summary
QorIQ LX2160A Security (SEC) Reference Manual, Rev. 0, 07/2020
Reference Manual
19 / 1266
â—¦ SHA-512/256
— Message authentication codes (MAC)
â—¦ HMAC-all hashing algorithms
â—¦ SSL 3.0 MAC (SMAC-MD5, SHA-1 only)
â—¦ AES-CMAC
â—¦ AES-XCBC-MAC
â—¦ SNOW 3G f9
â—¦ ZUC authentication
â—¦ Poly1305 authentication
— ICV/CRC checking
• Authenticated encryption algorithms (also known as AEAD algorithms)
— AES-CCM (Counter with CBC-MAC)
— AES-GCM (Galois counter mode)
— AEAD_CHACHA20_POLY1305 (per RFC 7539)
• Symmetric key block ciphers
— AES (128-bit, 192-bit or 256-bit keys)
— DES (64-bit keys, including key parity)
— 3DES (128-bit or 192-bit keys, including key parity)
— Cipher modes
â—¦ ECB, CBC, OFB for both AES and DES block ciphers
â—¦ CBC-CS2, CFB128, CTR, and XTS for AES
â—¦ CFB8 for DES
• Symmetric key stream ciphers
— ChaCha20 confidentiality algorithm
— SNOW 3G f8
— ZUC encryption
• Random-number generation
— Entropy is generated via an independent free running ring oscillator
— For lower-power consumption, oscillator is off when not generating entropy
— Designed to be NIST-compliant, pseudo random-number generator seeded using hardware-generated entropy
• Run-time integrity checking
— SHA-256 message authentication
— SHA-512 message authentication
— Segmented data-gathering to support non-contiguous data blocks in memory
— Support for up to four independent memory blocks
• Advanced protocol support
— Support for protocol-specific padding
— IPsec
NXP Semiconductors
Feature summary
QorIQ LX2160A Security (SEC) Reference Manual, Rev. 0, 07/2020
Reference Manual
20 / 1266
/