0% found this document useful (0 votes)

33 views292 pages

HSM TS V2.0 Rev2.0

The document provides a detailed specification of the 2nd Generation AURIX™ TC3xx Hardware Security Module (HSM) Version 2.0, including its architecture and functionalities. Key updates from the previous version include an increase in local RAM, the addition of various modules such as PKC and Hash, and updates to the firmware architecture. The document also outlines the target specifications, revision history, and various components of the HSM.

Uploaded by

Phong Lê

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

33 views292 pages

HSM TS V2.0 Rev2.0

Uploaded by

Phong Lê

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 292

Confidential

2nd Generation AURIX™ TC3xx

Hardware Security Module
HSM Version 2.0

HSM Subsystem Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

Hardware Security Module

Target Specification
Revision 2.0
2016-03-04

Chip Card & Security

AURIX™ TC3xx Hardware Security Module

Confidential

2nd Generation AURIX™ TC3xx

Hardware Security Module
Confidential
Revision History: 2016-03-04, Revision 2.0
Page Subjects
PKC: Commands EXP, SMULT25519, XRECOVER, SMULTED25519, CHECKVALID added.

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

Previous Revision: 2015-09-28, Rev. 1.4
Page Subjects (major changes compared to AURIX™ V1.0)
Local RAM increased to 96 KB
Timer module exchanged.
Watchdog timer module added.
Address map updated
AES: Correction of GCM example.
Hash module added.
PKC module added.
Bridge Module: ERRCTRL: Error Bits added.
Bridge Module: ERRIE: Additional Interrupt Enable Bits added
Bridge Module: DTSTSEL: Register and DTS trigger removed.
Firmware Architecture: Procedure for User OS Code Check revised
HAR will be ignored if debug mode is not enabled (no exception will be triggered).

Target Specification 2 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Preface Confidential

Preface
This preface introduces the HSM Target Specification.

Scope of document
This Target Specification is intended to describe the architecture and functionality of the Hardware Security
Module (HSM).

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

Using this book
This book is organized into the following chapters:
• Chapter 1 Introduction
• Chapter 2 Core System
• Chapter 3 True Random Number Generator
• Chapter 4 AES 128 Encryption / Decryption Device
• Chapter 5 Hash Module
• Chapter 6 PKC Module
• Chapter 7 Timer Module
• Chapter 8 Watchdog Timer
• Chapter 9 Bridge Module
• Chapter 10 Memories
• Chapter 11 Firmware Architecture
• Chapter 12 System Debug
• References
• Terminology

Target Specification 11 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Introduction Confidential

1 Introduction
The Hardware Security Module (HSM) is an optional peripheral module of the AURIX™ Controller family. Its
main applications are:
• Secure boot
• Tuning protection (e.g. integrity of calibration data)
• Secure sensor communication (authentication and integrity of sensor data)

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

• Authentication
• Secure flash load
• Immobilizer (theft protection)
• Secure log and
• Secure debug authentication
The HSM contains all necessary elements to allow software to implement the Secure Hardware Extension
(SHE) as defined by HIS, see [1].
Figure 1-1 below shows a general overview of the HSM subsystem and its integration into the host system.

Flash HSM TRNG

HSM Data O
C 32-bit CPU
HSM Config TriCores Debug D Bridge APB
D
Window E
S
HSM Code B
U 2 Timers
Bridge Timer
Module G Watchdog
interrupts
NVIC MPU
SRI
AES
Int.
AHB lite

Reset Clock Clock ECC

RAM Bridge Hash
Unit Unit Divider
Unified Cache
AXI Module
Single
SPB Access ECC
Window Local Boot PKC
ECC RAM ROM
SFRs
Peripherals Sensors Pins
RAM ROM
ECC

external interrupts
Figure 1-1 Architecture Overview

Target Specification 12 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Introduction Confidential

The HSM module comprises the following functional submodules:

• CPU based on ARM™ Cortex™ M3 including
– Debug support
– 24-bit SysTick Timer
– Nested Vector Interrupt Controller
– Memory Protection Unit (MPU)
• 4 KB unified data and instruction cache

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

• Local Boot ROM
• 96 KB RAM
• AES module with local key and context storage
• Hash module executing either the MD-5, SHA-1 or SHA-224/SHA-256 function
• Public Key Crypto supporting fast signature generation and verification based on Elliptic Curve
Cryptography
• True Random Number Generator (TRNG)
• Timer module with two 16-bit timers
• Watchdog timer with checkpoint functionality
• HSM bridge including
– Clock divider unit
– Debug access
– Special Function Registers (SFRs) for communication with the host system

Features
• CPU based on ARM Cortex-M3.
– 32-bit CPU with Thumb-2 instruction set.
– Privilege/user mode support.
– Illegal opcode detection.
– Internal 24-bit timer.
• HSM debug features:
– Compatible to ARM.
– 6 hardware breakpoints, no flash patch support.
– 4 triggers for watchpoints.
– Full visibility of all software visible HSM registers and memories (excluding e.g. AES keys).
– HSM controls debug access to the system and separately to the HSM itself.
• 4 KB unified cache (4-way set associative).
• Internal memory protection unit (MPU).
– ARM compatible.
– 8 address regions with sub-regions.
– Used for code execution and data accesses.
– Granularity 32 Bytes to 4 GB.
– Regions aligned to size.

Target Specification 13 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Introduction Confidential

– Access permissions: no access, read-only, executable, read/write.

• 96 KB local RAM.
• Local boot ROM.
• True random number generator (TRNG).
• Timer unit with two 16-bit timers.
• Watchdog timer with checkpoint functionality triggering an NMI upon expiry or checkpoint mismatch.
• High-performance AES-128 unit with private key storage:

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

– Local storage for 8 128-bit keys, 2 of them are non-alterable and “use-only”.
– Local storage of 5 contexts (including 1 for pseudo-random number generation).
– Modes of operation: ECB, CBC, CTR, OFB, GCM, XTS.
• Hash module for signature generation, verification and generic data integrity checks. It supports the
following hashing algorithms:
– MD-5.
– SHA-1.
– SHA-256.
– SHA-224 (derived using SHA-256 with some software support).
• Public Key Crypto Engine (PKC) that supports fast signature generation and verification based on Elliptic
Curve Digital Signature Algorithms (ECDSA). It enables complex algorithms on elliptic curves of bitlength
up to 256, like:
– Operations with up to 256-bit operands.
– Supports elliptic curves over fields F(p) and F(2m).
– Primitive arithmetic operations over F(p) and F(2m): modular addition, modular subtraction, modular
multiplication, modular reduction, modular division, modular inversion, multiplication.
– Primitive ECC and Check Point operations over F(p) and F(2m): point doubling, point addition, point
multiplication (with projective coordinates), Check_AB, and Check_n.
– Addition of two points in affine coordinates.
– Doubling of a point in affine coordinates.
– Scalar multiplication.
– ECDSA signature generation
– ECDSA signature verification.
• Bridge module:
– “Firewall” functionality: HSM internals are protected from accesses by other masters.
– Bus master on the SPB. Accesses possible to complete system memory map.
– Communication SFRs for exchanging data.
– SFRs for triggering an interrupt in the HSM CPU.
– 32 HSM external interrupt inputs.
– 2 interrupt signals from HSM to the system interrupt controller.
– Inputs for up to 10 sensors.
– Control of 2 pins.
– Option for triggering application and system reset of the chip.

Target Specification 14 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Introduction Confidential

• HSM code and constant data are stored in system PFlash. In the UCB it can be configured which sectors are
searched for a valid boot code.
• HSM EEPROM data is stored in a dedicated DFlash bank (not in all products).
• HSM “use-only” keys and the unique chip identifier are supplied in UCBs.
• HSM supports low-power mode (internal clock reduced to SPB clock / 2 and SPB clock / 4), and sleep mode.
Each submodule is described in more detail in the following chapters.
In combination with security features implemented in the host system – mainly in the flash memories, PMU

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

(Program Memory Unit) and debug logic – and adequate software the HSM offers protection against logical
attacks. For this purpose it relies on the following features implemented in the host system:
• Adequate protection and locking of flash memory areas that are reserved for the HSM (both code and
data).
• One-Time-Programmable (OTP) pages in the config area of the flash.
• A memory region in the config area that is reserved for the HSM.
• Locking of this region in the config area against modification (OTP).
• HSM region in the config area can be switched off after the boot process – i.e. the read-only AES keys and
other configuration data is no longer accessible in the flash.
• The test must not allow observation of data/information used during normal HSM operation.
• The test must not allow infiltration of data/information into normal HSM operation.
• Debugging of the HSM must not be possible if not enabled by HSM. This includes debugging of the HSM
reserved memory regions and tracing of HSM bus transfers on the host system.
• Configuration of MBISTs in HSM module after reset, start of HSM after MBIST configuration.
• Adequate test mode protection.
The HSM contains no hardware countermeasures against physical attacks, neither non-invasive, semi-
invasive nor invasive attacks. Countermeasures against side-channel attacks and failure attacks have to be
implemented by software.

Target Specification 15 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Core System Confidential

2 Core System
This section covers the core system. The core system contains:
• A 32-bit CPU based on ARM™ Cortex™ M3 including
– Nested Vector Interrupt Controller (NVIC)
– SysTick Timer
• Memory Protection Unit (MPU)

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

• Unified cache
The debug modules are defined in Chapter 12.

2.1 Address Map

The following table defines the memory map of the HSM (for a detailed description of the host memory map
see the AURIX™ TC3xx Target Specification):

Table 2-1 Memory Map

Seg. Address Range Size Attributes System Description
0 0000 0000H - 0000 0FFFH 4 KB B,C,MPU HSM Boot ROM
0000 1000H - 0FFF FFFFH B,C,MPU Host Reserved
1 1000 0000H - 1FFF FFFFH B,C,MPU Host SRAMs CPU5
2 2000 0000H - 2001 7FFFH 96 KB B,C,MPU HSM Local RAM
2001 8000H - 200F FFFFH B,C,MPU Host Reserved
2010 0000H - 21FF FFFFH B,C,MPU Host Reserved
2200 0000H - 23FF FFFFH 32 MB B,C,MPU HSM Bit banding alias region. Addresses are
mapped to 2000 0000H - 200F FFFFH
2400 0000H - 2FFF FFFFH B,C,MPU Host Reserved
3 3000 0000H - 3FFF FFFFH B,C,MPU Host SRAMs CPU4
4 4000 0000H - 41FF FFFFH B,C,MPU Host SRAMs CPU3
4200 0000H - 43FF FFFFH 32 MB B,C,MPU Host Bit banding alias region. Addresses are
mapped to 4000 0000H - 400F FFFFH
4400 0000H - 4FFF FFFFH B,C,MPU Host Reserved
5 5000 0000H - 5FFF FFFFH B,C,MPU Host SRAMs CPU2
6 6000 0000H - 6FFF FFFFH B,C,MPU Host SRAMs CPU1
7 7000 0000H - 7FFF FFFFH B,C,MPU Host SRAMs CPU0
8 8000 0000H - 802F FFFFH 3 MB B,C,MPU Host Program Flash 0
8030 0000H - 805F FFFFH 3 MB B,C,MPU Host Program Flash 1
8060 0000H - 808F FFFFH 3 MB B,C,MPU Host Program Flash 2
8090 0000H - 80BF FFFFH 3 MB B,C,MPU Host Program Flash 3
80C0 0000H - 80EF FFFFH 3 MB B,C,MPU Host Program Flash 4
80F0 0000H - 80FF FFFFH 1 MB B,C,MPU Host Program Flash 5
8100 0000H - 8FFF FFFFH B,C,MPU Host Reserved for burst access memories

Target Specification 16 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Core System Confidential

Table 2-1 Memory Map (cont’d)

Seg. Address Range Size Attributes System Description
9 9000 0000H - 9FFF FFFFH B,C,MPU Host Reserved for burst access memories
A A000 0000H - A02F FFFFH 3 MB XN,C,MPU Host Program Flash 0
A030 0000H - A05F FFFFH 3 MB XN,C,MPU Host Program Flash 1
A060 0000H - A08F FFFFH 3 MB XN,C,MPU Host Program Flash 2

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

A090 0000H - A0BF FFFFH 3 MB XN,C,MPU Host Program Flash 3
A0C0 0000H - A0EF FFFFH 3 MB XN,C,MPU Host Program Flash 4
A0F0 0000H - A0FF FFFFH 1 MB XN,C,MPU Host Program Flash 5
A100 0000H - AF3F FFFFH XN,C,MPU Host Reserved for non-burst access memories
AF40 0000H - AF40 0DFFH XN,C,MPU Host UCB00 - UCB06
AF40 0E00H - AF40 0FFFH 512 B XN,C,MPU Host UCB07 - HSM Config Area
AF40 1000H - AF40 5FFFH XN,C,MPU Host UCB08 - UCB47
AF40 6000H - AFBF FFFFH XN,C,MPU Host Reserved for non-burst access memories
AFC0 0000H - AFC1 FFFFH 128 KB XN,C,MPU Host HSM Data Flash 1
AFC2 0000H - AFFF FFFFH XN,C,MPU Host Reserved for non-burst access memories
B B000 0000H - BFFF FFFFH XN,C,MPU Host Reserved for non-burst access memories
C C000 0000H - CFFF FFFFH XN,B,C,MPU Host Reserved for non-burst access memories
D D000 0000H - DFFF FFFFH XN,B,C,MPU Host Reserved for non-burst access memories

Target Specification 17 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Core System Confidential

Table 2-1 Memory Map (cont’d)

Seg. Address Range Size Attributes System Description
E E000 0000H - E000 0FFFH XN,PRIV HSM Reserved for Instrumentation Trace
Module (ITM)
E000 1000H - E000 1FFFH 4 KB XN,PRIV HSM Data Watchpoint and Trace (DWT)
E000 2000H - E000 2FFFH 4 KB XN,PRIV HSM Flash Breakpoint and Patch (FPB)
E000 3000H - E000 DFFFH XN,PRIV HSM Reserved for private peripherals

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

E000 E000H - E000 EFFFH 4 KB XN,PRIV HSM System Control Space
E000 F000H - E008 9FFFH XN,PRIV HSM Reserved for private peripherals
E008 A000H - E008 BFFFH 8 KB XN,PRIV HSM Cache Control
E008 C000H - E00F EFFFH XN,PRIV HSM Reserved for private peripherals
E00F F000H - E00F FFFFH 4 KB XN,PRIV HSM ROM table
E010 0000H - E012 BFFFH XN,MPU HSM Reserved for AHB peripherals
E012 C000H - E012 C7FFH XN,MPU HSM Reserved
E012 C800H - E7FF FFFFH XN,MPU HSM Reserved for AHB peripherals
E800 0000H - E800 03FFH 1 KB XN,MPU HSM AES module
E800 0400H - E800 07FFH 1 KB XN,MPU HSM Hash module
E800 0800H - E800 3BFFH XN,MPU HSM Reserved for AHB peripherals
E800 3C00H - E800 3FFFH 1 KB XN,MPU HSM PKC module - SFR region
E800 4000H - E800 7FFFH 16 KB XN,MPU HSM PKC module - Memory region
E800 8000H - EBFF FFFFH XN,MPU HSM Reserved for AHB peripherals
EC00 0000H - EC00 00FFH 256 B XN,MPU HSM Timer 0, Timer 1
EC00 0100H - EC00 01FFH 256 B XN,MPU HSM Watchdog Timer
EC00 0200H - EC00 02FFH 256 B XN,MPU HSM TRNG
EC00 0300H - EFFF FFFFH XN,MPU HSM Reserved for APB peripherals
F F000 0000H - F003 FFFFH XN,MPU Host Reserved for host peripherals
F004 0000H - F005 FFFFH 128 KB XN,MPU Host HSM bridge
F006 0000H - F803 FFFFH XN,MPU Host Reserved for host peripherals
F804 0000H - F804 FFFFH 64 KB XN,MPU Host Host Command Interface (DMU)
F805 0000H - F805 FFFFH 64 KB XN,MPU Host Host Protection Configuration (DMU)
F806 0000H - F806 FFFFH 64 KB XN,MPU Host HSM Command Interface (DMU)
F807 0000H - F807 FFFFH 64 KB XN,MPU Host HSM Protection Configuration (DMU)
F808 0000H - FFBF FFFFH XN,MPU Host Reserved for host peripherals
FFC0 0000H - FFC1 FFFFH 128 KB XN,MPU Host Data Flash 1 (HSM Command Sequence
Interpreter)
FFC2 0000H - FFFF FFFFH XN,MPU Host Reserved for host peripherals

Target Specification 18 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Core System Confidential

B Burst mode access

C Cached
XN eXecute Never
MPU Under control of MPU
PRIV Accessible in privilege mode only

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

In general memories are accessed via the unified cache and peripheral registers are directly accessed (not
through the unified cache). For exchange of data via (cached) shared host RAM the cache clean registers shall
be used, see “Cache SFRs” on Page 26.
The ranges 0000 0000H – DFFF FFFFH and E010 0000H – FFFF FFFFH are controlled by the Core MPU, see
Chapter 2.4.
The range E000 0000H – E00F FFFFH is accessible in privilege mode (see ARM Cortex M3 Technical Reference
Manual [2]) only.
The range 0000 0000H – 9FFF FFFFH uses burst access. The granularity of an access is 16 bytes.
The range A000 0000H – FFFF FFFFH uses word access. Unaligned accesses are split in several word aligned
accesses. Code cannot be executed from this address range, see [2].
According to the ARMv7M architecture unaligned accesses (e.g. word access on a address that is not dividable
by four) are split in several aligned accesses. It is also possible that some peripherals do only support register
access by word-aligned addresses. Therefore it is strongly recommended to access Special Function Registers
(SFRs) word-aligned to avoid unintended side effects.
Also SFRs shall be accessed 32-bit wise or by their register size. Using e.g. 8-bit or 16-bit accesses for a 32-bit
reigster lead to undefined behavior.
The ARM processor memory map includes two bit-band regions. These bit-band regions map each word in a
32 MB alias region of memory to a bit in a 1 MB bit-band region of memory (for details see the ARM Technical
Reference Manual). Accesses to the 32 MB alias region (2200 0000H - 23FF FFFFH) map to the 1 MB bit-band
region (2000 0000H - 2010 0000H) and accesses to the 32 MB alias region (4200 0000H - 43FF FFFFH) map to the
1 MB bit-band region (4000 0000H - 4010 0000H). This address mapping is performed regardless of whether
there is a physical memory present or not. Note, that a bus exception may be triggered by the host system in
case there is no target memory present at the re-mapped address.
Accesses to reserved address regions in the range of 0000 0000H – DFFF FFFFH or F000 0000H – FFFF FFFFH – i.e.
addresses that are not part of any memory or host peripheral – cause a bus exception by the host system and
will be signaled via ERRCTRL / ERRADDR.
Accesses to reserved address regions in the range of E000 0000H – E00F FFFFH – i.e. addresses in the Private
Peripheral Bus region the ARM default behavior applies.
Accesses to reserved address regions in the range of E010 0000H – EFFF FFFFH – i.e. addresses that are not part
of any HSM peripheral – cause a Bus Fault.
If not otherwise noted, unused addresses within a peripheral region return zero and write data is lost without
triggering an exception.
A faulty Core MPU setup resulting in a Cache write-back to ROM is silently ignored, and in this case the data is
lost.

Target Specification 19 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Core System Confidential

2.2 CPU
The HSM includes an Central Processing Unit based on ARM Cortex M3 Revision r2p0. Please refer to ARM
Cortex M3 Technical Reference Manual [2] and ARM Cortex M3 Errata Notice [3] for information on the
processor architecture and programming model.
The following subsections describe HSM-specific implementation options.

2.2.1 Multiprocessor Communication

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

The instruction SEV (Send EVent) cannot be used to synchronize execution with the host system. The
communication registers of the bridge module (see Chapter 9.2.2 and Chapter 9.3.1) have to be used for
synchronization.

2.2.2 The SysTick Timer

The SysTick Timer uses the HSM system clock as core clock, see Chapter 9.2.3. As reference clock SPB clock
frequency / 16 is provided. The SysTick Calibration Value register holds the value 62500D which corresponds
to a SPB clock frequency of 100 MHz and a reference clock frequency of 6.25 MHz.
For a periodic 10 ms interrupt the value 0000 F423H (62500 - 1) has to be written into the SysTick Reload Value
register.
For a periodic 1 s interrupt the value 005F 5E0FH (62500 x 100 - 1) has to be written into the SysTick Reload
Value register.

2.2.3 Power Management

A dedicated Sleepdeep mode is not implemented. Setting of bit SLEEPDEEP in the System Control Register has
no effect besides that the SysTick Timer is not running in Sleepdeep mode.
The optional Wake-up Interrupt Controller (WIC) as described in section 7.2.4 in [2] is not implemented.

2.2.4 Byte Order

The byte order of the HSM is little endian.

2.2.5 Application Interrupt and Reset Control Register

Setting the bits SYSRESETREQ or VECTRESET in the Application Interrupt and Reset Control Register (see [2]
for details) lead to undefined behavior. Therefore these bits shall not be set.

2.2.6 Code Prefetch

The ARM Cortex M3 utilizes a Prefetch Unit (PFU) with the purpose:
• Fetch instructions in advance and forward PC relative branch instructions. Fetches are speculative in the
case of conditional branches
• Detect Thumb 32-bit instructions and present these as a single instruction word.
• Perform vector loads.
The PFU fetches instructions from the memory system that can supply one word each cycle. The PFU buffers
up to three word fetches in its FIFO, which means that it can buffer up to three Thumb 32-bit instructions or
six Thumb instructions.

Target Specification 20 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Core System Confidential

The majority of branches that are generated as the ALU addition of PC plus immediate are generated no later
than the decode phase of the branch opcode. In the case of conditionally executed branches, the address is
speculatively presented (consuming a fetch slot on the bus), and the forwarded result determines if the
branch path flushes the fetch queue or is preserved.
The prefetch mechanism has to be considered at the end of a code section. In order to avoid traps or ECC
errors it is advisable to pad the end of code by up to 32 bytes (size of two cache blocks).

2.2.7 Exclusive Access Instructions

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

The exclusive access instructions STREX, LDEX and CLREX are supported and can be used for task
synchronization within the HSM. Synchronization with the host system is not possible with these instructions.
The exclusive access instructions shall be used for the HSM local RAM only. The behavior for host memories is
not deterministic as these memories can be modified by the host system.

2.2.8 Instruction Timing

The HSM uses a cache to relieve the load on host memories, particularly code memory and, in this way,
accelerates access to commonly used data.
Through this cache almost every code fetch and load/store behave as if they would access single cycle
memories. Contention on the fetch and data cache interface occurs when both use the same word offset. In
this case the code fetch is stalled for one clock cycle.
A cache miss adds up to four cycles delay for local RAM and ROM. With a targeted hit rate of above 90% this can
be neglected.
The cache itself is described in its own chapter.

2.3 Interrupt Unit

The HSM uses the Nested Vectored Interrupt Controller (NVIC) from ARM as an interrupt unit. Please refer to
chapter 8 of [2] for details.

2.3.1 Interrupt mapping

The NVIC allows design-specific number of interrupt nodes and priority levels. The HSM implements 10
interrupt nodes and 8 priority levels. The watchdog timer interrupt is connected to the NMI.
The following table provides a summary of all interrupts and the mapping to interrupt number. For details
please refer to the corresponding description of the module.

Table 2-2 Interrupt Mapping

Exception Exception Type Priority Description
Number
2 NMI -2 Watchdog Timer interrupt
16 Timer 0 Interrupt Programmable Timer 0 overflow interrupt
17 Timer 1 Interrupt Programmable Timer 1 overflow interrupt
18 TRNG Interrupt Programmable True Random Number Generator
19 Bridge Service Interrupt Programmable HSM Bridge Service interrupt
20 Bridge Error Interrupt Programmable HSM Bridge Error interrupt

Target Specification 21 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Core System Confidential

Table 2-2 Interrupt Mapping (cont’d)

Exception Exception Type Priority Description
Number
21 Sensor Interrupt Programmable Sensor interrupt
22 External Interrupt Programmable External Peripheral interrupt
23 -
24 PKC Interrupt Programmable PKC Ready interrupt

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

25 PKC Interrupt Programmable PKC Error interrupt

Due to the high performance of the AES module it has no interrupt.

2.3.2 Expansion of VTOR

Bit 30 and 31 of the Vector Table Offset Register (VTOR) are added to allow to set the vector table base to flash
addresses. The reset value of VTOR is 0000 0000H.

2.4 Memory Protection Unit

With the Core MPU the HSM implements an (almost fully) ARMv7-M compatible Protected Memory System
Architecture (PMSAv7). Please refer to chapter 9 of [2] and especially [4] for details.
Some comments may be necessary for using the core MPU:
• The address range A000 0000H - FFFF FFFFH is Execute Never (XN) in the ARMv7-M architecture. The MPU
cannot change this.
• An MPU region set to the bit band alias region is ignored. Use the corresponding address range in Local
RAM instead.
• The C (Cacheable) and S (Shareable) bits and the TEX fields of the MPU regions are ignored, i.e. they have
no functionality.
• Overlapping protection regions are supported with ascending region priority, i.e. region number 7 has
highest priority, see [2].

Target Specification 22 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Core System Confidential

2.5 Cache
The following chapter describes the Cache module. It contains the following sections:
• Overview.
• Functional Description.
• Cache SFRs.

2.5.1 Overview

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

The major features of the cache can be summarized as follows:
• Unified cache for memory.
• Multi-way set associativity.
• Least Recently Used (LRU) replacement policy for each set.
• Support for lock and unlock, to keep a block from being automatically replaced.
• Cache block-, set-, and all-clean (including invalidation of tags).
• Caching policy is read/write allocate and write-back - no write-through.
• One-cycle access for read and execute hits.
• One-cycle access for write hits, employing two write buffers.
• No cache line wrap penalty.
Cache memory – or simply, a cache – is a high-speed buffer located between the CPU and the (external) main
memories holding a copy of some of the memory contents to enable access to the copy, which is considerably
faster than retrieving the information from the main memory. In addition to its fast access speed, the cache
also consumes less power than the main memories. All cache systems owe their usefulness to the principle of
locality, meaning that programs are inclined to utilize a particular section of the address space for their
processing over a period of time. By including most or all of such a specific area in the cache, system
performance can be dramatically enhanced.
The cache in this product has the following hardware configuration.

Table 2-3 Cache Configuration

Size Sets (n) Ways (m) Block Size (k)
4 KB 64 4 16
Address Decomposition
tag = ADDR[31:10] set = ADDR[9:4] block = ADDR[3:0]

Target Specification 23 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Core System Confidential

Addr Data
0 0123 H
...
4 0ABCH
...
address Index Tag Data block address 14 4567 H

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

0 0004 H 0ABCH ...
CPU or 1 0020 H 0DEFH 20 0DEFH
Requestor 2 0000 H 0123 H
data ... data
x 0014 H 4567 H .
.
Cache .

y
Memory

Figure 2-1 Cache Overview

The effectiveness of a cache is measured in terms of its so-called hit ratio – the probability of detecting a
requested address in the cache so that the appropriate address can be directly provided. The absence of a
corresponding address entry in the cache is referred to as a miss, with the consequence that the relevant
information has to be procured from the main memory. The cache contents are refreshed by a LRU or Round
Robin replacement policy, which selects entries that have been unused the longest (in a set) for replacement
by the most recent memory retrievals. However, the cache also provides an option for locking cache entries
against such overwriting.
As caches only cover a subset of all addresses held in the address space, they must necessarily represent a
compromise in their realization. They should be adequately dimensioned and mapped to main memory to
enable satisfactory hit results at acceptable cost. The cache is based on a set-associative design employing a
so-called tag section and a data section. Part of a requested address is compared against the tag entries for a
match (hit). If found, the corresponding block in the data section returns the corresponding data of the input
address. If the access results in a miss, however, a tag and data block in the cache is then replaced by the new
address and data. The former data block in the cache is known as a victim. If this line was modified by a write
operation (even if the value remains identical), it must also be written back to the main memory to preserve
consistency. A modified line in the cache is called dirty (indicated by an internal flag) until it has been written
back to main memory (write-back).

Target Specification 24 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Core System Confidential

2.5.2 Functional Description

The cache is m-way set associative for the placement of its entries. The cache is divided into n sets (n is a
power of 2), each containing m data lines. These sets are referred to as m-way sets since m tag entries are
associated with each set (m ways to find the relevant data entry). The number of cache data lines employed
by the cache is therefore n x m, each of which carries k bytes (k is a power of 2). The data line size is referred
to as the block size. For example: A 4-way cache with 32 sets and a block size of 16 bytes results in a cache size
of 2 KB (2048 bytes).

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

The relevant data element gives the contents of the address corresponding to the tagged address entry – i.e.,
the contents of the mapped address.
A set is referenced using the set bits in the address (refer to Table 2-3 for a description of the address as used
by the cache). The ways in this set are then searched for a hit with the tag information using the tag_address
bits in the address. If a hit is found, the cache uses further information (the block bits in the address) to locate
the appropriate data in the block.
The cache peripheral provides a number of SFR controlled functions for optimized handling of the cache. For
example, the user can clean a block specified by an address, or lock a block specified by its address so that
those cache entries cannot be replaced. If the lock is no longer needed an unlock function is provided. The
complete set of SFRs is described in Section 2.5.3.
Figure 2-2 illustrates the cache principle for detecting a specified address to return the data for its assigned
address in the address space. A hit is shown in this instance.

31
Address
0

tag set block

Cache

tag way 0
tag way 1
Set n-1
...
tag way m-1

Figure 2-2 Cache Principle

Target Specification 25 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Core System Confidential

2.5.2.1 Parallel Cache Accesses

The words of a data block are stored in segregated memories (one data word per memory). These memories
have several interfaces: memory bus, instruction interface and data interface. The interfaces can be used in
parallel, which enhances performance. However, if different data elements in the same memory are accessed
by interfaces at the same time, one access will be given priority and the subsequent access(es) will be delayed,
meaning that a relationship between address and operation type exists. A bit named DAPCA (DisAble Parallel
Cache Accesses) in CACHE_CTRL is provided to disable simultaneous accesses to data elements. Some
reduction in performance is experienced by disabling parallel accesses.

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

2.5.3 Cache SFRs
A number of special function registers are implemented to control the Cache operation, as listed below.

Table 2-4 Register Address Space

Module Base Address End Address Note
Cache E008 A000H E008 BFFFH

Table 2-5 Register Overview

Register Short Name Register Long Name Offset Address Reset Value
Cache SFRs, Configuration SFRs
CACHE_CONFIG Cache Configuration Register 0000H 0006 0404H
CACHE_CTRL Cache Control Register 0004H 0000 0000H
Cache SFRs, Command SFRs
CACHE_AC Cache All Clean Register 0100H 0000 0000H
CACHE_SC Cache Set Clean Register 0104H 0000 0000H
CACHE_BC Cache Block Clean Register 0110H 0000 0000H
CACHE_BT Cache Block Touch Register 0114H 0000 0000H
CACHE_BL Cache Block Lock Register 0118H 0000 0000H
CACHE_BU Cache Block Unlock Register 011CH 0000 0000H

The registers are addressed wordwise.

All Cache module SFRs are accessible in privileged mode, user access will cause a BusFault.

Target Specification 26 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Core System Confidential

2.5.3.1 Configuration SFRs

The configuration registers control the behavior of the cache.

Cache Configuration Register

The cache configuration register allows the cache configuration details to be viewed.

CACHE_CONFIG Offset Reset Value

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

Cache Configuration Register 0000H 0006 0404H

Cache Set Clean Register 0104H 0000 0000H

31 0

ADDR

Field Bits Type Description

ADDR 31:0 w Address
The address to be locked. ADDR[3:0] are ignored. A read returns zero.

Target Specification 33 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Core System Confidential

Cache Block Unlock

A memory block specified by the address is unlocked and marked as most recently used. If that address has
no hit in the cache, then no operation is performed. Specifically, a fill is not performed.

CACHE_BU Offset Reset Value

Cache Block Unlock Register 011CH 0000 0000H

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

31 0

ADDR

Field Bits Type Description

ADDR 31:0 w Address
The address to be unlocked. The bits ADDR[3:0] are ignored. A read
returns zero.

Target Specification 34 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

True Random Number Generator Confidential

3 True Random Number Generator

This chapter describes the True Random Number Generator (TRNG) module. It contains the following
sections:
• Concept Overview.
• Performance.
• Functional Overview.

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

• TRNG SFRs.

3.1 Concept Overview

The TRNG module provides random data for cryptographic algorithms (keys), protocols (challenges, blinding
values, padding bytes, etc.).
A non-deterministic natural phenomenon is exploited to generate a data stream which has to fulfill the quality
criteria (minimum entropy requirement) defined in the AIS-20/31 publication by the German BSI [12]. In
particular, requirements for devices belonging to the functionality class PTG.2 (strength of mechanism: high)
are considered .
Every noise source, even if well-designed, produces a bit stream that usually shows statistical defects due to
bandwidth limitation, ageing and temperature drifts, fabrication tolerances and deterministic disturbances.
As a consequence, the noise source is always followed by a digital postprocessing (DPP) device, as shown in
Figure 3-1, where the definitions stated in AIS-20/31 have been adopted.

Digitized noise signal

Raw randomstream source

s[i] r[i]
Noise Digital post processor
source
Digitization
compressor TRNG_DATA

Data ready

Quality check TRNG_STAT

TRNG_CTRL

Low entropy warning

s[i] Source raw bit

r[i] Random bit

Figure 3-1 Principle of TRNG operation

Target Specification 35 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

True Random Number Generator Confidential

The postprocessor has the following two functions: it is requested to adjust the statistical distribution of the
raw bit stream s[i] (referred to as a digitized noise signal, DNS) and, above all, to increase the entropy per bit
of the output stream r[i] (internal random sequence, IRS) collecting entropy from the input sequence. Entropy
in information theory is a measure of the uncertainty associated with a random variable used to quantify the
information in a segment of data: it represents the minimum average number of bits that must be sent in order
to relay the true value of a random variable. The lower the entropy, the more predictable the bit values and
therefore the poorer the randomization.

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

3.2 Performance
The data rate of the TRNG after postprocessing is variable and depends on the bits of entropy per second
generated by the noise source. Furthermore, it depends on the clock frequency and the configuration settings.
Nontheless the following appoximations for the minimum, typical, and maximum avarage throughput are
accurate to ± 15%. The throughput R is given in units of kilobits per second and the clock frequency f in MHz.

⎡ kbit ⎤ f [MHz]⋅ 8000

R⎢ =
⎣ s ⎦ f [MHz]⋅ T [µs] + C
⎥
(3.1)
The constants T and C are given in the following table. They correspond to the constant and dynamic time
components, respectively, for generating one byte. Hence, the number of clock cycles needed for generating
one output byte is given by t = f×T+C.

Table 3-1 Generation Time for One Random Byte

Minimum Typical Maximum
Constant time T [µs] 9 18 71
Dynamic time C [clock cycles] 335 414 758

According to this formula and for a clock frequency of 33 MHz we have a typical generation time for one byte
of ttyp = 1008 clock cycles, corresponding to a throughput of Rtyp = 260 kb/s. For a clock frequency of 100 MHz
the typical throughput is approximately Rtyp = 360 kb/s . Should the maximum number of clock cycles elapse
before generation of a data block (with a size specified by TRNG_CTRL.DBS), a warning is indicated
(TRNG_STAT.WARN).
After a reset, the bias tuning loop needs a setup time during which a lower entropy is expected from the noise
source. The setup time is less than the time required to generate one output byte (i.e. typically less than 1000
clock cycles for 33 MHz). Due to the adaptive compression, the output quality is practically assured in every
condition and the user does not have to discard any output byte after a reset or after returning from sleep
mode.

Target Specification 36 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

True Random Number Generator Confidential

3.3 Functional Overview

The TRNG module continuously generates true random bytes for the system operation once enabled
(TRNG_CTRL.DIS = 0). The availability of new true random data is signaled by setting the DTA_RDY bit in the
TRNG_STAT register and triggering the corresponding “output buffer not empty” interrupt. The TRNG waits
until the data has been read before recommencing generation. Once the data has been read (from
TRNG_DATA32) the flag TRNG_STAT.DTA_RDY is cleared by hardware. (Note that the TRNG will, in certain
cases, not generate new data if the DTA_RDY flag is cleared: these cases relate to poor quality data as indicated
by warning and/or error bits. Please refer to Additional FIPS_ERR and WARN Information for a description

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

of these cases.)

3.3.1 Sleep Mode / Disable

The TRNG enters sleep mode when the module is disabled by setting the control bitTRNG_CTRL.DIS.
In sleep mode, the noise source and other components are reset, the digital post-processor is disabled and its
state is maintained.

3.3.2 Interrupt Behavior

The true random number generator triggers an interrupt whenever a random data block is ready to be output
from TRNG_DATA32 (also indicated by TRNG_STAT.DTA_RDY = 1B).
An interrupt is triggered in the event of an error or a warning occurring, as indicated by the FIPS_ERR bit and/or
the WARN bit in the TRNG_STAT register. The interrupt is handled by the interrupt controller.

Note: Remember that an interrupt is only triggered once, which means that a 1B for a warning or error bit in the
TRNG_STAT SFR will not cause continuously new interrupt requests.

Target Specification 37 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

True Random Number Generator Confidential

3.4 TRNG SFRs

The interface of the TRNG, comprises the registers shown in Table 3-3 below.

Table 3-2 Register Address Space

Module Base Address End Address Note
TRNG EC00 0200H EC00 02FFH

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

Table 3-3 Register Overview
Register Short Name Register Long Name Offset Address Reset Value
TRNG SFRs, Status and Data Registers
TRNG_DATA32 True RNG Data Register 00H XXXX XXXXH
TRNG_STAT TRNG status register 0CH 0X0XH
TRNG SFRs, Control Registers
TRNG_CTRL TRNG control register 10H 0002H

The registers are addressed wordwise.

Target Specification 38 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

True Random Number Generator Confidential

3.4.1 Status and Data Registers

Note: A read access to TRNG_DATA when a random word is not available (TRNG_STAT.DTA_RDY = 0) retrieves
the last value. Therefore it is necessary to check TRNG_STAT for WARN, FIPS_ERR and DTA_RDY before
TRNG_DATA32 is accessed to ensure that a new random value can be read.

True RNG Data Register

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

TRNG_DATA32 Offset Reset Value
True RNG Data Register 00H XXXX XXXXH

31 0

DATA

Field Bits Type Description

DATA 31:0 r Random Data
Random bit block to read

Note: If the TRNG operates in byte mode, the randomly generated data is
provided in bits 7...0; all other bits return zero.

Target Specification 39 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

True Random Number Generator Confidential

TRNG status register, TRNG_STAT

TRNG_STAT Offset Reset Value

TRNG status register 0CH 0X0XH

15 11 10 9 8 4 3 2 1 0

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

UNLO UNLO FIPS DTA_
Res CK_* WARN Res CK_* _ERR Res RDY

w rw w rw rw

Field Bits Type Description

UNLOCK_WARN 10 w Unlock Bit for WARN
0B LOCK, The bit WARN remains unchanged in the event of this SFR
being written to. This setting prevents unintentional changes to
that bit.
1B WE, The bit WARN may be changed by writing to the SFR.
WARN 9 rw Quality Warning
The number of transitions from the value 0B to the value 1B and from
1B to 0B is monitored according to the concept outlined in Section 3.1.
A warning is issued if too few transitions within a sequence of random
bits occur. The compression does not have adequate quality. See also
Additional FIPS_ERR and WARN Information.
0B GOOD, No warning. The quality of the random data is
satisfactory.
1B LOW, Warning. The quality of the random data is inadequate.
UNLOCK_FIPS_ ERR 3 w Unlock Bit for FIPS_ERR
0B LOCK, The bit FIPS_ERR remains unchanged in the event of this
SFR being written to. This setting prevents unintentional
changes to that bit.
1B WE, The bit FIPS_ERR may be changed by writing to the SFR.
FIPS_ERR 2 rw FIPS Error
An error is indicated if the current 32 bits of data are identical to the 32
bits of data generated before the current data. See also Additional
FIPS_ERR and WARN Information.
0B OK, No error detected.
1B ERROR, Data is identical.

Target Specification 40 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

True Random Number Generator Confidential

Field Bits Type Description

DTA_RDY 0 rw Random Data Ready
The bit is cleared by hardware during generation of a random word.
The bit is set by hardware when a new result is available and the
generation has run without warning or error . The bit is cleared by
hardware once the random data has been read. See also Additional
FIPS_ERR and WARN Information.

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

0B BUSY, No data ready for reading.
1B RDY, Data ready for reading.

Additional FIPS_ERR and WARN Information

If the hardware sets FIPS_ERR or WARN, the corresponding “error has occurred” interrupt is triggered. Data
generation is stopped because low quality data has been produced. The software must then decide what to
do with this low quality data, namely to validate or discard the data by writing to TRNG_STAT in either of the
ways explained below:
• Discard the generated data by writing 0408H (unlock_warn = 1, warn = 0, unlock_fips_err = 1, fips_err = 0,
dta_rdy = 0). The TRNG will immediately start to generate new random data, or
• Validate the data by writing 0409H (unlock_warn = 1, warn = 0, unlock_fips_err = 1, fips_err = 0, dta_rdy =
1). This causes an “output buffer not empty” interrupt to be triggered, and the data can be read out of
TRNG_DATA32 (remember that the data is of low quality). The TRNG will recommence generation of new
random data after TRNG_DATA32 has been read.
Each of the two operations must be carried out with a single access. The TRNG will behave unpredictably if the
software attempts to update any flag in TRNG_STAT while the TRNG is generating data, or if good quality data
was generated.
Attempting to read the TRNG_DATA32 register after the hardware has detected and indicated low quality data
without first validating the data (as described above) causes the controller to retrieve the last value.

Target Specification 41 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

True Random Number Generator Confidential

3.4.2 Control Registers

TRNG control register, TRNG_CTRL

TRNG_CTRL Offset Reset Value

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

TRNG control register 10H 0002H

15 3 2 1 0

Res DIS DBS

rw rw

Field Bits Type Description

DIS 2 rw Disable
It stops oscillators and digital logic.
0B EN, TRNG starts generating new data if no data is ready at the time (as
indicated by TRNG_STAT.DTA_RDY) and the warning/error flags are not
set (see TRNG_STAT).
1B DIS, TRNG is stopped even if no random data is available at the time.
Reset: 0B
DBS 1:0 rw Data Block Size
00B BYTE, Size of data block is 8 bits.
01B HW, Size of data block is 16 bits.
10B WORD, Size of data block is 32 bits.
Reset: 10B

Note: The data block size can be changed (using the DBS bit) while the TRNG is generating data without first
having to disable it . Depending on the internal status of the TRNG, the new data block size is applied on
the current data generation or on the following generation of data.

Target Specification 42 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

4 AES 128 Encryption / Decryption Device

This chapter describes the HSM's Advanced Encryption Standard module. It contains the following sections:
• Introduction.
• Algorithms.
• Register Architecture.
• AES SFRs.

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

• Pseudo Coding Example with Test Data.

4.1 Introduction
The AES module is a fast hardware device that supports fast encryption and decryption via a 128-bit-key AES
[5]. It enables plain/simple encryption and decryption of a single 128-bit data (i.e., plain text or cipher text)
block as well as encryption or decryption of a multitude of data blocks of 128 bits each. For these, several so-
called modes of operation are implemented
• ECB (electronic code book mode)
• CBC (cipher block chaining mode)
• CTR (32-bit counter mode)
• OFB (output feedback mode)
• CFB (cipher feedback mode)
This enables also the additional modes
• GCM (Galois counter mode)
• XTS (XEX-based Tweaked CodeBook mode (TCB) with Cipher Text Stealing (CTS))
Furthermore, the AES module supports the following features:
• Internal storage for 8 AES keys which are not readable.
• Key 0 and 1 are lockable, i.e., not writable nor readable.
• Minimum: 25 MB/s @ 100 MHz.
• Maximal latency of 1 µs @ 100 MHz.
• 5 contexts for modes of operation.

4.2 Algorithms
The AES module enables the efficient implementation of the following encryption and decryption algorithms.
All the following algorithms can be implemented using the basic instructions defined via the control register
AESCTRL.
For the following we will use the abbreviations:
BS is the byte space of the hexadecimal symbols {00H, 01H, ..., FFH}. It contains 256 elements.
DS is the space of the 16-byte data blocks BS16. It contains 2128 elements.
KS is the space of the 16-byte AES-keys BS16. It contains 2128 elements.
DS and KS are identical spaces. Distinction is made for clarity reasons.
An element P or C of DS=BS16 is written as P=(x0,...,x15) or C=(y0,...,y15). Similarly, for a k in KS.

Target Specification 43 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

In the GCM mode, as well as the XTS mode, polynomial arithmetic is used: The input and output values of the
plain AES are interpreted as binary polynomials of degree < 128, i.e., elements of the polynomial residue ring
R := F2[X]/(f(x)). (4.1)
Here, f is the binary polynomial of degree 128:

f(X) = X128 + X7 + X2 + X1 + 1. (4.2)

In particular, the AES input or output will be interpreted as a 128-bit string

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

a0, a1, a2, . . . , a126, a127, (4.3)
and this defines the polynomial:

a127 X127 + a126 X126 + . . . + a2 X2 + a1 X + a0 . (4.4)

In XTS mode, the mapping between the 16-byte data blocks (x0,...,x15) and the 128-bit strings a0, a1, a2, . . . , a126,
a127, is as follows: For i=0,1,...,15 and j:=8*i

xi = aj+7 27 + aj+6 26 + . . . + aj+2 22 + aj+1 2 + aj = (aj+7 ... aj+1aj)2 . (4.5)

In GCM mode, the mapping between the 16-byte data blocks (x0,...,x15) and the 128-bit strings a0, a1, a2, . . . ,
a126, a127, is as follows: For i=0,1,...,15 and j:=8*i

xi = aj 27 + aj+1 26 + . . . + aj+5 22 + aj+6 2 + aj+7 = (aj aj+1 ... aj+7)2 . (4.6)

Note that all symbols like Pi, Ci, IVi, CVi, Yi,... denote elements of DS or KS. They do not denote any registers
which will be introduced later and do not have an index but a numeration within the name.

4.2.1 Plain AES

The plain AES encryption algorithm AES-ENC is a map:
C := AES-ENCk(P) (4.7)
where P is a 16-byte plain text from DS, k is a 16-byte key from KS, and C is a 16-byte cipher text from DS.
The mapping to the standard [5] is given as follows:
P = (in0,..., in15), as in 3.4 of [5], or P = (in[0],..., in[15]) as in 5.1 of [5]
C = (out0,..., out15), as in 3.4 of [5], or C = (out[0],..., out[15]) as in 5.1 of [5]
k = (k[0],..., k[15]), as in 5.2 of [5]
The plain AES decryption algorithm AES-DEC is a map:
P := AES-DECk(C) (4.8)
where C is a 16-byte cipher text from DS, k is a 16-byte key from KS, and P is a 16-byte plain text from DS.
The mapping to the standard [5] is given as follows:
C = (in0,..., in15), as in 3.4 of [5], or C = (in[0],..., in[15]) as in 5.3 of [5]
P = (out0,..., out15), as in 3.4 of [5], or P = (out[0],..., out[15]) as in 5.3 of [5]
k = (k[0],..., k[15]), as in 5.2 of [5]
The main functional property of these two maps is
P = AES-DECk(AES-ENCk(P)), for any k in KS and P in DS.

Target Specification 44 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

P C

AES AES
k k
ENC DEC

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

AES _ENC_DEC

C P

Figure 4-1 AES

4.2.2 ECB Mode

In the ECB mode, AES encrypts and decrypts not only one 128-bit data block P out of DS but rather several
consecutive data blocks P1,..., Pn into the cipher text blocks C1,..., Cn or decrypts them back.
The ECB encryption, denoted by AES-ENCECB is defined by:
(C1,..., Cn) := AES-ENCEBC,k (P1,..., Pn), (4.9)
where n is an arbitrary positive integer and

C1 := AES-ENCk (P1),
...
Cn := AES-ENCk (Pn).

The ECB decryption, denoted by AES-DECECB is defined by:

(P1,..., Pn) := AES-DECECB,k (C1,..., Cn), (4.10)
where n is an arbitrary positive integer and

P1 := AES-DECk (C1),
...
Pn := AES-DECk (Cn).

Target Specification 45 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

P1 P2 P3

AES AES AES ...

k k k
ENC ENC ENC

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

AES_ ECB

C1 C2 C3

AES AES AES ...

k k k
DEC DEC DEC

P1 P2 P3

Figure 4-2 ECB mode

4.2.3 CBC Mode

In the CBC mode with initial value IV, AES encrypts and decrypts not only one 128-bit data block P out of DS
but rather several consecutive data blocks P1,..., Pn into the cipher text blocks C1,..., Cn or decrypts them back.
It depends not only on the private key k, but also on the initial value IV, which is a value from DS.
The CBC encryption, denoted by AES-ENCCBC is defined by:
(C1,..., Cn) := AES-ENCCBC,k,IV (P1,..., Pn), (4.11)
where n is an arbitrary positive integer and

C0 := IV.
C1 := AES-ENCk (P1 XOR C0),
C2 := AES-ENCk (P2 XOR C1),
...
Cn := AES-ENCk (Pn XOR Cn-1).

The CBC decryption, denoted by AES-DECCBC is defined by:

(P1,..., Pn) := AES-DECCBC,k,IV (C1,..., Cn), (4.12)
where n is an arbitrary positive integer and

C0 := IV.

Target Specification 46 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

P1 := AES-DECk (C1) XOR C0,

P2 := AES-DECk (C2) XOR C1,
...
Pn := AES-DECk (Cn) XOR Cn-1.

P1 P2 P3

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

AES AES AES ...

k k k
ENC ENC ENC

AES _CBC

C1 C2 C3

AES AES AES ...

k k k
DEC DEC DEC

P1 P2 P3

Figure 4-3 CBC mode

4.2.4 CTR Mode

In the CTR mode with initial value IV, AES encrypts and decrypts not only one 128-bit data block P out of DS
but rather several consecutive data blocks P1,..., Pn into the cipher text blocks C1,..., Cn or decrypts them back.
It depends not only on the private key k, but also on the initial value IV, which is a value from DS.
The CTR encryption, denoted by AES-ENCCTR is defined by:
(C1,..., Cn) := AES-ENCCTR,k,IV (P1,..., Pn), (4.13)
where n is an arbitrary positive integer and

IV1 := IV.
C1 := AES-ENCk (IV1) XOR P1,
IV2 := INC32(IV1),
C2 := AES-ENCk (IV2) XOR P2,

Target Specification 47 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

IV3 := INC32(IV2),
...
Cn := AES-ENCk (IVn) XOR Pn.

INC32 denotes the incrementation in the lowest 32 bits modulo 232.

The CTR decryption, denoted by AES-DECCTR is defined by:

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

(P1,..., Pn) := AES-DECCTR,k,IV (C1,..., Cn), (4.14)
where n is an arbitrary positive integer and

IV1 := IV.
P1 := AES-ENCk (IV1) XOR C1,
IV2 := INC32(IV1),
P2 := AES-ENCk (IV2) XOR C2,
IV3 := INC32(IV2),
...
Pn := AES-ENCk (IVn) XOR Cn.

INC32 denotes the incrementation in the lowest 32 bits modulo 232.

Target Specification 48 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

IV+0 IV+1 IV+2

AES AES AES

k k k ...
ENC ENC ENC
P1 P2 P3

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

AES_ CTR

IV+0 IV+1 IV+2

C1 C2 C3

AES AES AES

k k k ...
ENC ENC ENC

P1 P2 P3

Figure 4-4 CTR mode

4.2.5 OFB Mode

In the OFB mode with initial value IV, AES encrypts and decrypts not only one 128-bit data block P out of DS
but rather several consecutive data blocks P1,..., Pn into the cipher text blocks C1,..., Cn or decrypts them back.
It depends not only on the private key k, but also on the initial value IV, which is a value from DS.
The OFB encryption, denoted by AES-ENCOFB is defined by:
(C1,..., Cn) := AES-ENCOFB,k,IV (P1,..., Pn), (4.15)
where n is an arbitrary positive integer and

CV0 := IV,
CV1 := AES-ENCk (CV0),
C1 := CV1 XOR P1,
CV2 := AES-ENCk (CV1),
C2 := CV2 XOR P2,
CV3 := INC(CV2),
...
CVn := AES-ENCk (CVn-1),
Cn := CVn XOR Pn,

Target Specification 49 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

Attention: Do not mix up the values CVi with the later defined registers CV[0],...! The latter ones might
contain the former ones, but one has to distinguish between both notations!

The OFB decryption, denoted by AES-DECOFB is defined by:

(P1,..., Pn) := AES-DECOFB,k,IV (C1,..., Cn), (4.16)
where n is an arbitrary positive integer and

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

CV0 := IV,
CV1 := AES-ENCk (CV0),
P1 := CV1 XOR C1,
CV2 := AES-ENCk (CV1),
P2 := CV2 XOR C2,
CV3 := AES-ENCk (CV2),
...
CVn := AES-ENCk (CVn-1),
Pn := CVn XOR Cn,

Attention: Do not mix up the values CVi with the later defined registers CV[0],...! The latter ones might
contain the former ones, but one has to distinguish between both notations!

Target Specification 50 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

AES AES AES

k k k ...
ENC ENC ENC
P1 P2 P3

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

AES _OFB

IV
C1 C2 C3

AES AES AES

k k k ...
ENC ENC ENC

P1 P2 P3

Figure 4-5 OFB mode

4.2.6 CFB Mode

In the CFB mode with initial value IV, AES encrypts and decrypts not only one 128-bit data block P out of DS
but rather several consecutive data blocks P1,..., Pn into the cipher text blocks C1,..., Cn or decrypts them back.
It depends not only on the private key k, but also on the initial value IV, which is a value from DS.
The CFB encryption, denoted by AES-ENCCFB is defined by:
(C1,..., Cn) := AES-ENCCFB,k,IV (P1,..., Pn), (4.17)
where n is an arbitrary positive integer and

CV0 := IV,
C1 := CV1 := AES-ENCk (CV0) XOR P1,
C2 := CV2 := AES-ENCk (CV1) XOR P2,
...
Cn := CVn := AES-ENCk (CVn-1) XOR Pn.

Attention: Do not mix up the values CVi with the later defined registers CV[0],...! The latter ones might
contain the former ones, but one has to distinguish between both notations!

Target Specification 51 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

The CFB decryption, denoted by AES-DECCFB is defined by:

(P1,..., Pn) := AES-DECCFB,k,IV (C1,..., Cn), (4.18)
where n is an arbitrary positive integer and

C0 := IV,
CV1 := C0,

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

P1 := AES-ENCk (CV1) XOR C1,
CV2 := C1,
P2 := AES-ENCk (CV2) XOR C2,
CV3 := C2,
...
Pn := AES-ENCk (CVn) XOR Cn,

Attention: Do not mix up the values CVi with the later defined registers CV[0],...! The latter ones might
contain the former ones, but one has to distinguish between both notations!

AES AES AES

k k k ...
ENC ENC ENC
P1 P2 P3

AES_ CFB

IV
C1 C2 C3

AES AES AES

k k k ...
ENC ENC ENC

P1 P2 P3

Figure 4-6 CFB mode

Target Specification 52 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

4.2.7 GCM Mode

The GCM mode [8] is a combination of the CTR mode together with the GHASH. In the GCM mode with initial
value IV, AES encrypts and decrypts not only one 128-bit data block P out of DS but rather several consecutive
data blocks P1,..., Pn into the cipher text blocks C1,..., Cn or decrypts them back. It depends not only on the
private key k, but also on the initial value IV, which is a value from DS. Additionally, the encryption operation
computes an authentication tag T which additionally depends on additional data blocks A1,..., Am which will
not be encrypted. The decryption not only decrypts the cipher text blocks C1,..., Cn but also checks the
authentication tag information T. It is assumed, that the blocks P1,..., Pn and A1,..., Am are already full 128-bit

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

blocks (maybe by the padding described in [8]).
The GCM encryption, denoted by AES-ENCGCM is defined by:
(C1,..., Cn,T) := AES-ENCGCM, k, IV (A1,..., Am, P1,..., Pn), (4.19)
where n, m are arbitrary non-negative integers and the blocks are computed in the following way:

H := AES-ENCk (0128)
J0 := IV (or the preparation according to [8])
Y0 := 0
Y1 := (Y0 XOR A1)*H mod f
Y2 := (Y1 XOR A2)*H mod f
...
Ym := (Ym-1 XOR Am)*H mod f
CV1 := inc(J0)
C1 := P1 XOR AES-ENCk (CV1)
Ym+1 := (Ym XOR C1)*H mod f
CV2 := inc(CV1)
C2 := P2 XOR AES-ENCk (CV2)
Ym+2 := (Ym+1 XOR C2)*H mod f
...
CVn := inc(CVn-1)
Cn := Pn XOR AES-ENCk (CVn)
Ym+n := (Ym+n-1 XOR Cn)*H mod f
S := (Ym+n XOR L)*H mod f
T := S XOR AES-ENCk (J0)
Here, the block L consists of length information about the blocks A1, ..., Am and P1, ..., Pn.

The GCM decryption, denoted by AES-DECGCM is defined by:

(P1,..., Pn,T’) := AES-DECGCM, k, IV (A1,..., Am, C1,..., Cn), (4.20)
where n, m are arbitrary positive integers and the blocks are computed in the following way:

H := AES-ENCk (0128)

Target Specification 53 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

J0 := IV (or the preparation according to [8])

Y0 := 0
Y1 := (Y0 XOR A1)*H mod f
Y2 := (Y1 XOR A2)*H mod f
...
Ym := (Ym-1 XOR Am)*H mod f
Ym+1 := (Ym XOR C1)*H mod f

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

CV1 := inc(J0)
P1 := C1 XOR AES-ENCk (CV1)
Ym+2 := (Ym+1 XOR C2)*H mod f
CV2 := inc(CV1)
P2 := C2 XOR AES-ENCk (CV2)
...
Ym+n := (Ym+n-1 XOR Cn)*H mod f
CVn := inc(CVn-1)
Pn := Cn XOR AES-ENCk (CVn)
S := (Ym+n XOR L)*H mod f
T’ := S XOR AES-ENCk (J0)
Here, the block L consists of length information about the blocks A1, ..., Am and C1, ..., Cn.
Now, T can be compared with T’. If the values are equal, the cipher text blocks are authenticated, otherwise
rejected.

Target Specification 54 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

0 A1 A2 ... Am P1 P2 ... Pn L

AES
k AES
ENC k
CTR

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

H
C1 C2 ... Cn

AES _GCM

... ...

IV inc

AES
k X
ENC T

multiplication with
H modulo f:
Y=X*H mod f

Figure 4-7 GCM mode

Attention: Note that the GCM-Mode usually is also defined in the case that the last Block Pn is not a
complete 128 bit block. Then Pn has to be padded with zeros, and also Cn has to be padded
with zeros. This more general mode is not covered in this specificationof the AES module.

4.2.8 XTS Mode

The XTS encryption [9] of a single 128-bit data block P, which has the sequential number j within a data unit,
using a 256-bit key k=k1||k2 and the (128-bit) tweak value i, is denoted by:
C := AES-ENCXTS,k,i,j (P),
also in [9] written as
C := XTS-AES-blockEnc(k, P, i, j ).
C is computed by the following way:

T := (AES-ENCk2(i) * (Xj)) mod f,

Target Specification 55 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

C := AES-ENCk1 (P XOR T) XOR T,

The XTS decryption of a single 128-bit data block C, which has the sequential number j within a data unit, using
a 256-bit key k=k1||k2 and the tweak value i, is denoted by:
P := AES-DECXTS,k,i,j (C).
also in [9] written as
P := XTS-AES-blockDec(k, C, i, j ).

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

P is computed by the following way:

T := (AES-ENCk2(i) * (Xj)) mod f,

P := AES-DECk1 (C XOR T) XOR T,

Note that for consecutive blocks, i.e., with sequential number j and j+1 within the data unit, the tweak value T
for the block j+1 can be computed from the tweak value of block j by simply multiplying it with X mod f.

Target Specification 56 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

i
Xj mod f X X

AES
k2
ENC

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

P1 T P2 P3

AES _XTS
AES AES AES ...
k1 k1 k1
ENC ENC ENC

C1 C2 C3

AES AES AES ...

k1 k1 k1
DEC DEC DEC

P1 P2 P3

Figure 4-8 XTS mode

Target Specification 57 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

4.3 Register Architecture

The registers of the AES module, which are relevant for the programer, can be classified into two categories,
namely the SFR-registers which are directly accessible by the CPU and the internal registers which are only
accessible indirectly via the SFR-registers.
The SFR-registers are:
• The control register AESCTRL which is a 32-bit word register.
• The status register AESSTAT which is a 32-bit word register.

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

• The input register AESIN which consists of 4 32-bit word registers.
• The output register AESOUT which consists of 4 32-bit word registers.
• The second output register AESOUTSAVE which consists of 4 32-bit word registers.
The internal registers are:
• The 8 key registers K0, K1, ..., K7 which are each 128 bits wide.
• The 5 chaining variable registers CV0, CV1, CV2, CV3, CV4 which are each 128 bits wide.
After reset, these 8+5 registers have the value 0.
The operation of the AES module will be controlled solely by writing to the AESCTRL register. By virtue of this
the following operations are manageable:
• Copying of a key value from AESIN to some Kx (x=0,...,7) register.
• Locking of the keys K0 or K1, such that they are not writable any more.
• Copying of an IV value from AESIN to some CVy (y=0,1,2,3,4).
• Copying of a CV value from some CVy to AESOUT.
• Cryptographically processing of the input in AESIN, using at most one of the specified keys and chaining
variables and outputting it in AESOUT.
• Saving of the content of AESOUT into AESOUTSAVE. This is only an indirect process which will happen
automatically if a process is triggered that will overwrite AESOUT.
Usually an en-/decryption operation is done in the following way: The key is loaded into some Ky, an IV is
loaded into some CVy, then AESIN is filled with the input for the cryptographic operation. By writing AESCTRL
the operation is triggered. Waiting for AES to finish the operation and then reading the output out of AESOUT.
Important for pipelined operation of the module are the following facts:
• The AESCTRL register is always accessible. If the system (CPU) writes to the AESCTRL register while an
operation takes place, i.e., while AESSTAT.BSY is set, then the AES module will generate a wait signal for
the accessing bus, halting the write process until the operation is finished and the new value can be written
into AESCTRL.
• The AESSTAT register is always accessible.
• The input register is always accessible. After the start of an encryption operation, the input register AESIN
is idle and ready for being filled with the next input value.
• After the start of an encryption operation and before the end of this operation (indicated by the busy flag
in AESSTAT) the AESOUT is not accessible. A read access during this time will be stalled until AESSTAT.BSY
is cleared. For pipelined usage, the AESOUTSAVE register has to be used: The first action of a cryptographic
operation will be the copying of the content of AESOUT to AESOUTSAVE.
Furthermore note: If interrupts may occur that also access the AES module, the software must make sure that
these interrupts may not disturb the former AES operation by overwriting input or output values. So, either

Target Specification 58 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

these interrupts will be disabled, or the it is assured that the old values will be restored after such an
intermediary interrupt.

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

Target Specification 59 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

4.4 AES SFRs

There are 14 registers in the AES module, the AESCTRL, AESSTAT, AESIN0, AESIN1, AESIN2, AESIN3, AESOUT0,
AESOUT1, AESOUT2, AESOUT3, AESOUTSAVE0, AESOUTSAVE1, AESOUTSAVE2, AESOUTSAVE3.

Table 4-1 Register Address Space

Module Base Address End Address Note
AES E800 0000H E800 03FFH

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

Table 4-2 Register Overview
Register Short Name Register Long Name Offset Address Reset Value
AES SFRs, Control and Status Registers
AESCTRL AES Control Register 10H 0001 3000H
AESSTAT AES Status Register 14H 0000 0006H
AES SFRs, Input Registers
AESIN0 AES INPUT register 0 00H 0000 0000H
AESIN1 AES INPUT register 1 04H 0000 0000H
AESIN2 AES INPUT register 2 08H 0000 0000H
AESIN3 AES INPUT register 3 0CH 0000 0000H
AES SFRs, Output Registers
AESOUT0 AES OUTPUT register 0 20H 0000 0000H
AESOUT1 AES OUTPUT register 1 24H 0000 0000H
AESOUT2 AES OUTPUT register 2 28H 0000 0000H
AESOUT3 AES OUTPUT register 3 2CH 0000 0000H
AESOUTSAVE0 AES OUTPUT save register 0 30H 0000 0000H
AESOUTSAVE1 AES OUTPUT save register 1 34H 0000 0000H
AESOUTSAVE2 AES OUTPUT save register 2 38H 0000 0000H
AESOUTSAVE3 AES OUTPUT save register 3 3CH 0000 0000H

The registers are addressed wordwise.

Registers can only be accessed 32-bit wise and 32-bit aligned. Using 8-bit, 16-bit or un-aligned accesses lead
to a bus error.
Access to unused addresses results in a bus error.
Write access to read only registers results in a bus error.

Target Specification 60 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

4.4.1 Control and Status Registers

AESCTRL
This register triggers the operations of the AES module. In the description, IN denotes the input to the AES-
operation which was loaded to the registers AESIN0,..., AESIN3. OUT denotes the output of the AES-operation
which will be stored in AESOUT0,...,AESOUT3. OUTSAVE denotes the old Output of the former operation.

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

Commands that are not defined, will trigger no operation (NOP).

AESCTRL Offset Reset Value

AES Control Register 10H 0001 3000H

31 17 16 12 11 9 8 4 3 2 0
Re
Res OPC Res KEYNR s CVNR

rw rw rw

Field Bits Type Description

OPC 16:12 rw Operation Code
This field defines the operation of the AES module. For an in-depth
description of the commands, see the table below.
Note: An opcode with unspecified OPC will be ignored.

00H ECB-ENC, encrypts input with ECB mode

01H ECB-DEC, decrypts input with ECB mode
02H CBC-ENC, encrypts input with CBC mode
03H CBC-DEC, decrypts input with CBC mode
04H CTR, en- and decrypts input with CTR mode
05H OFB, en- and decrypts input with OFB mode
06H CFB-ENC, encrypts input with CFB mode
07H CFB-DEC, decrypts input with CFB mode
08H GCM-ENC, encrypts input with GCTR mode and G-hashes OUT
09H GCM-DEC, decrypts input with GCTR mode and G-hashes IN
0AH GCM-MAC, G-hashes the input
0BH XTS-ENC, encrypts with XTS mode
0CH XTS-DEC, decrypts with XTS mode
10H WK, writes input to selected key register and resets IN
11H LK, locks the key registers K0 or K1 such that they are not
writable anymore: Key is specified by KEYNR and works only with
KEYNR=0 or 1, otherwise the command will be ignored.
Furthermore LOCK0 or LOCK1 (in AESSTAT) is set to 1.
12H WCV, writes input to the selected chaining variable register
13H RCV, copies selected CV register to output register

Target Specification 61 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

Field Bits Type Description

KEYNR 8:4 rw Key Number
This bit field defines the number of the key register for the selected
operation. Valid keys are represented by 00H up to 07H. All values
between 08H and 1EH are rfu.

Note: An opcode with invalid KEYNR will be ignored.

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

1FH OLDKEY, uses the key of the last AES operation, but only for the
cryptographic operations – i.e., only for OPC < 0DH, with the
exception of 0AH. This functionality can only work properly
provided it is preceded by one of the operations referred to
above (using a valid key). Moreover, the key must not be
overwritten since the associated operation was performed.
CVNR 2:0 rw Chaining Variable Number
This bit field defines the number of the chaining variable register for
the selected operation.

Note: An opcode with invalid CVNR will be ignored.

0D CVNR0, Depending on the OpCode, Chaining Variable CV[0] will

be used
1D CVNR1, Depending on the OpCode, Chaining Variable CV[1] will
be used
2D CVNR2, Depending on the OpCode, Chaining Variable CV[2] will
be used
3D CVNR3, Depending on the OpCode, Chaining Variable CV[3] will
be used
4D CVNR4, Depending on the OpCode, Chaining Variable CV[4] will
be used

ECB-ENC
OUTSAVE <-- OUT,
OUT <-- AES-ENCK[KEYNR](IN)

ECB-DEC
OUTSAVE <-- OUT,
OUT <-- AES-DECK[KEYNR](IN)

CBC-ENC
OUTSAVE <-- OUT,
OUT <-- AES-ENCK[KEYNR](IN XOR CV[CVNR])
CV[CVNR] <-- OUT

Target Specification 62 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

CBC-DEC
OUTSAVE <-- OUT,
OUT <-- AES-DECK[KEYNR](IN) XOR CV[CVNR],
CV[CVNR] <-- IN

CTR
OUTSAVE <-- OUT,

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

OUT <-- AES-ENCK[KEYNR](CV[CVNR]) XOR IN
CV[CVNR] <-- INC32(CV[CVNR]).

OFB
OUTSAVE <-- OUT,
CV[CVNR] <-- AES-ENCK[KEYNR](CV[CVNR])
OUT <-- CV[CVNR] XOR IN.

CFB-ENC
OUTSAVE <-- OUT
OUT <--CV[CVNR] <-- AES-ENCK[KEYNR](CV[CVNR]) XOR IN

CFB-DEC
OUTSAVE <-- OUT,
OUT <-- AES-ENCK[KEYNR](CV[CVNR]) XOR IN,
CV[CVNR] <-- IN.

GCM-ENC
OUTSAVE <-- OUT,
OUT <-- AES-ENCK[KEYNR](CV[0]) XOR IN
CV[0] <-- INC32(CV[0]),
CV[2] <-- (CV[2] XOR OUT) * CV[1] mod f(X).

GCM-DEC
OUTSAVE <-- OUT,
CV[2] <-- (CV[2] XOR IN) * CV[1] mod f(X),
OUT <-- AES-ENCK[KEYNR](CV[0]) XOR IN,
CV[0] <-- INC32(CV[0]).

GCM-MAC
OUTSAVE <-- OUT,
OUT <-- IN,
CV[2] <-- (CV[2] XOR IN) * CV[1] mod f(X) .

XTS-ENC
OUTSAVE <-- OUT,
OUT <-- AES-ENCK[KEYNR](IN XOR CV[CVNR]) XOR CV[CVNR],
CV[CVNR] <-- CV[CVNR] * X mod f(X).

Target Specification 63 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

XTS-DEC
OUTSAVE <-- OUT,
OUT <-- AES-DECK[KEYNR](IN XOR CV[CVNR]) XOR CV[CVNR],
CV[CVNR] <-- CV[CVNR] * X mod f(X).

WK
if (KEYNR>2) or (KEYNR=1 and AESSTAT.LOCK1=0) or (KEYNR=0 and AESSTAT.LOCK0=0) then

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

K[KEYNR] <-- IN
end if
IN <-- 0

LK
-

WCV
CV[CVNR] <-- IN

RCV
OUTSAVE <-- OUT
OUT <-- CV[CVNR]

Target Specification 64 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

AESSTAT
The AESSTAT register contains information whether AES is busy and the keys K0 and K1 are locked..

AESSTAT Offset Reset Value

AES Status Register 14H 0000 0006H

31 3 2 1 0

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

LO LO BS
Res C* C* Y

r r r

Field Bits Type Description

LOCK1 2 r Lock Key1
0H K1WENABLED, Key K1 can be written again.
1H K1LOCKED, Key K1 is locked, i.e., K1 can not be written again.
LOCK0 1 r Lock Key0
0H K0WENABLED, Key K0 can be written again.
1H K0LOCKED, Key K0 is locked, i.e., K0 can not be written again.
BSY 0 r Busy flag
0H idle, The AES module is idle. Input data can be sent to AESIN,
Output data can be read out of AESOUT or AESOUTSAVE, or an
operation can be triggered by sending a command to the
AESCTRL register.
1H busy, The AES module is working. Future Input data can be sent
to AESIN. A command sent to the AESCRTL and reading of the
AESOUTx registers will be stalled until the running operation is
finished.

Target Specification 65 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

4.4.2 Input Registers

AESIN0
The AESIN0 register contains part of a key, IV, plain text or cipher text.

AESIN0 Offset Reset Value

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

AES INPUT register 0 00H 0000 0000H

31 24 23 16 15 8 7 0

IN15 IN14 IN13 IN12

rw rw rw rw

Field Bits Type Description

IN15 31:24 rw Input Byte 15
This byte represents the byte 15 of a key, IV, plain text or cipher text.
IN14 23:16 rw Input Byte 14
This byte represents the byte 14 of a key, IV, plain text or cipher text.
IN13 15:8 rw Input Byte 13
This byte represents the byte 13 of a key, IV, plain text or cipher text.
IN12 7:0 rw Input Byte 12
This byte represents the byte 12 of a key, IV, plain text or cipher text.

Target Specification 69 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

4.4.3 Output Registers

AESOUT0
The AESOUT0 register contains part of a plain text or cipher text.

AESOUT0 Offset Reset Value

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

AES OUTPUT register 0 20H 0000 0000H

31 24 23 16 15 8 7 0

OUTSAVE15 OUTSAVE14 OUTSAVE13 OUTSAVE12

r r r r

Field Bits Type Description

OUTSAVE15 31:24 r Output Byte 15
This byte represents the byte 15 of the output.
OUTSAVE14 23:16 r Output Byte 14
This byte represents the byte 14 of the output.
OUTSAVE13 15:8 r Output Byte 13
This byte represents the byte 13 of the output.
OUTSAVE12 7:0 r Output Byte 12
This byte represents the byte 12 of the output.

Target Specification 77 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

4.5 Pseudo Coding Example with Test Data

All 32 and 128 bit values are given in hexadecimal, omitting the prefix “0x”

identify:
loadkey = 0x10
loadCV = 0x12
ecbenc = 0x00

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

cbcenc = 0x02
ctrenc = 0x04
ofbenc = 0x05
cfbenc = 0x06
gcmenc = 0x08
gcmmac = 0x0a
xtsenc = 0x0b

Default words are given in LITTLE ENDIAN MODE!

For all following encryption examples, the following data are fixed:

key = 2b7e151628aed2a6abf7158809cf4f3c
IV = 000102030405060708090a0b0c0d0e0f (except for the CTR mode)
P1 = 6bc1bee22e409f96e93d7e117393172a
P2 = ae2d8a571e03ac9c9eb76fac45af8e51
P3 = 30c81c46a35ce411e5fbc1191a0a52ef
P4 = f69f2445df4f9b17ad2b417be66c3710
where these hexadecimal strings have to be interpreted, e.g., in the way that the 16
bytes are concatenated as:
B = b_0|b_1|b_2|b_3|b_4|b_5|b_6|b_7|b_8|b_9|b_10|b_11|b_12|b_13|b_14|b_15
On a 32-bit platform, this will be written as
arrays of 32-bit words:
key k[4]
IV IV[4]
P1 P1[4]
P2 P2[4]
P3 P3[4]
P4 P4[4]
C1 P1[4]
C2 P2[4]
C3 P3[4]
C4 P4[4]
with
k[0] <- 16157e2b
k[1] <- a6d2ae28
k[2] <- 8815f7ab
k[3] <- 3c4fcf09
IV[0] <- 03020100
IV[1] <- 07060504
IV[2] <- 0b0a0908
IV[3] <- 0f0e0d0c

Target Specification 78 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

P1[0] <- e2bec16b

P1[1] <- 969f402e
P1[2] <- 117e3de9
P1[3] <- 2a179373
P2[0] <- 578a2dae
P2[1] <- 9cac031e
P2[2] <- ac6fb79e
P2[3] <- 518eaf45

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

P3[0] <- 461cc830
P3[1] <- 11e45ca3
P3[2] <- 19c1fbe5
P3[3] <- ef520a1a
P4[0] <- 45249ff6
P4[1] <- 179b4fdf
P4[2] <- 7b412bad
P4[3] <- 10376ce6

1. ECB-mode

NIST SP800-38A [6]:

"F.1.1 ECB-AES128.Encrypt
Key 2b7e151628aed2a6abf7158809cf4f3c
Block #1
Plaintext 6bc1bee22e409f96e93d7e117393172a
Input Block 6bc1bee22e409f96e93d7e117393172a
Output Block 3ad77bb40d7a3660a89ecaf32466ef97
Ciphertext 3ad77bb40d7a3660a89ecaf32466ef97
Block #2
Plaintext ae2d8a571e03ac9c9eb76fac45af8e51
Input Block ae2d8a571e03ac9c9eb76fac45af8e51
Output Block f5d3d58503b9699de785895a96fdbaaf
Ciphertext f5d3d58503b9699de785895a96fdbaaf
Block #3
Plaintext 30c81c46a35ce411e5fbc1191a0a52ef
Input Block 30c81c46a35ce411e5fbc1191a0a52ef
Output Block 43b1cd7f598ece23881b00e3ed030688
Ciphertext 43b1cd7f598ece23881b00e3ed030688
Block #4
Plaintext f69f2445df4f9b17ad2b417be66c3710
Input Block f69f2445df4f9b17ad2b417be66c3710
Output Block 7b0c785e27e8ad3f8223207104725dd4
Ciphertext 7b0c785e27e8ad3f8223207104725dd4"

key = 2b7e151628aed2a6abf7158809cf4f3c
P1 = 6bc1bee22e409f96e93d7e117393172a
P2 = ae2d8a571e03ac9c9eb76fac45af8e51
P3 = 30c81c46a35ce411e5fbc1191a0a52ef
P4 = f69f2445df4f9b17ad2b417be66c3710
C1 = 3ad77bb40d7a3660a89ecaf32466ef97
C2 = f5d3d58503b9699de785895a96fdbaaf

Target Specification 79 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

C3 = 43b1cd7f598ece23881b00e3ed030688
C4 = 7b0c785e27e8ad3f8223207104725dd4

Encryption with ECB mode with key in K5:

AESIN0 <- k[0]

AESIN1 <- k[1]
AESIN2 <- k[2]

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

AESIN3 <- k[3]
AESCTRL <- 0000loadkey050
AESIN0 <- P1[0]
AESIN1 <- P1[1]
AESIN2 <- P1[2]
AESIN3 <- P1[3]
AESCTRL <- 0000ecbenc050
wait until AESSTAT AND 00000001 = 0
C1[0] <- AESOUT0
C1[1] <- AESOUT1
C1[2] <- AESOUT2
C1[3] <- AESOUT3
AESIN0 <- P2[0]
AESIN1 <- P2[1]
AESIN2 <- P2[2]
AESIN3 <- P2[3]
AESCTRL <- 0000ecbenc050
wait until AESSTAT AND 00000001 = 0
C2[0] <- AESOUT0
C2[1] <- AESOUT1
C2[2] <- AESOUT2
C2[3] <- AESOUT3
AESIN0 <- P3[0]
AESIN1 <- P3[1]
AESIN2 <- P3[2]
AESIN3 <- P3[3]
AESCTRL <- 0000ecbenc050
wait until AESSTAT AND 00000001 = 0
C3[0] <- AESOUT0
C3[1] <- AESOUT1
C3[2] <- AESOUT2
C3[3] <- AESOUT3
AESIN0 <- P4[0]
AESIN1 <- P4[1]
AESIN2 <- P4[2]
AESIN3 <- P4[3]
AESCTRL <- 0000ecbenc050
wait until AESSTAT AND 00000001 = 0
C4[0] <- AESOUT0
C4[1] <- AESOUT1
C4[2] <- AESOUT2
C4[3] <- AESOUT3

Target Specification 80 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

now, the output is

C1[0] = B47BD73A
C1[1] = 60367A0D
C1[2] = F3CA9EA8
C1[3] = 97EF6624
C2[0] = 85D5D3F5
C2[1] = 9D69B903

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

C2[2] = 5A8985E7
C2[3] = AFBAFD96
C3[0] = 7FCDB143
C3[1] = 23CE8E59
C3[2] = E3001B88
C3[3] = 880603ED
C4[0] = 5E780C7B
C4[1] = 3FADE827
C4[2] = 71202382
C4[3] = D45D7204

Encryption with ECB mode with key in K5, in a pipelined version:

AESIN0 <- k[0]

AESIN1 <- k[1]
AESIN2 <- k[2]
AESIN3 <- k[3]
AESCTRL <- 0000loadkey050
AESIN0 <- P1[0]
AESIN1 <- P1[1]
AESIN2 <- P1[2]
AESIN3 <- P1[3]
AESCTRL <- 0000ecbenc050
AESIN0 <- P2[0]
AESIN1 <- P2[1]
AESIN2 <- P2[2]
AESIN3 <- P2[3]
[wait until AESSTAT AND 00000001 = 0]
AESCTRL <- 0000ecbenc050
C1[0] <- AESOUTSAVE0
C1[1] <- AESOUTSAVE1
C1[2] <- AESOUTSAVE2
C1[3] <- AESOUTSAVE3
AESIN0 <- P3[0]
AESIN1 <- P3[1]
AESIN2 <- P3[2]
AESIN3 <- P3[3]
[wait until AESSTAT AND 00000001 = 0]
AESCTRL <- 0000ecbenc050
C2[0] <- AESOUTSAVE0
C2[1] <- AESOUTSAVE1
C2[2] <- AESOUTSAVE2
C2[3] <- AESOUTSAVE3

Target Specification 81 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

AESIN0 <- P4[0]

AESIN1 <- P4[1]
AESIN2 <- P4[2]
AESIN3 <- P4[3]
[wait until AESSTAT AND 00000001 = 0]
AESCTRL <- 0000ecbenc050
C3[0] <- AESOUTSAVE0
C3[1] <- AESOUTSAVE1

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

C3[2] <- AESOUTSAVE2
C3[3] <- AESOUTSAVE3
[wait until AESSTAT AND 00000001 = 0]
C4[0] <- AESOUT0
C4[1] <- AESOUT1
C4[2] <- AESOUT2
C4[3] <- AESOUT3

now, the output is again the same as above.

2. CBC-mode

NIST SP800-38A [6]:

"F.2.1 CBC-AES128.Encrypt
Key 2b7e151628aed2a6abf7158809cf4f3c
IV 000102030405060708090a0b0c0d0e0f
Block #1
Plaintext 6bc1bee22e409f96e93d7e117393172a
Input Block 6bc0bce12a459991e134741a7f9e1925
Output Block 7649abac8119b246cee98e9b12e9197d
Ciphertext 7649abac8119b246cee98e9b12e9197d
Block #2
Plaintext ae2d8a571e03ac9c9eb76fac45af8e51
Input Block d86421fb9f1a1eda505ee1375746972c
Output Block 5086cb9b507219ee95db113a917678b2
Ciphertext 5086cb9b507219ee95db113a917678b2
Block #3
Plaintext 30c81c46a35ce411e5fbc1191a0a52ef
Input Block 604ed7ddf32efdff7020d0238b7c2a5d
Output Block 73bed6b8e3c1743b7116e69e22229516
Ciphertext 73bed6b8e3c1743b7116e69e22229516
Block #4
Plaintext f69f2445df4f9b17ad2b417be66c3710
Input Block 8521f2fd3c8eef2cdc3da7e5c44ea206
Output Block 3ff1caa1681fac09120eca307586e1a7
Ciphertext 3ff1caa1681fac09120eca307586e1a7"

key = 2b7e151628aed2a6abf7158809cf4f3c
IV = 000102030405060708090a0b0c0d0e0f
P1 = 6bc1bee22e409f96e93d7e117393172a
P2 = ae2d8a571e03ac9c9eb76fac45af8e51
P3 = 30c81c46a35ce411e5fbc1191a0a52ef

Target Specification 82 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

P4 = f69f2445df4f9b17ad2b417be66c3710
C1 = 7649abac8119b246cee98e9b12e9197d
C2 = 5086cb9b507219ee95db113a917678b2
C3 = 73bed6b8e3c1743b7116e69e22229516
C4 = 3ff1caa1681fac09120eca307586e1a7

Encryption with CBC mode with key in K7 and IV in CV1:

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

AESIN0 <- k[0]
AESIN1 <- k[1]
AESIN2 <- k[2]
AESIN3 <- k[3]
AESCTRL <- 0000loadkey070
AESIN0 <- IV[0]
AESIN1 <- IV[1]
AESIN2 <- IV[2]
AESIN3 <- IV[3]
AESCTRL <- 0000loadCV001
AESIN0 <- P1[0]
AESIN1 <- P1[1]
AESIN2 <- P1[2]
AESIN3 <- P1[3]
AESCTRL <- 0000cbcenc071
wait until AESSTAT AND 00000001 = 0
// Now CV1 = 7649abac8119b246cee98e9b12e9197d
C1[0] <- AESOUT0
C1[1] <- AESOUT1
C1[2] <- AESOUT2
C1[3] <- AESOUT3
AESIN0 <- P2[0]
AESIN1 <- P2[1]
AESIN2 <- P2[2]
AESIN3 <- P2[3]
AESCTRL <- 0000cbcenc071
wait until AESSTAT AND 00000001 = 0
// Now CV1 = 5086cb9b507219ee95db113a917678b2
C2[0] <- AESOUT0
C2[1] <- AESOUT1
C2[2] <- AESOUT2
C2[3] <- AESOUT3
AESIN0 <- P3[0]
AESIN1 <- P3[1]
AESIN2 <- P3[2]
AESIN3 <- P3[3]
AESCTRL <- 0000cbcenc071
wait until AESSTAT AND 00000001 = 0
// Now CV1 = 73bed6b8e3c1743b7116e69e22229516
C3[0] <- AESOUT0
C3[1] <- AESOUT1
C3[2] <- AESOUT2
C3[3] <- AESOUT3

Target Specification 83 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

AESIN0 <- P4[0]

AESIN1 <- P4[1]
AESIN2 <- P4[2]
AESIN3 <- P4[3]
AESCTRL <- 0000cbcenc071
wait until AESSTAT AND 00000001 = 0
// Now CV1 = 3ff1caa1681fac09120eca307586e1a7
C4[0] <- AESOUT0

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

C4[1] <- AESOUT1
C4[2] <- AESOUT2
C4[3] <- AESOUT3

now, the output is:

C1[0] = ACAB4976
C1[1] = 46B21981
C1[2] = 9B8EE9CE
C1[3] = 7D19E912
C2[0] = 9BCB8650
C2[1] = EE197250
C2[2] = 3A11DB95
C2[3] = B2787691
C3[0] = B8D6BE73
C3[1] = 3B74C1E3
C3[2] = 9EE61671
C3[3] = 16952222
C4[0] = A1CAF13F
C4[1] = 09AC1F68
C4[2] = 30CA0E12
C4[3] = A7E18675

Encryption with CBC mode with key in K7, in a pipelined version:

AESIN0 <- k[0]

AESIN1 <- k[1]
AESIN2 <- k[2]
AESIN3 <- k[3]
AESCTRL <- 0000loadkey050
AESIN0 <- IV[0]
AESIN1 <- IV[1]
AESIN2 <- IV[2]
AESIN3 <- IV[3]
AESCTRL <- 0000loadCV001
AESIN0 <- P1[0]
AESIN1 <- P1[1]
AESIN2 <- P1[2]
AESIN3 <- P1[3]
AESCTRL <- 0000cbcenc071
AESIN0 <- P2[0]
AESIN1 <- P2[1]
AESIN2 <- P2[2]

Target Specification 84 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

AESIN3 <- P2[3]

[wait until AESSTAT AND 00000001 = 0]
// Now CV1 = 7649abac8119b246cee98e9b12e9197d
AESCTRL <- 0000cbcenc071
C1[0] <- AESOUTSAVE0
C1[1] <- AESOUTSAVE1
C1[2] <- AESOUTSAVE2
C1[3] <- AESOUTSAVE3

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

AESIN0 <- P3[0]
AESIN1 <- P3[1]
AESIN2 <- P3[2]
AESIN3 <- P3[3]
[wait until AESSTAT AND 00000001 = 0]
// Now CV1 = 5086cb9b507219ee95db113a917678b2
AESCTRL <- 0000cbcenc071
C2[0] <- AESOUTSAVE0
C2[1] <- AESOUTSAVE1
C2[2] <- AESOUTSAVE2
C2[3] <- AESOUTSAVE3
AESIN0 <- P4[0]
AESIN1 <- P4[1]
AESIN2 <- P4[2]
AESIN3 <- P4[3]
[wait until AESSTAT AND 00000001 = 0]
// Now CV1 = 73bed6b8e3c1743b7116e69e22229516
AESCTRL <- 0000cbcenc071
C3[0] <- AESOUTSAVE0
C3[1] <- AESOUTSAVE1
C3[2] <- AESOUTSAVE2
C3[3] <- AESOUTSAVE3
[wait until AESSTAT AND 00000001 = 0]
// Now CV1 = 3ff1caa1681fac09120eca307586e1a7
C4[0] <- AESOUT0
C4[1] <- AESOUT1
C4[2] <- AESOUT2
C4[3] <- AESOUT3

now, the output is again the same as above.

3. CTR mode

NIST SP800-38A [6]:

"F.5.1 CTR-AES128.Encrypt
Key 2b7e151628aed2a6abf7158809cf4f3c
Init. Counter f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
Block #1
Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
Output Block ec8cdf7398607cb0f2d21675ea9ea1e4
Plaintext 6bc1bee22e409f96e93d7e117393172a

Target Specification 85 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

Ciphertext 874d6191b620e3261bef6864990db6ce
Block #2
Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff00
Output Block 362b7c3c6773516318a077d7fc5073ae
Plaintext ae2d8a571e03ac9c9eb76fac45af8e51
Ciphertext 9806f66b7970fdff8617187bb9fffdff
Block #3
Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff01

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

Output Block 6a2cc3787889374fbeb4c81b17ba6c44
Plaintext 30c81c46a35ce411e5fbc1191a0a52ef
Ciphertext 5ae4df3edbd5d35e5b4f09020db03eab
Block #4
Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff02
Output Block e89c399ff0f198c6d40a31db156cabfe
Plaintext f69f2445df4f9b17ad2b417be66c3710
Ciphertext 1e031dda2fbe03d1792170a0f3009cee"

key = 2b7e151628aed2a6abf7158809cf4f3c
IV = f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
P1 = 6bc1bee22e409f96e93d7e117393172a
P2 = ae2d8a571e03ac9c9eb76fac45af8e51
P3 = 30c81c46a35ce411e5fbc1191a0a52ef
P4 = f69f2445df4f9b17ad2b417be66c3710
C1 = 874d6191b620e3261bef6864990db6ce
C2 = 9806f66b7970fdff8617187bb9fffdff
C3 = 5ae4df3edbd5d35e5b4f09020db03eab
C4 = 1e031dda2fbe03d1792170a0f3009cee

On a 32-bit platform, the counter will be written as

array:
IV IV[4]
with
IV[0] <- F3F2F1F0
IV[1] <- F7F6F5F4
IV[2] <- FBFAF9F8
IV[3] <- FFFEFDFC

Encryption with CTR mode with key in K3 and IV in CV3:

AESIN0 <- k[0]

Target Specification 86 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

AESIN0 <- P1[0]

AESIN1 <- P1[1]
AESIN2 <- P1[2]
AESIN3 <- P1[3]
AESCTRL <- 0000ctrenc033
wait until AESSTAT AND 00000001 = 0
C1[0] <- AESOUT0
C1[1] <- AESOUT1

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

C1[2] <- AESOUT2
C1[3] <- AESOUT3
// Now CV3 = f0f1f2f3f4f5f6f7f8f9fafbfcfdff00
AESIN0 <- P2[0]
AESIN1 <- P2[1]
AESIN2 <- P2[2]
AESIN3 <- P2[3]
AESCTRL <- 0000ctrenc033
wait until AESSTAT AND 00000001 = 0
C2[0] <- AESOUT0
C2[1] <- AESOUT1
C2[2] <- AESOUT2
C2[3] <- AESOUT3
// Now CV3 = f0f1f2f3f4f5f6f7f8f9fafbfcfdff01
AESIN0 <- P3[0]
AESIN1 <- P3[1]
AESIN2 <- P3[2]
AESIN3 <- P3[3]
AESCTRL <- 0000ctrenc033
wait until AESSTAT AND 00000001 = 0
C3[0] <- AESOUT0
C3[1] <- AESOUT1
C3[2] <- AESOUT2
C3[3] <- AESOUT3
// Now CV3 = f0f1f2f3f4f5f6f7f8f9fafbfcfdff002
AESIN0 <- P4[0]
AESIN1 <- P4[1]
AESIN2 <- P4[2]
AESIN3 <- P4[3]
AESCTRL <- 0000ctrenc033
wait until AESSTAT AND 00000001 = 0
C4[0] <- AESOUT0
C4[1] <- AESOUT1
C4[2] <- AESOUT2
C4[3] <- AESOUT3
// Now CV3 = f0f1f2f3f4f5f6f7f8f9fafbfcfdff03

now, the output is:

C1[0] = 91614D87
C1[1] = 26E320B6
C1[2] = 6468EF1B
C1[3] = CEB60D99

Target Specification 87 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

C2[0] = 6BF60698
C2[1] = FFFD7079
C2[2] = 7B181786
C2[3] = FFFDFFB9
C3[0] = 3EDFE45A
C3[1] = 5ED3D5DB
C3[2] = 02094F5B
C3[3] = AB3EB00D

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

C4[0] = DA1D031E
C4[1] = D103BE2F
C4[2] = A0702179
C4[3] = EE9C00F3

Encryption with CTR mode with key in K3, in a pipelined version:

AESIN0 <- k[0]

AESIN1 <- k[1]
AESIN2 <- k[2]
AESIN3 <- k[3]
AESCTRL <- 0000loadkey030
AESIN0 <- IV[0]
AESIN1 <- IV[1]
AESIN2 <- IV[2]
AESIN3 <- IV[3]
AESCTRL <- 0000loadCV003
// Now CV3 = f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
AESIN0 <- P1[0]
AESIN1 <- P1[1]
AESIN2 <- P1[2]
AESIN3 <- P1[3]
AESCTRL <- 0000ctrenc033
AESIN0 <- P2[0]
AESIN1 <- P2[1]
AESIN2 <- P2[2]
AESIN3 <- P2[3]
// Now CV3 = f0f1f2f3f4f5f6f7f8f9fafbfcfdff00
AESCTRL <- 0000ctrenc033
C1[0] <- AESOUTSAVE0
C1[1] <- AESOUTSAVE1
C1[2] <- AESOUTSAVE2
C1[3] <- AESOUTSAVE3
AESIN0 <- P3[0]
AESIN1 <- P3[1]
AESIN2 <- P3[2]
AESIN3 <- P3[3]
// Now CV3 = f0f1f2f3f4f5f6f7f8f9fafbfcfdff01
AESCTRL <- 0000ctrenc033
C2[0] <- AESOUTSAVE0
C2[1] <- AESOUTSAVE1
C2[2] <- AESOUTSAVE2

Target Specification 88 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

C2[3] <- AESOUTSAVE3

AESIN0 <- P4[0]
AESIN1 <- P4[1]
AESIN2 <- P4[2]
AESIN3 <- P4[3]
// Now CV3 = f0f1f2f3f4f5f6f7f8f9fafbfcfdff02
AESCTRL <- 0000ctrenc033
C3[0] <- AESOUTSAVE0

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

C3[1] <- AESOUTSAVE1
C3[2] <- AESOUTSAVE2
C3[3] <- AESOUTSAVE3
// Now CV3 = f0f1f2f3f4f5f6f7f8f9fafbfcfdff03
C4[0] <- AESOUT0
C4[1] <- AESOUT1
C4[2] <- AESOUT2
C4[3] <- AESOUT3

now, the output is again the same as above.

4. OFB mode

NIST SP800-38A [6]:

"F.4.1 OFB-AES128.Encrypt
Key 2b7e151628aed2a6abf7158809cf4f3c
IV 000102030405060708090a0b0c0d0e0f
Block #1
Input Block 000102030405060708090a0b0c0d0e0f
Output Block 50fe67cc996d32b6da0937e99bafec60
Plaintext 6bc1bee22e409f96e93d7e117393172a
Ciphertext 3b3fd92eb72dad20333449f8e83cfb4a
Block #2
Input Block 50fe67cc996d32b6da0937e99bafec60
Output Block d9a4dada0892239f6b8b3d7680e15674
Plaintext ae2d8a571e03ac9c9eb76fac45af8e51
Ciphertext 7789508d16918f03f53c52dac54ed825
Block #3
Input Block d9a4dada0892239f6b8b3d7680e15674
Output Block a78819583f0308e7a6bf36b1386abf23
Plaintext 30c81c46a35ce411e5fbc1191a0a52ef
Ciphertext 9740051e9c5fecf64344f7a82260edcc
Block #4
Input Block a78819583f0308e7a6bf36b1386abf23
Output Block c6d3416d29165c6fcb8e51a227ba994e
Plaintext f69f2445df4f9b17ad2b417be66c3710
Ciphertext 304c6528f659c77866a510d9c1d6ae5e"

key = 2b7e151628aed2a6abf7158809cf4f3c
IV = 000102030405060708090a0b0c0d0e0f
P1 = 6bc1bee22e409f96e93d7e117393172a
P2 = ae2d8a571e03ac9c9eb76fac45af8e51
P3 = 30c81c46a35ce411e5fbc1191a0a52ef

Target Specification 89 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

P4 = f69f2445df4f9b17ad2b417be66c3710
C1 = 3b3fd92eb72dad20333449f8e83cfb4a
C2 = 7789508d16918f03f53c52dac54ed825
C3 = 9740051e9c5fecf64344f7a82260edcc
C4 = 304c6528f659c77866a510d9c1d6ae5e

Encryption with OFB mode with key in K3 and IV in CV2:

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

AESIN0 <- k[0]
AESIN1 <- k[1]
AESIN2 <- k[2]
AESIN3 <- k[3]
AESCTRL <- 0000loadkey030
AESIN0 <- IV[0]
AESIN1 <- IV[1]
AESIN2 <- IV[2]
AESIN3 <- IV[3]
AESCTRL <- 0000loadCV002
// Now CV2 = 000102030405060708090a0b0c0d0e0f
AESIN0 <- P1[0]
AESIN1 <- P1[1]
AESIN2 <- P1[2]
AESIN3 <- P1[3]
AESCTRL <- 0000ofbenc032
wait until AESSTAT AND 00000001 = 0
C1[0] <- AESOUT0
C1[1] <- AESOUT1
C1[2] <- AESOUT2
C1[3] <- AESOUT3
// Now CV2 = 50fe67cc996d32b6da0937e99bafec60
AESIN0 <- P2[0]
AESIN1 <- P2[1]
AESIN2 <- P2[2]
AESIN3 <- P2[3]
AESCTRL <- 0000ofbenc032
wait until AESSTAT AND 00000001 = 0
C2[0] <- AESOUT0
C2[1] <- AESOUT1
C2[2] <- AESOUT2
C2[3] <- AESOUT3
// Now CV2 = d9a4dada0892239f6b8b3d7680e15674
AESIN0 <- P3[0]
AESIN1 <- P3[1]
AESIN2 <- P3[2]
AESIN3 <- P3[3]
AESCTRL <- 0000ofbenc032
wait until AESSTAT AND 00000001 = 0
C3[0] <- AESOUT0
C3[1] <- AESOUT1
C3[2] <- AESOUT2
C3[3] <- AESOUT3

Target Specification 90 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

// Now CV2 = a78819583f0308e7a6bf36b1386abf23

AESIN0 <- P4[0]
AESIN1 <- P4[1]
AESIN2 <- P4[2]
AESIN3 <- P4[3]
AESCTRL <- 0000ofbenc032
wait until AESSTAT AND 00000001 = 0
C4[0] <- AESOUT0

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

C4[1] <- AESOUT1
C4[2] <- AESOUT2
C4[3] <- AESOUT3
// Now CV0 = c6d3416d29165c6fcb8e51a227ba994e

now, the output is:

C1[0] = 2ED93F3B
C1[1] = 20AD2DB7
C1[2] = F8493433
C1[3] = 4AFB3CE8
C2[0] = 8D508977
C2[1] = 038F9116
C2[2] = DA523CF5
C2[3] = 25D84EC5
C3[0] = 1E054097
C3[1] = F6EC5F9C
C3[2] = A8F74443
C3[3] = CCED6022
C4[0] = 28654C30
C4[1] = 78C759F6
C4[2] = D910A566
C4[3] = 5EAED6C1

Encryption with OFB mode with key in K3, in a pipelined version:

AESIN0 <- k[0]

AESIN1 <- k[1]
AESIN2 <- k[2]
AESIN3 <- k[3]
AESCTRL <- 0000loadkey030
AESIN0 <- IV[0]
AESIN1 <- IV[1]
AESIN2 <- IV[2]
AESIN3 <- IV[3]
AESCTRL <- 0000loadCV002
// Now CV2 = 000102030405060708090a0b0c0d0e0f
AESIN0 <- P1[0]
AESIN1 <- P1[1]
AESIN2 <- P1[2]
AESIN3 <- P1[3]
AESCTRL <- 0000ofbenc032

Target Specification 91 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

AESIN0 <- P2[0]

AESIN1 <- P2[1]
AESIN2 <- P2[2]
AESIN3 <- P2[3]
// Now CV2 = 50fe67cc996d32b6da0937e99bafec60
AESCTRL <- 0000ofbenc032
C1[0] <- AESOUTSAVE0
C1[1] <- AESOUTSAVE1

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

C1[2] <- AESOUTSAVE2
C1[3] <- AESOUTSAVE3
AESIN0 <- P3[0]
AESIN1 <- P3[1]
AESIN2 <- P3[2]
AESIN3 <- P3[3]
// Now CV2 = d9a4dada0892239f6b8b3d7680e15674
AESCTRL <- 0000ofbenc032
C2[0] <- AESOUTSAVE0
C2[1] <- AESOUTSAVE1
C2[2] <- AESOUTSAVE2
C2[3] <- AESOUTSAVE3
AESIN0 <- P4[0]
AESIN1 <- P4[1]
AESIN2 <- P4[2]
AESIN3 <- P4[3]
// Now CV2 = a78819583f0308e7a6bf36b1386abf23
AESCTRL <- 0000ofbenc032
C3[0] <- AESOUTSAVE0
C3[1] <- AESOUTSAVE1
C3[2] <- AESOUTSAVE2
C3[3] <- AESOUTSAVE3
// Now CV0 = c6d3416d29165c6fcb8e51a227ba994e
C4[0] <- AESOUT0
C4[1] <- AESOUT1
C4[2] <- AESOUT2
C4[3] <- AESOUT3

now, the output is again the same as above.

5. CFB mode

NIST SP800-38A [6]:

"CFB128-AES192.Encrypt
Key 2b7e151628aed2a6abf7158809cf4f3c
IV 000102030405060708090a0b0c0d0e0f
Segment #1
Input Block 000102030405060708090a0b0c0d0e0f
Output Block 50fe67cc996d32b6da0937e99bafec60
Plaintext 6bc1bee22e409f96e93d7e117393172a
Ciphertext 3b3fd92eb72dad20333449f8e83cfb4a
Segment #2
Input Block 3b3fd92eb72dad20333449f8e83cfb4a

Target Specification 92 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

Output Block 668bcf60beb005a35354a201dab36bda

Plaintext ae2d8a571e03ac9c9eb76fac45af8e51
Ciphertext c8a64537a0b3a93fcde3cdad9f1ce58b
Segment #3
Input Block c8a64537a0b3a93fcde3cdad9f1ce58b
Output Block 16bd032100975551547b4de89daea630
Plaintext 30c81c46a35ce411e5fbc1191a0a52ef
Ciphertext 26751f67a3cbb140b1808cf187a4f4df

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

Segment #4
Input Block 26751f67a3cbb140b1808cf187a4f4df
Output Block 36d42170a312871947ef8714799bc5f6
Plaintext f69f2445df4f9b17ad2b417be66c3710
Ciphertext c04b05357c5d1c0eeac4c66f9ff7f2e6"

key = 2b7e151628aed2a6abf7158809cf4f3c
IV = 000102030405060708090a0b0c0d0e0f
P1 = 6bc1bee22e409f96e93d7e117393172a
P2 = ae2d8a571e03ac9c9eb76fac45af8e51
P3 = 30c81c46a35ce411e5fbc1191a0a52ef
P4 = f69f2445df4f9b17ad2b417be66c3710
C1 = 3b3fd92eb72dad20333449f8e83cfb4a
C2 = c8a64537a0b3a93fcde3cdad9f1ce58b
C3 = 26751f67a3cbb140b1808cf187a4f4df
C4 = c04b05357c5d1c0eeac4c66f9ff7f2e6

Encryption with CFB mode with key in K5 and IV in CV0:

AESIN0 <- k[0]

AESIN1 <- k[1]
AESIN2 <- k[2]
AESIN3 <- k[3]
AESCTRL <- 0000loadkey050
AESIN0 <- IV[0]
AESIN1 <- IV[1]
AESIN2 <- IV[2]
AESIN3 <- IV[3]
AESCTRL <- 0000loadCV000
// Now CV0 = 000102030405060708090a0b0c0d0e0f
AESIN0 <- P1[0]
AESIN1 <- P1[1]
AESIN2 <- P1[2]
AESIN3 <- P1[3]
AESCTRL <- 0000cfbenc050
wait until AESSTAT AND 00000001 = 0
C1[0] <- AESOUT0
C1[1] <- AESOUT1
C1[2] <- AESOUT2
C1[3] <- AESOUT3
// Now CV0 = 3b3fd92eb72dad20333449f8e83cfb4a
AESIN0 <- P2[0]

Target Specification 93 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

AESIN1 <- P2[1]

AESIN2 <- P2[2]
AESIN3 <- P2[3]
AESCTRL <- 0000cfbenc050
wait until AESSTAT AND 00000001 = 0
C2[0] <- AESOUT0
C2[1] <- AESOUT1
C2[2] <- AESOUT2

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

C2[3] <- AESOUT3
// Now CV0 = c8a64537a0b3a93fcde3cdad9f1ce58b
AESIN0 <- P3[0]
AESIN1 <- P3[1]
AESIN2 <- P3[2]
AESIN3 <- P3[3]
AESCTRL <- 0000cfbenc050
wait until AESSTAT AND 00000001 = 0
C3[0] <- AESOUT0
C3[1] <- AESOUT1
C3[2] <- AESOUT2
C3[3] <- AESOUT3
// Now CV0 = 26751f67a3cbb140b1808cf187a4f4df
AESIN0 <- P4[0]
AESIN1 <- P4[1]
AESIN2 <- P4[2]
AESIN3 <- P4[3]
AESCTRL <- 0000cfbenc050
wait until AESSTAT AND 00000001 = 0
C4[0] <- AESOUT0
C4[1] <- AESOUT1
C4[2] <- AESOUT2
C4[3] <- AESOUT3
// Now CV0 = c04b05357c5d1c0eeac4c66f9ff7f2e6

now, the output is:

C1[0] = 2ED93F3B
C1[1] = 20AD2DB7
C1[2] = F8493433
C1[3] = 4AFB3CE8
C2[0] = 3745A6C8
C2[1] = 3FA9B3A0
C2[2] = ADCDE3CD
C2[3] = 8BE51C9F
C3[0] = 671F7526
C3[1] = 40B1CBA3
C3[2] = F18C80B1
C3[3] = DFF4A487
C4[0] = 35054BC0
C4[1] = 0E1C5D7C
C4[2] = 6FC6C4EA
C4[3] = E6F2F79F

Target Specification 94 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

Encryption with CFB mode with key in K5, in a pipelined version:

AESIN0 <- k[0]

AESIN1 <- k[1]
AESIN2 <- k[2]
AESIN3 <- k[3]
AESCTRL <- 0000loadkey050

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

AESIN0 <- IV[0]
AESIN1 <- IV[1]
AESIN2 <- IV[2]
AESIN3 <- IV[3]
AESCTRL <- 0000loadCV000
// Now CV0 = 000102030405060708090a0b0c0d0e0f
AESIN0 <- P1[0]
AESIN1 <- P1[1]
AESIN2 <- P1[2]
AESIN3 <- P1[3]
AESCTRL <- 0000cfbenc050
AESIN0 <- P2[0]
AESIN1 <- P2[1]
AESIN2 <- P2[2]
AESIN3 <- P2[3]
// Now CV0 = 3b3fd92eb72dad20333449f8e83cfb4a
AESCTRL <- 0000cfbenc050
C1[0] <- AESOUTSAVE0
C1[1] <- AESOUTSAVE1
C1[2] <- AESOUTSAVE2
C1[3] <- AESOUTSAVE3
AESIN0 <- P3[0]
AESIN1 <- P3[1]
AESIN2 <- P3[2]
AESIN3 <- P3[3]
// Now CV0 = c8a64537a0b3a93fcde3cdad9f1ce58b
AESCTRL <- 0000cfbenc050
C2[0] <- AESOUTSAVE0
C2[1] <- AESOUTSAVE1
C2[2] <- AESOUTSAVE2
C2[3] <- AESOUTSAVE3
AESIN0 <- P4[0]
AESIN1 <- P4[1]
AESIN2 <- P4[2]
AESIN3 <- P4[3]
// Now CV0 = 26751f67a3cbb140b1808cf187a4f4df
AESCTRL <- 0000cfbenc050
C3[0] <- AESOUTSAVE0
C3[1] <- AESOUTSAVE1
C3[2] <- AESOUTSAVE2
C3[3] <- AESOUTSAVE3
// Now CV0 = c04b05357c5d1c0eeac4c66f9ff7f2e6
C4[0] <- AESOUT0

Target Specification 95 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

C4[1] <- AESOUT1

C4[2] <- AESOUT2
C4[3] <- AESOUT3

now, the output is again the same as above.

6. XTS-mode

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

IEEE 1619-2007:
"Annex B" Vector 8
Key1 = 27182818284590452353602874713526
Key2 = 31415926535897932384626433832795
i = fe000000000000000000000000000000
P1 = d55f684f81f4426e9fde92a5ff02df2a
P2 = c896af63962888a97910c1379e20b0a3
P3 = b1db613fb7fe2e07004329ea5c22bfd3
P4 = 3e3dbe4cf58cc608c2c26c19a2e2fe22
where these hexadecimal strings have to be interpreted, e.g., in the way that the 16
bytes are concatenated as:
B = b_0|b_1|b_2|b_3|b_4|b_5|b_6|b_7|b_8|b_9|b_10|b_11|b_12|b_13|b_14|b_15
On a 32-bit platform, this will be written as
arrays of 32-bit words:
key1 k1[4]
key2 k2[4]
i I[4]
P1 P1[4]
P2 P2[4]
P3 P3[4]
P4 P4[4]
C1 P1[4]
C2 P2[4]
C3 P3[4]
C4 P4[4]
with
k1[0] <- 18281827
k1[1] <- 45904528
k1[2] <- 28605323
k1[3] <- 26357174

k2[0] <- 26594131

k2[1] <- 93975853
k2[2] <- 64628423
k2[3] <- 95278333

I[0] <- 000000FE

I[1] <- 00000000
I[2] <- 00000000
I[3] <- 00000000

P1[0] <- 4F685FD5

P1[1] <- 6E42F481

Target Specification 96 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

P1[2] <- A592DE9F

P1[3] <- 2ADF02FF
P2[0] <- 63AF96C8
P2[1] <- A9882896
P2[2] <- 37C11079
P2[3] <- A3B0209E
P3[0] <- 3F61DBB1
P3[1] <- 072EFEB7

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

P3[2] <- EA294300
P3[3] <- D3BF225C
P4[0] <- 4CBE3D3E
P4[1] <- 08C68CF5
P4[2] <- 196CC2C2
P4[3] <- 22FEE2A2

Key1 27182818284590452353602874713526
Key2 31415926535897932384626433832795
i fe000000000000000000000000000000
j start with 0
Block #1
Plaintext d55f684f81f4426e9fde92a5ff02df2a
Ciphertext 72efc1ebfe1ee25975a6eb3aa8589dda
Block #2
Plaintext c896af63962888a97910c1379e20b0a3
Ciphertext 2b261f1c85bdab442a9e5b2dd1d7c395
Block #3
Plaintext b1db613fb7fe2e07004329ea5c22bfd3
Ciphertext 7a16fc08e526d4b1223f1b1232a11af2
Block #4
Plaintext 3e3dbe4cf58cc608c2c26c19a2e2fe22
Ciphertext 74c3d70dac57f83e0983c498f1a6f1ae

Encryption with XTS mode with key1 in K5 and key2 in K4:

AESIN0 <- k2[0]

AESIN1 <- k2[1]
AESIN2 <- k2[2]
AESIN3 <- k2[3]
AESCTRL <- 0000loadkey040
AESIN0 <- I[0]
AESIN1 <- I[1]
AESIN2 <- I[2]
AESIN3 <- I[3]
AESCTRL <- 0000ecbenc040
wait until AESSTAT AND 00000001 = 0
AESIN0 <- AESOUT0
AESIN1 <- AESOUT1
AESIN2 <- AESOUT2
AESIN3 <- AESOUT3
AESCTRL <- 0000loadCV002
// Now CV2 = AES-enc(key2,i)

Target Specification 97 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

AESIN0 <- k1[0]

AESIN1 <- k1[1]
AESIN2 <- k1[2]
AESIN3 <- k1[3]
AESCTRL <- 0000loadkey050
// Now K5 = key1
AESIN0 <- P1[0]
AESIN1 <- P1[1]

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

AESIN2 <- P1[2]
AESIN3 <- P1[3]
AESCTRL <- 000xtsenc052
wait until AESSTAT AND 00000001 = 0
C1[0] <- AESOUT0
C1[1] <- AESOUT1
C1[2] <- AESOUT2
C1[3] <- AESOUT3
AESIN0 <- P2[0]
AESIN1 <- P2[1]
AESIN2 <- P2[2]
AESIN3 <- P2[3]
AESCTRL <- 000xtsenc052
wait until AESSTAT AND 00000001 = 0
C2[0] <- AESOUT0
C2[1] <- AESOUT1
C2[2] <- AESOUT2
C2[3] <- AESOUT3
AESIN0 <- P3[0]
AESIN1 <- P3[1]
AESIN2 <- P3[2]
AESIN3 <- P3[3]
AESCTRL <- 000xtsenc052
wait until AESSTAT AND 00000001 = 0
C3[0] <- AESOUT0
C3[1] <- AESOUT1
C3[2] <- AESOUT2
C3[3] <- AESOUT3
AESIN0 <- P4[0]
AESIN1 <- P4[1]
AESIN2 <- P4[2]
AESIN3 <- P4[3]
AESCTRL <- 000xtsenc052
wait until AESSTAT AND 00000001 = 0
C4[0] <- AESOUT0
C4[1] <- AESOUT1
C4[2] <- AESOUT2
C4[3] <- AESOUT3

now, the output is

C1[0] <- EBC1EF72

C1[1] <- 59E21EFE

Target Specification 98 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

C1[2] <- 3AEBA675

C1[3] <- DA9D58A8
C2[0] <- 1C1F262B
C2[1] <- 44ABBD85
C2[2] <- 2D5B9E2A
C2[3] <- 95C3D7D1
C3[0] <- 08FC167A
C3[1] <- B1D426E5

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

C3[2] <- 121B3F22
C3[3] <- F21AA132
C4[0] <- 0DD7C374
C4[1] <- 3EF857AC
C4[2] <- 98C48309
C4[3] <- AEF1A6F1

8. GCM-mode
Reference
McGrew, after Test Case 4 (slightly changed)
Key = feffe9928665731c6d6a8f9467308308
IV = cafebabefacedbaddecaf888
A1 = feedfacedeadbeeffeedfacedeadbeef
A2 = abaddad2
P1 = d9313225f88406e5a55909c5aff5269a
P2 = 86a7a9531534f7da2e4c303d8a318a72
P3 = 1c3c0c95956809532fcf0e2449a6b525
P4 = b16aedf5aa0de657ba637b3900000000
L = 00000000000000a00000000000000200
where these hexadecimal strings have to be interpreted, e.g., in the way that the 16
bytes are concatenated as:
B = b_0|b_1|b_2|b_3|b_4|b_5|b_6|b_7|b_8|b_9|b_10|b_11|b_12|b_13|b_14|b_15
On a 32-bit platform, this will be written as
arrays of 32-bit words:
key k[4]
IV I[4]
A1 A1[4]
A2 A2[4]
P1 P1[4]
P2 P2[4]
P3 P3[4]
P4 P4[4]
L L[4]
C1 C1[4]
C2 C2[4]
C3 C3[4]
C4 C4[4]
T T[4]
with

k[0] <- 92E9FFFE

k[1] <- 1C736586

Target Specification 99 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

k[2] <- 948F6A6D

k[3] <- 08833067
I[0] <- BEBAFECA
I[1] <- ADDBCEFA
I[2] <- 88F8CADE
I[3] <- 01000000
A1[0] <- CEFAEDFE
A1[1] <- EFBEADDE

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

A1[2] <- CEFAEDFE
A1[3] <- EFBEADDE
A2[0] <- D2DAADAB
A2[1] <- 00000000
A2[2] <- 00000000
A2[3] <- 00000000
P1[0] <- 253231D9
P1[1] <- E50684F8
P1[2] <- C50959A5
P1[3] <- 9A26F5AF
P2[0] <- 53A9A786
P2[1] <- DAF73415
P2[2] <- 3D304C2E
P2[3] <- 728A318A
P3[0] <- 950C3C1C
P3[1] <- 53096895
P3[2] <- 240ECF2F
P3[3] <- 25B5A649
P4[0] <- F5ED6AB1
P4[1] <- 57E60DAA
P4[2] <- 397B63BA
P4[3] <- 00000000
L[0] <- 00000000
L[1] <- A0000000
L[2] <- 00000000
L[3] <- 00020000

Key feffe9928665731c6d6a8f9467308308
IV cafebabefacedbaddecaf88800000001
H b83b533708bf535d0aa6e52980d53b78

Encryption with GCM mode with key in K5, IV in CV0, H in CV1:

AESIN0 <- k[0]

AESIN1 <- k[1]
AESIN2 <- k[2]
AESIN3 <- k[3]
AESCTRL <- 0000loadkey050
// Now k in K5
AESIN0 <- 00000000
AESIN1 <- 00000000
AESIN2 <- 00000000
AESIN3 <- 00000000

Target Specification 100 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

AESCTRL <- 0000loadCV002

// Clear CV2 = 0
AESCTRL <- 0000ecbenc050
wait until AESSTAT AND 00000001 = 0
// Now H in AESOUT
AESIN0 <- AESOUT0
AESIN1 <- AESOUT1
AESIN2 <- AESOUT2

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

AESIN3 <- AESOUT3
AESCTRL <- 0000loadCV001
// Now H in CV1 = b83b533708bf535d0aa6e52980d53b78
AESIN0 <- I[0]
AESIN1 <- I[1]
AESIN2 <- I[2]
AESIN3 <- I[3]
AESCTRL <- 0000loadCV000
// Now IV in CV0 = cafebabefacedbaddecaf88800000001
AESCTRL <- 0000ctrenc050
// Dummy encryption for incrementation of CV0
// Now inc32(IV) in CV0
AESIN0 <- A1[0]
AESIN1 <- A1[1]
AESIN2 <- A1[2]
AESIN3 <- A1[3]
AESCTRL <- 000gcmmac000
wait until AESSTAT AND 00000001 = 0
// Now CV2 = ED56AAF8A72D67049FDB9228EDBA1322
AESIN0 <- A2[0]
AESIN1 <- A2[1]
AESIN2 <- A2[2]
AESIN3 <- A2[3]
AESCTRL <- 000gcmmac000
wait until AESSTAT AND 00000001 = 0
// Now CV2 = CD47221CCEF0554EE4BB044C88150352
AESIN0 <- P1[0]
AESIN1 <- P1[1]
AESIN2 <- P1[2]
AESIN3 <- P1[3]
AESCTRL <- 000gcmenc050
wait until AESSTAT AND 00000001 = 0
// Now CV2 = 54F5E1B2B5A8F9525C23924751A3CA51
C1[0] <- AESOUT0
C1[1] <- AESOUT1
C1[2] <- AESOUT2
C1[3] <- AESOUT3
AESIN0 <- P2[0]
AESIN1 <- P2[1]
AESIN2 <- P2[2]
AESIN3 <- P2[3]
AESCTRL <- 000gcmenc050
wait until AESSTAT AND 00000001 = 0

Target Specification 101 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

// Now CV2 = 324F585C6FFC1359AB371565D6C45F93

C2[0] <- AESOUT0
C2[1] <- AESOUT1
C2[2] <- AESOUT2
C2[3] <- AESOUT3
AESIN0 <- P3[0]
AESIN1 <- P3[1]
AESIN2 <- P3[2]

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

AESIN3 <- P3[3]
AESCTRL <- 000gcmenc050
wait until AESSTAT AND 00000001 = 0
// Now CV2 = CA7DD446AF4AA70CC3C0CD5ABBA6AA1C
C3[0] <- AESOUT0
C3[1] <- AESOUT1
C3[2] <- AESOUT2
C3[3] <- AESOUT3
AESIN0 <- P4[0]
AESIN1 <- P4[1]
AESIN2 <- P4[2]
AESIN3 <- P4[3]
AESCTRL <- 000gcmenc050
wait until AESSTAT AND 00000001 = 0
// Now CV2 = 8E8C2F3823398AD4C475594827899155
// CV2 = 1590DF9B2EB6768289E57D56274C8570 is the value according to unchanged case.
C4[0] <- AESOUT0
C4[1] <- AESOUT1
C4[2] <- AESOUT2
C4[3] <- AESOUT3
// C4[3] = 5d908bd0
AESIN0 <- L[0]
AESIN1 <- L[1]
AESIN2 <- L[2]
AESIN3 <- L[3]
AESCTRL <- 000gcmmac000
wait until AESSTAT AND 00000001 = 0
// Now CV2 = 57AAFAF870DDDF6EB1CE6E77B798_A5DF
// CV2 = 698E57F70E6ECC7FD9463B7260A9AE5F is the value according to unchanged case.
AESIN0 <- I[0]
AESIN1 <- I[1]
AESIN2 <- I[2]
AESIN3 <- I[3]
AESCTRL <- 0000loadCV000
// Now IV in CV0
AESCTRL <- 0000readCV002
wait until AESSTAT AND 00000001 = 0
AESIN0 <- AESOUT0
AESIN1 <- AESOUT1
AESIN2 <- AESOUT2
AESIN3 <- AESOUT3
AESCTRL <- 0000ctrenc050
wait until AESSTAT AND 00000001 = 0

Target Specification 102 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

AES 128 Encryption / Decryption Device Confidential

T[0] <- AESOUT0

T[1] <- AESOUT1
T[2] <- AESOUT2
T[3] <- AESOUT3
now, the output is

C1[0] = C21E8342
C1[1] = 24747721

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

C1[2] = B721724B
C1[3] = 9CD4D084
C2[0] = 2F21AAE3
C2[1] = E0A4022C
C2[2] = 237EC135
C2[3] = 2EA1AC29
C3[0] = B214D521
C3[1] = 1C936654
C3[2] = 5A6A8F7D
C3[3] = 05AA84AC
C4[1] = 390BA31B
C4[2] = 97AC0A6A
C4[3] = 91E0583D
T[0] = B3E2ED65
T[1] = CAB6924C
T[2] = 5FBC72FC
T[3] = C7112330

T 65ED_E2B3_4C92_B6CA_FC72_BC5F_3023_11C7
// 5BC9_4FBC_3221_A5DB_94FA_E95A_E712_1A47 is the value according to unchanged case.

Target Specification 103 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Hash Module Confidential

5 Hash Module

5.1 Features
The hash module supports different hashing algorithms. It works in a block-oriented way and uses a FIFO and
an internal block buffer to maximize data throughput. To support different protocols, it also includes an
endianness converter.

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

The module is intended to be used for signature generation, verification and generic data integrity checks. The
following table summarizes the supported hash algorithms and the performance of the module.

Table 5-1 Hash Algorithms and Performance

Algorithm Clock Cycles per Notes
512-bit Data Block
MD-5 65 —
SHA-1 81 —
SHA-224 65 Special software handling needed, see Section 5.2.4
SHA-256 65 —

The module supports multi-tasking environments; however, for preemptive multi-tasking, it will be necessary
to use a software abstraction layer as the module does not support stopping or resuming hash calculations at
arbitrary points in time.

Target Specification 104 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Hash Module Confidential

5.2 Functional Description

The hash module works in a block-oriented way. To achieve maximum performance, a doublebuffering
scheme is implemented. A 64-byte internal buffer stores 512 bits of data to be hashed. If this buffer is filled, the
hash calculation is started. While the hash module is busy, the next 512 bits of data can already be written into
the module.
The module itself can be used in a word-oriented way or in block mode. In word mode, the HASH_STAT.DF_NF
bit must be polled after each 32-bit data write. In block mode, 512 bits of data must be written before the bit

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

is polled. Obviously, the performance in block mode is much higher.
Data is written into a 32-bit wide FIFO which has 16 entries (this equals the 512-bit block size needed by the
hash algorithms). When this FIFO is full, its contents is copied into an internal buffer which is then hashed.
After all data to be hashed has been written and the hashing operation of the last written data block has
finished (indicated by HASH_STAT.BSY == 0), the result can be read from the hash result value register
HASH_VAL. Since the length of the result depends on the chosen hash algorithm, a counter in the status
register indicates the amount of 32-bit words which are available in the output register.
If the result is read from HASH_VAL when the HASH_STAT.BSY bit is still 1, zero values are read. The read
operation of the hash value is destructive; that means the result can be read only once from the module. When
HASH_STAT.CNT reached 0, the result cannot be read again; reading further data returns zero values.

5.2.1 Data Transfers and FIFO Flag

After reset or after a write to the HASH_CFG register, the internal buffer and the FIFO are empty. Bit
HASH_STAT.DF_NF is set which indicates that 64 bytes can be written into the FIFO. After 64 bytes have been
written, this bit will change from 1 to 0.

Note: The busy flag HASH_STAT.BSY will already change from 0 to 1 after the first 32 bits are written to the data
register.

When the FIFO is full, its contents is copied into the internal buffer; after the first word has been copied,
HASH_STAT.DF_NF will already be read as 1 again. The whole copy operation needs 16 clock cycles. The
DF_NF bit will only be read as 0 when the software writes 64 bytes (512 bits) while the hash engine is still busy
and cannot receive new data.
The hashing operation starts after the FIFO contents has been copied into the internal buffer; when hashing
of the internal buffer is done, the HASH_STAT.BSY flag will change back from 1 to 0. If the FIFO has been filled
again already when the hashing of the internal buffer finishes, it is immediately copied again and hashed
(which implies that HASH_STAT.BSY will be read as 1 again).
The word order of the data which is sent to the module is fixed; the most significant word (MSW) should always
be sent first. The word order of the result which is read from the module can be programmed. The byte order
can be changed for both input and output data (see Section 5.2.5).

5.2.2 Output Data Size

The length of the data which is read from the module (the hash digest) depends on the chosen algorithm.
When calculation of the hash value is finished, the HASH_STAT.CNT field holds the number of output words.
The word order of the digest output can be configured using HASH_CFG.ORDER_OUT as shown in Figure 5-1
(note that this bit has to be set as needed before data is sent to the module since writing HASH_CFG resets the
hash engine and clears the data FIFO).

Target Specification 105 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Hash Module Confidential

Hash Algorithm Output

MSW LSW
SHA-224*/SHA-256

SHA-1

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

MD-5

H0 H1 H2 H3 H4 H5 H6 H7

HASH_CFG.ORDER_OUT == 0 HASH_CFG.ORDER_OUT == 1
(LSW first) (MSW first)

SHA- SHA- SHA- SHA-

MD-5 SHA-1 MD-5 SHA-1
224* 256 224* 256

H3 H4 H7 H7 first H0 H0 H0 H0

H2 H3 H6 H6 H1 H1 H1 H1

H1 H2 H5 H5 H2 H2 H2 H2

H0 H1 H4 H4 H3 H3 H3 H3

H0 H3 H3 H4 H4 H4

H2 H2 H5 H5

H1 H1 H6 H6
H0 H0 last H7 H7

* note that word H7 must be discarded

in software for SHA-224 operations
Hash_OutputOrder .vsd

Figure 5-1 Word Order of Hash Digest Output

5.2.3 User-Defined Initialization Vector (Multiapplication Support)

The hash module supports user-defined initialization vectors. This allows support of multitasking as well:
when one task uses the hash module and is interrupted, it just has to save the current hash value and reload
it as initialization value after the task runs again (note that saving and restoring the current hash value is only
possible after a running hash operation has finished which is indicated by HASH_STAT.BSY == 0).
As interleaved reading and writing of data is not possible (for instance, writes to the initialization vector
register HASH_IVIN must not be interleaved with writes to HASH_DATA or reads from HASH_VAL), a software

Target Specification 106 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Hash Module Confidential

abstraction layer is necessary to fully support preemptive multitasking. This layer must also assure that writes
to HASH_DATA and reads from HASH_VAL are not interleaved.
The length of the initialization vector depends on the selected hash algorithm. After selecting the hash
algorithm using the HASH_CFG.ALGO bitfield and enabling the use of a predefined initialization vector by
setting the HASH_CFG.IV_MODE bit to 1, the initialization vector to be used is written into the HASH_IVIN
register (with the most significant word first).
Writing HASH_CFG.IV_MODE to 1 does not change the current initialization vector (which also implies that the
vector is not automatically reset to the default value of the currently selected hash algorithm). This is only

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

done by writing the new vector into the HASH_IVIN register. If HASH_CFG.IV_MODE is set but no vector is
written into HASH_IVIN, the hash digest from the previous calculation is used as initialization vector.
The length of the initialization vector for MD-5 is 128 bits, that means that four write accesses to HASH_IVIN
are necessary. If SHA-1 is selected, five accesses are necessary to write 160 bits; for SHA-224 and SHA-256,
eight write accesses are needed to write 256 bits (also refer to Section 5.2.4 for SHA-224).
If sufficient bits have been written into the HASH_IVIN register, the bit HASH_STAT.IV_OK will be set to 1 by
the hardware which indicates that the initialization vector is ok. If more data is written to the HASH_IVIN
register, this bit will be reset to 0 until a full initialization vector has been written again.
As long as no settings have to be changed in HASH_CFG, it is possible to just write a different initialization
vector to HASH_IVIN after a hash operation finished without writing HASH_CFG again (that means, the
HASH_CFG.IV_MODE bit is not reset by hardware once an initialization vector has been loaded into the
module).

Note: If the HASH_STAT.BSY bit is set, writes to HASH_IVIN are ignored.

5.2.4 SHA-224 Hash Support

The module can also be used to calculate SHA-224 hashes. This is done using a user-defined initialization
vector and selecting the SHA-256 algorithm in the HASH_CFG.ALGO bitfield (this can be done since the
calculation of SHA-256 and SHA-224 is identical; only the initialization vector is different and 32 bits of the
result are discarded). For a detailed flow, please refer to Section 5.4.4.
If the calculation of the hash value has to be interrupted after some data blocks have been written (also see
Section 5.2.3), software has to read the current value from HASH_VAL and later re-enter it as user-defined
initialization vector into the HASH_IVIN register. This is the same flow used for other hash algorithms as well;
however, note that all eight 32-bit values have to be read and restored into the initialization value register.

5.2.5 Endianness
The data format employed by each hashing algorithm is specified in the respective specification documents.
Regarding byte endianness, MD-5 expects little-endian data (most-significant-byte right), while SHA-x expect
big-endian data (most-significant-byte left).
To ease the usage of the hash module, the hardware takes care of arranging the bytes in the order needed by
the target algorithm. Furthermore, the expected byte endianness can be programmed via configuration bits
BEND_IN / BEND_OUT in the HASH_CFG register. BEND_IN defines the byte order interpretation for registers
HASH_DATA and HASH_IVIN, while BEND_OUT defines the endianness of the HASH_VAL register.
The resulting 16-word input block given to the internal hash engine is shown in Figure 5-2 for BEND_IN == 0
and in Figure 5-3 for BEND_IN == 1. The hardware takes care of feeding each algorithm (MD-5 / SHA-1 / SHA-
224 / SHA-256) with the proper byte order according to the standard.

Target Specification 107 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Hash Module Confidential

Attention: Byte swapping is performed in HW for MD-5 when BEND_IN = 0 and for SHA-x when BEND_IN
= 1 (i.e. when a hash function is executed with its non-default endianness). The SW must
take into account HW byte swapping, so that padding data must be pre-swapped in such
cases.
Similarly, algorithm results are sent out according to the BEND_OUT configuration. Note that, according to
the MD-5 specifications, the resulting string should be read out in little-endian format (hence BEND_OUT
should be set to 1), while in the case of SHA-x, the result should be interpreted as big-endian (BEND_OUT = 0).

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

However, the SW has full control over the desired output format.

Attention: Output data byte swapping is performed in HW for MD-5 when BEND_OUT = 0 and for SHA-x
when BEND_OUT = 1.

Target Specification 108 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Hash Module Confidential

32-bit data words from FIFO

31-24 23-16 15-8 7-0
01 02 03 04 First word

05 06 07 08 Second word

09 80 00 00 Third word (incl. padding)

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

SH
-5

A-
x
04 03 02 01 word 0 01 02 03 04

08 07 06 05 05 06 07 08
00 00 80 09 09 80 00 00

00 00 00 00 00 00 00 00

00 00 00 00 00 00 00 00
Padding: 00 00 00 00 00 00 00 00 Padding:
´1´ followed by a ´1´ followed by a
sequence of ´0´s 00 00 00 00 00 00 00 00 sequence of ´0´s
00 00 00 00 00 00 00 00

00 00 00 00 00 00 00 00

00 00 00 00 00 00 00 00
64-bit value 00 00 00 48 00 00 00 00 64-bit value (bit
(bit counter) counter)
LSW first 00 00 00 00 word 15 00 00 00 48 MSW first

Hash_BigEndian .vsd

Figure 5-2 Hash Data Format Big Endian System (BEND_IN = 0)

Target Specification 109 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Hash Module Confidential

32-bit data words from FIFO

31-24 23-16 15-8 7-0
04 03 02 01 First word

08 07 06 05 Second word

00 00 80 09 Third word (incl. padding)

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

SH
-5

A-
x
04 03 02 01 word 0 01 02 03 04

08 07 06 05 05 06 07 08
00 00 80 09 09 80 00 00

00 00 00 00 00 00 00 00

00 00 00 00 00 00 00 00
Padding: 00 00 00 00 00 00 00 00 Padding:
´1´ followed by a ´1´ followed by a
sequence of ´0´s 00 00 00 00 00 00 00 00 sequence of ´0´s
00 00 00 00 00 00 00 00

00 00 00 00 00 00 00 00

00 00 00 00 00 00 00 00
64-bit value 00 00 00 48 00 00 00 00 64-bit value (bit
(bit counter) counter)
LSW first 00 00 00 00 word 15 00 00 00 48 MSW first

Hash_LittleEndian .vsd

Figure 5-3 Hash Data Format Little Endian System (BEND_IN = 1)

Target Specification 110 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Hash Module Confidential

5.3 Hash Registers

This section describes the special function registers of the hash module. All bits markes as reserved (Res) are
ignored if written; when read, these bits return a value of 0.

Table 5-2 Register Address Space

Module Base Address End Address Note
HASH E800 0400H E800 07FFH Hash module

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

Table 5-3 Register Overview
Register Short Name Register Long Name Offset Address Reset Value
Hash Registers, Configuration SFR
HASH_CFG HASH Configuration Register 00H 0000 0000H
Hash Registers, Status and Control
HASH_STAT HASH Status Register 04H 0000 0004H
HASH_IVIN Hash Initialization Value Register 08H 0000 0000H
Hash Registers, Data SFRs
HASH_VAL Hash Output Value Register 0CH 0000 0000H
HASH_DATA Hash Data Input Register 10H 0000 0000H

The registers are addressed wordwise.

Accesses to unused addresses result in a bus error.
Read accesses to write-only registers or write accesses to read-only registers result in a bus error.
Registers can only be accessed 32-bit wise and 32-bit aligned. Using 8-bit, 16-bit or un-aligned accesses results
in a bus error.

Target Specification 111 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Hash Module Confidential

5.3.1 Configuration SFR

HASH Configuration Register

Writes to this register reset the hash engine. Ongoing hash operations are aborted, the internal buffer is
cleared and the FIFO is cleared as well.

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

HASH_CFG Offset Reset Value
HASH Configuration Register 00H 0000 0000H

31 16

Res

15 8 7 6 5 4 3 2 1 0
BEND BEND ORDE IV_M
Res _IN _OUT Res R_O* ODE Res ALGO

rw rw rw rw rw

Field Bits Type Description

BEND_IN 7 rw Input Byte Endianness
This bit defines the byte order interpretation of the 32-bit input words
to the hash engine. This bit affects the byte order when data is written
to HASH_DATA or HASH_IVIN (see Section 5.2.5).
0B BIG, The MSB is the left-most byte.
1B LIT, The MSB is the right-most byte.
BEND_OUT 6 rw Output Byte Endianness
This bit defines the byte order interpretation of the 32-bit output
words of the hash engine. This bit affects the byte order when data is
read from HASH_VAL (see Section 5.2.5).
0B BIG, The MSB is the left-most byte.
1B LIT, The MSB is the right-most byte.
ORDER_OUT 4 rw Output Word Sequence Order
This bit defines whether the most significant word or the least
significant word is output first when the hash digest is read from
HASH_VAL (see Section 5.2.2).
0B LSW_FIRST, First word of the output packet is the least
significant word
1B MSW_FIRST, First word of the output packet is the most
significant word

Target Specification 112 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Hash Module Confidential

Field Bits Type Description

IV_MODE 3 rw Initialization Value Mode
Selects whether the starting state of the hash algorithm will be the
initialization value programmed to the HASH_IVIN port rather than
the default starting state.

Note: This bit is not automatically reset after a user-defined

initialization vector has been written; also refer to Section 5.2.3.

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

0B NO_IV, Hashing starts from scratch. The initialization value is
ignored.
1B USE_IV, The starting state of the hash algorithm is determined
by the previously written initialization value.
ALGO 1:0 rw Hash Algorithm
Selects the hash function to be executed. To calculate SHA-224 hash
values, please refer to Section 5.2.4.
00B NONE, No hash function is executed.
01B MD5, MD-5 hash function is executed.
10B SHA1, SHA-1 hash function is executed.
11B SHA256, SHA-256 hash function is executed.

Target Specification 113 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Hash Module Confidential

5.3.2 Status and Control

HASH Status Register

HASH_STAT Offset Reset Value

HASH Status Register 04H 0000 0004H

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

31 16

Res

15 12 11 8 7 3 2 1 0
DF_N IV_O
Res CNT Res F K BSY

r r r r

Field Bits Type Description

CNT 11:8 r Result Counter
After a hash operation finishes (bit BSY indicates idle state), this bit
field is set to the number of 32-bit words available in the hash result
register HASH_VAL. When the result register is read, each read of a 32-
bit value decrements this field.
If this bit field is 0 and data is read from HASH_VAL, zeroes will be
returned and the CNT field is not updated anymore.
DF_NF 2 r Data FIFO Not Full
If this bit is set, the data FIFO is not full, that means, additional data can
be written into the HASH_DATA register.
0B FIFO_FULL, Data FIFO currently full.
1B FIFO_NOTFULL, Data can be written into HASH_DATA.
IV_OK 1 r Initialization Vector OK
This bit indicates that a valid initialization vector has been written into
the HASH_IVIN register. Depending on the chosen hash algorithm, this
bit is set to 1 by hardware after the needed amount of bits has been
written to HASH_IVIN (see Section 5.2.3). If this bit is set and write
accesses to HASH_IVIN occur, it is reset until a full initialization vector
was written again.
This bit is also reset if the hash algorithm is changed in HASH_CFG.
0B IV_INVALID, Custom initialization vector not valid.
1B IV_VALID, Custom initialization vector is valid.

Target Specification 114 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Hash Module Confidential

Field Bits Type Description

BSY 0 r Busy Flag
This bit indicates the busy status of the hash module. Note that this bit
is set as soon as data is written into HASH_DATA.
0B HASH_IDLE, No operation.
1B HASH_BUSY, A hashing operation or initialization is ongoing.

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

Target Specification 115 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Hash Module Confidential

Hash Initialization Value Register

HASH_IVIN Offset Reset Value

Hash Initialization Value Register 08H 0000 0000H

31 0

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

HASH_INIT_VEC

Field Bits Type Description

HASH_INIT_VEC 31:0 w Hash Initialization Value
If bit HASH_CFG.IV_MODE is set, the initialization value for the hash
calculation is taken from this register. Otherwise, this register is
ignored and the default initialization value for the selected hash
algorithm is used.
Note that the amount of data this register holds is dependent on the
selected hash algorithm; be sure to set the algorithm before writing
this register. MD-5 needs 4 words (128 bit) while for the SHA-1
algorithm, 5 words (that means, 160 bits) have to be written. For
SHA-224 or SHA-256, 8 words (256 bits) must be written.
Write operations to this register have to occur as consecutive
accesses (that means, no accesses to other registers with the
exception of reading HASH_STAT must occur). If an init value for
SHA-256 shall be written, this means 8 consecutive write accesses
to this register.

Target Specification 116 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Hash Module Confidential

5.3.3 Data SFRs

Hash Output Value Register

HASH_VAL Offset Reset Value

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

Hash Output Value Register 0CH 0000 0000H

31 0

HASH_VAL

Field Bits Type Description

HASH_VAL 31:0 r Hash Output Value
After hashing has finished, the output value can be read from this
register. Depending on the selected hash algorithm, this needs several
consecutive read accesses (4 reads for MD-5, 5 reads for SHA-1 and 8
reads for SHA-256; SHA-224 needs 7 or 8 reads depending on the
output word order, see Section 5.2.2).
Each read decrements the HASH_STAT.CNT bit field (this bit field
counts the number of 32-bit words available as result) until that field is
0.

Target Specification 117 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Hash Module Confidential

Hash Data Input Register

HASH_DATA Offset Reset Value

Hash Data Input Register 10H 0000 0000H

31 0

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

HASH_DATA

Field Bits Type Description

HASH_DATA 31:0 w Hash Input Data
Data to be hashed is written into this register. This fills the internal
data FIFO; after 512 bits have been written, the whole data block is
copied from the FIFO into the hash buffer and is hashed. In the
meantime, the data FIFO can be filled again.
Note that hashing only starts after exactly 512 bits have been written
into this register (that means 16 write accesses). No automatic
padding of the data block is done in the module.

Target Specification 118 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

b) Check that HASH_STAT.IV_OK is 1.

c) Write 64-byte data block to HASH_DATA.
d) Poll until HASH_STAT.BSY is 0.
e) Read the hash digest from HASH_VAL and save it as current digest of application B.
5. Repeat steps 3 and 4 until all data of the applications has been hashed.
Obviously, the applications can hash more than one block of data when they are scheduled to use the module
(but steps 3a...3e and 4a...4e of the above description must not be interrupted by a task switch). If the

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

applications use different settings or algorithms, each application has to initialize the module by itself (that
means, step 2 of the description above would have to be done by each application whenever it is scheduled to
use the hash module).
Note that for SHA-224, it is mandatory that all eight words of the intermediate digest are read out and later
written back as initialization vector (even though for the final result, only seven words are valid, see
Section 5.2.4).

5.5 Debug Support

Due to the fact that most accesses to the module are either destructive read operations or change the internal
state of the hash engine, the debug support of this module is limited.
If a user-defined initialization vector is used and is written into HASH_IVIN, it is not possible to read back that
vector (or any part of it) since HASH_IVIN is a write-only register. Similarly, hash data written to the data FIFO
via the HASH_DATA register cannot be read back; it is not possible to read the FIFO fill level.
The hash digest register HASH_VAL is read-only. The result can only be read once from this register
(destructive read), it is not possible in any way to read the result (or parts of it) in a debug break environment
and then restore that result to be available again in a runtime environment.
Note that it is possible to read the HASH_STAT register while an initialization vector is written into
HASH_IVIN; however, no other register accesses must occur during that write of the user-defined vector.

Target Specification 121 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

PKC Module Confidential

6 PKC Module
This chapter describes the HSM's Public Key Cryptography module PKC. It contains the following sections:
• Introduction.
• Algorithms.
• Register Architecture and Programming Model.
• PKC SFRs.

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

• Shared Crypto Memory.
• Further detailed definition/specification of commands
• Pseudo Coding Example with Test Data

6.1 Introduction
The PKC module is a hardware module that supports fast signature generation and verification with ECDSA.
In particular, it enables modular and non-modular operations on integers and binary polynomials up to 256
bit length:
• Multiplication
• Modular addition and subtraction
• Modular multiplication
• Modular inversion and division
• Modular exponentiation
It enables also complex algorithms on all common elliptic curves of bitlength up to 256, like
• Addition of two points in affine coordinates
• Doubling of a point in affine coordinates
• Scalar multiplication
The supported curves are all curves defined over finite fields of the type Fp and GF(2d)= F2[X]/f of bitlength up
to 256 bit length. This includes the NIST curves P-192, P-224, P-256, K-163, B-163, K-233, B-233, as well as the
Brainpool curves brainpoolP160r1, brainpoolP192r1, brainpoolP224r1, brainpoolP256r1.
Additionally support for operations on Curve25519 and Ed25519 is included.
Furthermore, the PKC module supports the following features:
• Storage for 32 values (integers or binary polynomials) of up to 256 bit length.
• Generation of 200 ECDSA-signature/s @100MHz for elliptic curves of key-length 256.
• Verification of 100 ECDSA-signature/s @100MHz for elliptic curves of key-length 256.

Target Specification 122 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

PKC Module Confidential

6.2 Algorithms
The PKC module enables the efficient implementation of the operations and algorithms described below.
For the following, the notations, concepts, and abbreviations are used:
• Z:
– Ring of integers: Z = {..., -3, -2, -1, 0, 1, 2, 3, ...}
– The elements are usually represented as signed or unsigned integers, as known from, e.g., C-language.
Note that on a real physical device, the representation of integers is always restricted to a certain

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

subset of Z, e.g., [0,2n[ or [-2n,2n[.
– Furthermore addition (ADD), subtraction (SUB), and multiplication (MULT) operations are defined on
the elements of Z. They are the well known operations on integers.
• F2 :
– Field of two elements, also sometimes written as GF(2).
– The elements are the values 0 and 1, and are usually represented by a single bit.
– Furthermore addition (ADD), subtraction (SUB), and multiplication (MULT) operations are defined on
the elements of F2. Addition and Subtraction are the same operation and correspond to the logic XOR
operation. Multiplication corresponds to the logic AND operation.
• F2[X]:
– Ring of binary polynomials.
– The elements f are polynomials in X with coefficients ai in F2:
f(X) = ad Xd + ad-1 Xd-1 + ... +a1 X1 +a0 X0 .
If ad=1, then d is called the degree deg(f) of f. Additionally one sets deg(0) := -1.
Usually the element f is represented as the bit-string
(ad ad-1 ... a1 a0)
and therefore often identified with the corresponding (unsigned) integer of the value f(2), i.e.,
(ad ad-1 ... a1 a0)2 = ad 2d + ad-1 2d-1 + ... +a1 21 +a0.
Hence f is usually stored the same way the integer f(2)=(ad ad-1 ... a1 a0)2 would be stored.
– Here, addition (ADD), subtraction (SUB), and multiplication (MULT) operations are defined: They differ
from the well known operations on integers. An addition and subtraction consists of a bitwise XOR
operation on the usual corresponding integer representation. The multiplication is more complex and
built-up by additions.
• mod:
– for any positive integer n, an integer or expression followed by “mod n” denotes the unique integer in
the interval [0,n[ which has the same modulo-n-remainder as the expression itself:
For a fixed positive integer n, every integer a can uniquely be written in the form
a = q * n + r,
with r lying in the interval [0,n[. (This means that Z is a so called Euclidean Domain.) Then r = a mod n.
– for any binary polynomial f of positive degree, a binary polynomial or expression followed by “mod f”
denotes the unique binary polynomial of degree < deg(f) which has the same modulo-f-remainder as
the expression itself.
for a fixed non-zero polynomial f, every binary polynomial a can uniquely be written in the form
a = q * f + r,
with deg(r)<deg(f). (This means that F2[X] is a so called Euclidean Domain.) Then r = a mod f.
• Z/n:

Target Specification 123 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

PKC Module Confidential

– Residue Class Ring: For any positive integer n, Z/n is a mathematical object that usually is represented
by the set of n symbols
{(0 mod n), (1 mod n),...,(n-1 mod n)}.
– In practical application, the n elements of Z/n are usually represented by the n integers 0, 1, ..., n-1.
– An addition, subtraction and multiplication is defined on this set, making it to a commutative ring.
– Using the usual representation with the integers 0, 1, ..., n-1, these three operations are the modular
addition (ADDN), modular subtraction (SUBN), and modular multiplication (MULTN).

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

• Fp :
– Finite Field of p elements. p has to be a prime number.
– Fp := Z/p.
• F2[X]/(f) :
– Residue Polynomial Ring: For any non-zero binary polynomial f, F2[X]/(f) is a mathematical object that
usually is represented by the set of symbols
{ (a mod n) : for all a in F2[X] with deg(a)<deg(f) }.
– In practical application, the elements of F2[X]/(f) are usually represented by the binary polynomials a of
degree less than the degree of f.
– An addition, subtraction and multiplication is defined on this set, making it to a commutative ring.
– Using the usual representation with binary polynomials a of degree less than deg(f), these three
operations are the modular addition (ADDN), modular subtraction (SUBN), and modular multiplication
(MULTN).
– If the polynomial is irreducible, i.e., if there is not non-trivial product f = g*h, then this object is a finite
field and will often be denoted by GF(2deg(f)). Also the notation F2[X]/f is used.

Note: Also, not directly obvious by the notation, the following objects correspond to each other, i.e, are used in
a similar way:
- Z and F2[X]
- Z/n and F2[X]/(f)
- Fp and F2[X]/(f) for an irreducible polynomial f, or GF(2d). However the last notation does not specify the
module-polynomial f.

6.2.1 Arithmetic Operations over Z, Z/n, and Fp.

6.2.1.1 Addition in Z
For any integer a and b, the addition in Z, denoted as
c := ADD(a,b) (6.1)
is mathematically defined in Z in the well known way:
ADD(a,b) := a + b. (6.2)

Target Specification 124 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

PKC Module Confidential

6.2.1.2 Subtraction in Z
For any integer a and b, the subtraction in Z, denoted as
c := SUB(a,b) (6.3)
is mathematically defined in Z in the well known way:
SUB(a,b) := a - b. (6.4)

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

6.2.1.3 Multiplication in Z
For any integer a and b, the addition in Z, denoted as
c := MULT(a,b) (6.5)
is mathematically defined in Z in the well known way:
MULT(a,b) := a * b. (6.6)

6.2.1.4 Modular Reduction in Z

For any integer b and positive integer n, the modular reduction, denoted as
c := RED(b,n) (6.7)
is mathematically defined in Z in the following way:
RED(b,n) := b mod n. (6.8)

Note: Although, the input values may be arbitrary, the result always lies in the interval [0,n[.

6.2.1.5 Modular Addition in Z, Addition in Z/n

For any integer a and b and positive integer n, the modular addition, denoted as
c := ADDN(a,b,n) (6.9)
is mathematically defined in Z in the following way:
ADDN(a,b,n) := (a + b) mod n. (6.10)
This also induces a well defined addition on the ring Z/n.

Note: Although, the input values may be arbitrary, the result always lies in the interval [0,n[.

6.2.1.6 Modular Subtraction in Z, Subtraction in Z/n

For any integer a and b and positive integer n, the modular subtraction, denoted as
c := SUBN(a,b,n) (6.11)
is mathematically defined in Z in the following way:
SUBN(a,b,n) := (a - b) mod n. (6.12)
This also induces a well defined subtraction on the ring Z/n.

Note: Although, the input values may be arbitrary, the result always lies in the interval [0,n[.

Target Specification 125 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

PKC Module Confidential

6.2.1.7 Modular Multiplication in Z, Multiplication in Z/n

For any integer a and b and positive integer n, the modular multiplication, denoted as
c := MULTN(a,b,n) (6.13)
is mathematically defined in Z in the following way:
MULTN(a,b,n) := (a * b) mod n (6.14)
This also induces a well defined multiplication on the ring Z/n.

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

Note: Although, the input values may be arbitrary, the result always lies in the interval [0,n[.

6.2.1.8 Modular Inversion over Z

For any positive integer n and any integer b such that the greatest common divisor of b and n is 1, the modular
inversion computation, denoted as
c := INV(b,n) (6.15)
is mathematically defined in Z in the following way:

INV(b,n) := b-1 mod n. (6.16)

c is the unique integer in the interval [0,n[ that has the property 1=c * b mod n. This inverse does not exist if
there exists an integer d>1 which divides b as well as n.
This also induces a well defined inverse operation in the ring Z/n - but not for all of its elements.

Note: In Z this can be realized by the extended Euclidean algorithm.

Note: If n is a prime, than the inverse exists for all b with b mod n > 0.
Note: Although, the input values may be arbitrary, the result always lies in the interval [0,n[.

6.2.1.9 Modular Division over Z

For any positive integer n, any integer a, and any integer b such that the greatest common division of b and n
is 1, the modular division computation, denoted as
c := DIVN(a,b,n) (6.17)
is mathematically defined in Z in the following way:

DIVN(a,b,n) := a * b-1 mod n = MULTN(a,INV(b,n),n). (6.18)

This quotient does not exist if there exists an integer d>1 which divides b as well as n.
This also induces a well defined division operation in the ring Z/n - but not for all of its elements.

Note: Although, the input values may be arbitrary, the result always lies in the interval [0,n[.

6.2.1.10 Modular Exponentiation

For any integer a, any non-negative integer b and any positive integer n, the modular exponentiation
computation, denoted as
c := EXP(a,b,n) (6.19)

Target Specification 126 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

PKC Module Confidential

is mathematically defined in Z in the following way:

EXP(a,b,n) := ab mod n. (6.20)

This also induces a well defined exponentiation operation in the ring Z/n.

Note: This can be realized by the usual square and multiply algorithms.

Note: Although, the input values of this mathematical operation may be arbitrary, the result always lies in the
interval [0,n[.

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

6.2.2 Elliptic Curve Operations over Fp.
If p>3 is a prime integer and a,b, are two integers, preferably in Fp={0,...,p-1} or in ]-p,p[, such that the
Discriminant is not zero in Fp,

4 * a3 + 27 * b2 mod p ≠ 0 (6.21)
then an elliptic curve E(a,b,p) is defined. E(a,b,p) is a mathematical object which can be represented by a
subset of (Fp × Fp) u { 0 } via

E(a,b,p) := { (x,y) in (Fp × Fp) : (x3 + a * x + b - y2) mod p = 0} u {0} (6.22)

Additionally a formal element 0 will be added to this set. This element is called the point at infinity, or also
the zero-point.
The number of elements of the set E(a,b,p) is called the order of the elliptic curve and is often denoted by n.
An element of the set E(a,b,p) is called a point on the elliptic curve E(a,b,p). On this set, an addition of points
PA,PB is defined. There are three cases for an addition PC= PA + PB:
• If PA or PB is 0 then PC := PB or PC := PA, respectively.
• If PA = PB, the addition is a doubling operation.(Section 6.2.2.1)
• Else if PA ≠ PB, then this is a (generic) addition operation. (Section 6.2.2.2)
This addition operation makes E(a,b,p) to an abelian group. Here the inverse point (or negative) of a point
PA=(xA,yA) is given by:
- PA = (xA, - yA mod p). (6.23)
Every abelian group is canonically a so called Z-module. I.e., the integers k operate on the points P of the
elliptic curve viz:
k * P := (...((P + P) + P) +... ) + P (k times), if k > 0 (6.24)
k * P := 0, if k = 0 (6.25)
k * P := 0 - ((-k) P), if k < 0 (6.26)
This operation is called scalar multiplication.
Let P be a point on the elliptic curve E(a,b,p). The smallest positive integer n such that n*P=0 is called the order
of the point P. It is known, that the order always exists (and is finite). Furthermore, the order of a point divides
the order of the elliptic curve.
Additionally, there are cryptographic operations on elliptic curves like the Elliptic Curve Digital Signature
Algorithm (ECDSA). See Section 6.2.2.4

Target Specification 127 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

PKC Module Confidential

6.2.2.1 Point Doubling on an Elliptic Curve over Fp

The point doubling computation, denoted as
PC := PDBL(PA,a,b,p) (6.27)
is mathematically defined in the following way:
If PA = (xA,yA) is a point on the elliptic curve E(a,b,p), represented by its affine coordinates, then the double
PC=(xC,yC) is given by:

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

xC := c2 - 2* xA mod p (6.28)
yC := c * (xA-xC) - yA mod p. (6.29)
with

c := (3 * xA2 + a) * (2 * yA)-1 mod p. (6.30)

If PA lies on the curve E(a,b,p) then the double of the point, PC, also lies on the curve.
If it happens that yA=0 and a division is not possible then PC is defined to be 0.

6.2.2.2 Point Addition on an Elliptic Curve over Fp

The point addition computation, denoted as
PC := PADD(PA, PB, a, b, p) (6.31)
is mathematically defined in the following way:
If PA = (xA,yA) , PB = (xB,yB) are different points on the elliptic curve E(a,b,p), represented by their affine
coordinates, then the sum point PC=(xC,yC) is given by:

xC := c2 - xA- xB mod p (6.32)

yC := c * (xA-xC) - yA mod p. (6.33)
with

c := (yB-yA) * (xB-xA)-1 mod p. (6.34)

If PA and PB lie on the curve E(a,b,p) then the sum of the point, PC, also lies on the curve.
If it happens that xB = xA and yA ≠ yB and therefore a division is not possible then PC is defined to be 0.

6.2.2.3 Scalar Multiplication on an Elliptic Curve over Fp

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

Let P be a point on the elliptic curve E(a,b,p). The smallest positive integer n such that n*P=0 is called the order
of the point P. It is known, that the order always exists (and is finite). Furthermore, the order of a point divides
the order of the elliptic curve.
For the special case of the values:

p := 2255 - 19 (6.58)
A := 486662 (6.59)
B := 1 (6.60)
this curve is called Curve25519. The standard generator point P=(x,y) for applications is given by
x := 9 (6.61)
y := ... (undefined) (6.62)
the order of the point is 2252+27742317777372353535851937790883648493.

6.2.3.1 Point Doubling on Curve25519

The point doubling computation on Curve25519 or Montgomery curves in general, denoted as
PC := M-PDBL(PA,A,B,p) (6.63)
is mathematically defined in the following way:
If PA = (xA,yA) is a point on the Montgomery curve M(A,B,p), represented by its affine coordinates, then the
double PC=(xC,yC) is given by:

xC := B * c2 - A - xA - xA mod p (6.64)

yC := (2xA+xA+A) c - B c3 - yA mod p. (6.65)

with

c := (3 xA2+ 2 * A + 1) * (2 * B * yA)-1 mod p. (6.66)

If PA lies on the curve M(A,B,p) then the double of the point, PC, also lies on the curve.
If it happens that yA=0 and a division is not possible then PC is defined to be 0.

6.2.3.2 Point Addition on Curve25519

The point addition computation on Curve25519 or Montgomery curves in general, denoted as
PC := M-PADD(PA, PB, A, B, p) (6.67)
is mathematically defined in the following way:

Target Specification 131 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

PKC Module Confidential

If PA = (xA,yA) , PB = (xB,yB) are different points on the elliptic curve M(A,B,p), represented by their affine
coordinates, then the sum point PC=(xC,yC) is given by:

xC := B * c2 - A - xA - xB mod p (6.68)

yC := (2xA+xB+A) * c -B * c3 - yA mod p. (6.69)

with

c := (yB-yA) * (xB-xA)-1 mod p. (6.70)

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

If PA and PB lie on the curve M(a,b,p) then the sum of the point, PC, also lies on the curve.
If it happens that xB = xA and yA ≠ yB and therefore a division is not possible then PC is defined to be 0.

6.2.3.3 Scalar Multiplication on Curve25519

For any integer Point PA on Curve25519 or Montgomery curves in general and any integer k, the scalar
multiplication, denoted as
PC := SMULTcurve25519(k,PA) (6.71)
or in general
PC := M-SMULT(k,PA,A,B,p) (6.72)
is mathematically defined in the following way:
SMULT(k,PA,A,B,p) := k * PA. (6.73)

6.2.4 Elliptic Curve Operations on the Twisted Edwards Curve Ed25519.

If p>3 is a prime integer, and a, d, are two integers, preferably in Fp={0,...,p-1} or in ]-p,p[, such that in Fp
a * d * (a - d) mod p ≠ 0 (6.74)
then a twisted Edwards curve Ed(a,d,p) is defined. Ed(a,d,p) is an alternative representation for some elliptic
curve which can be represented by a subset of (Fp × Fp)} via

Ed(a,d,p) := { (x,y) in (Fp × Fp) : (a * x2 + y2 - 1 - dx2y2) mod p = 0}. (6.75)

The zero-point is given by the point (0,1).
The number of elements of the set Ed(a,d,p) is called the order of the curve and is often denoted by n.
An element of the set Ed(a,d,p) is called a point on the curve Ed(a,d,p). On this set, an addition of points PA,PB
is defined: PC= PA + PB:
This addition operation makes Ed(a,d,p) to an abelian group. Here the inverse point (or negative) of a point
PA=(xA,yA) is given by:
- PA = (-xA mod p, yA). (6.76)
Every abelian group is canonically a so called Z-module. I.e., the integers k operate on the points P of the
elliptic curve viz:
k * P := (...((P + P) + P) +... ) + P (k times), if k > 0 (6.77)
k * P := 0, if k = 0 (6.78)
k * P := 0 - ((-k) P), if k < 0 (6.79)

Target Specification 132 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

PKC Module Confidential

This operation is called scalar multiplication.

Let P be a point on the elliptic curve Ed(a,b,p). The smallest positive integer n such that n*P=0 is called the
order of the point P. It is known, that the order always exists (and is finite). Furthermore, the order of a point
divides the order of the elliptic curve.
For the special case of the values:

p := 2255 - 19 (6.80)

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

a := -1 (6.81)

d := 121666-1 - 1 mod p (6.82)

this curve is called Ed25519. The standard generator point P=(x,y) for applications is given by
x := 216936D3CD6E53FEC0A4E231FDD6DC5C692CC7609525A7B2C9562D608F25D51AH (6.83)
y := 6666666666666666666666666666666666666666666666666666666666666658H (6.84)
the order of the point is 2252+27742317777372353535851937790883648493.

6.2.4.1 Point Addition on Ed25519

The point addition computation on Ed25519 or on twisted Edwards curves in general, denoted as
PC := Ed-PADD(PA, PB, a, d, p) (6.85)
is mathematically defined in the following way:
If PA = (xA,yA) , PB = (xB,yB) are (not necessarily different) points on the elliptic curve Ed(a,d,p), represented by
their affine coordinates, then the sum point PC=(xC,yC) is given by:

xC := (xAyB+yAxB) (1+dxAxByAyB)-1 mod p (6.86)

yC := (yAyB-axAxB) (1-dxAxByAyB)-1 mod p. (6.87)

If PA and PB lie on the curve Ed(a,d,p) then the sum of the point, PC, also lies on the curve.

6.2.4.2 Scalar Multiplication on Ed25519

For any integer Point PA on Ed25519 or twisted Edwards curves in general and any integer k, the scalar
multiplication, denoted as
PC := SMULTEd25519(k,PA) (6.88)
or in general
PC := Ed-SMULT(k,PA,a,d,p) (6.89)
is mathematically defined in the following way:
Ed-SMULT(k,PA,a,d,p) := k * PA. (6.90)

Target Specification 133 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

PKC Module Confidential

6.2.4.3 X Coordinate Recovery on Ed25519

If only the y-coordinate of a Point PA=(x,y) on Ed25519 is given, then the x-coordinate can be recovered - at
least up to the sign modulo p:
x := XrecoverEd25519(y) (6.91)
is mathematically evaluated in the following way:

u := y2 - 1 mod p. (6.92)

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

v := d * y2 + 1 mod p (6.93)
e := (p-5)/8 (6.94)

x’ := u1+e * v3+7e mod p (6.95)

if (v * x2 + u mod p = 0) then x := x’ * J mod p (6.96)

else x:= x’. (6.97)
Here J is a square root of -1 mod p. In this case it is:
J := 2B8324804FC1DF0B2B4D00993DFBD7A72F431806AD2FE478C4EE1B274A0EA0B0H. (6.98)

6.2.5 Arithmetic Operations over F2[X] and F2[X]/(f)=GF(2d).

6.2.5.1 Addition in F2[X]

For any binary polynomial a and b, the addition in F2[X], denoted as
c := ADD(a,b) (6.99)
is mathematically defined in F2[X] as the addition of polynomials in the well known way:
ADD(a,b) := a + b. (6.100)

6.2.5.2 Subtraction in F2[X]

For any binary polynomial a and b, the subtraction in F2[X], denoted as
c := SUB(a,b) (6.101)
is mathematically defined in F2[X] as the subtraction of polynomials in the well known way:
SUB(a,b) := a - b. (6.102)

Note: In the case of characteristic 2 (as it is here) the subtraction is identical to the addition. More general, the
additive inverse (negative) of a polynomial a is the polynomial itself.

6.2.5.3 Multiplication in F2[X]

For any binary polynomial a and b, the addition in F2[X], denoted as
c := MULT(a,b) (6.103)

Target Specification 134 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

PKC Module Confidential

is mathematically defined in F2[X] as the multiplication of polynomials in the well known way:
MULT(a,b) := a * b. (6.104)
To be precise: If
a = am Xm + am-1 Xm-1 + ... + a1 X1 + a0 X0
and
b = bn Xn + bn-1 Xn-1 + ... + b1 X1 + b0 X0

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

Then
c = cn+m Xn+m + cn+m-1 Xn+m-1 + ... + c1 X1 + c0 X0
with
ci = ai * b0+ ai-1 * b1+ ... + a1 * bi-1 + a0 * bi .
Here the last computation takes place in F2.

6.2.5.4 Modular Reduction in F2[X]

For any binary polynomial b and non-zero binary polynomial f, the modular reduction, denoted as
c := RED(b,f) (6.105)
is mathematically defined in F2[X] as the reduction of polynomials in the following way:
RED(b,f) := b mod f. (6.106)
Note: Although, the input values may be arbitrary, the result always has degree < deg(f).

6.2.5.5 Modular Addition in F2[X], Addition in F2[X]/(f)

For any binary polynomial a and b and non-zero binary polynomial f, the modular addition, denoted as
c := ADDN(a,b,f) (6.107)
is mathematically defined in F2[X] as the modular addition of polynomials in the following way:
ADDN(a,b,f) := (a + b) mod f. (6.108)
This also induces a well defined addition on the ring F2[X]/(f).

Note: Although, the input values may be arbitrary, the result always has degree < deg(f).

6.2.5.6 Modular Subtraction in F2[X], Subtraction in F2[X]/(f)

For any binary polynomial a and b and non-zero binary polynomial f, the modular subtraction, denoted as
c := SUBN(a,b,f) (6.109)
is mathematically defined in F2[X] as the modular subtraction of polynomials in the following way:
SUBN(a,b,f) := (a - b) mod f. (6.110)
This also induces a well defined subtraction on the ring F2[X]/(f).

Note: Although, the input values may be arbitrary, the result always has degree < deg(f).

Note: Analogously to SUB, also SUBN is identical to ADDN.

Target Specification 135 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

PKC Module Confidential

6.2.5.7 Modular Multiplication in F2[X], Multiplication in F2[X]/(f)

For any binary polynomial a and b and non-zero binary polynomial f, the modular addition, denoted as
c := MULTN(a,b,f) (6.111)
is mathematically defined in F2[X] as the modular multiplication of polynomials in the following way:
MULTN(a,b,f) := (a * b) mod f (6.112)
This also induces a well defined multiplication on the ring F2[X]/(f).

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

Note: Although, the input values may be arbitrary, the result always has degree < deg(f).

6.2.5.8 Modular Inversion over F2[X]

For any non-zero binary polynomial f and any binary polynomial b such that the greatest common divisor of b
and f is 1, the modular inversion computation, denoted as
c := INV(b,f) (6.113)
is mathematically defined in F2[X] as the inversion operation of polynomials in the following way:

INV(b,f) := b-1 mod f. (6.114)

c is the unique binary polynomial of degree < deg(f), that has the property 1=c * b mod f. This inverse does not
exist if there exists a non-constant binary polynomial which divides b as well as f.
This also induces a well defined inverse operation in the ring F2[X]/(f) - but not for all of its elements.

Note: This can be realized by the extended Euclidean algorithm.

Note: If f is an irreducible polynomial, than the inverse exists for all b with b mod f ≠ 0.

Note: Although, the input values may be arbitrary, the result always has degree < deg(f).

6.2.5.9 Modular Division over F2[X]

For any non-zero binary polynomial f, any binary polynomial a, and any binary polynomial b such that the
greatest common divisor of b and f is 1, the modular division computation, denoted as
c := DIVN(a,b,f) (6.115)
is mathematically defined in F2[X] as the modular division of polynomials in the following way:

DIVN(a,b,f) := a * b-1 mod f = MULTN(a,INV(b,f),f). (6.116)

This quotient does not exist if there exists a non-constant binary polynomial which divides b as well as n.
This also induces a well defined division operation in the ring F2[X]/(f) - but not for all of its elements.

Note: Although, the input values may be arbitrary, the result always has degree < deg(f).

6.2.6 Elliptic Curve Operations over F2[X]/(f)=GF(2d).

If f is an irreducible binary polynomial, and a,b, are two binary polynomials, preferably of degree < deg(f), such
that,
b mod f ≠ 0 (6.117)

Target Specification 136 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

PKC Module Confidential

then an elliptic curve E(a,b,f) is defined. E(a,b,f) is a mathematical object which can be represented by a
subset of (F2[X]/(f) × F2[X]/(f)) u { 0 } via

E(a,b,f) := { (x,y) in (F2[X]/(f) × F2[X]/(f)) : (x3 + a * x2 + b - y2 - x * y) mod f = 0} u {0} (6.118)

Additionally a formal element 0 will be added to this set. This element is called the point at infinity, or also
the zero-point.
The number of elements of the set E(a,b,f) is called the order of the elliptic curve and is often denoted by n.

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

An element of the set E(a,b,f) is called a point on the elliptic curve E(a,b,f). On this set, an addition of points
PA,PB is defined. There are three cases for an addition PC= PA + PB:
• If PA or PB is 0 then PC := PB or PC := PA, respectively.
• If PA = PB, the addition is a doubling operation. (Section 6.2.6.1)
• Else if PA ≠ PB, then this is a (generic) addition operation. (Section 6.2.6.2)
This addition operation makes E(a,b,f) to an abelian group. Here the inverse point (or negative) of a point
PA=(xA,yA) is given by:
- PA = (xA,xA+yA mod p). (6.119)
Every abelian group is canonically a so called Z-module. I.e., the integers k operate on the points P of the
elliptic curve viz:
k * P := (...((P + P) + P) +... ) + P (k times), if k > 0 (6.120)
k * P := 0, if k = 0 (6.121)
k * P := 0 - ((-k) P), if k < 0 (6.122)
This operation is called scalar multiplication.
Let P be a point on the elliptic curve E(a,b,f). The smallest positive integer n such that n*P=0 is called the order
of the point P. It is known, that the order always exists (and is finite). Furthermore, the order of a point divides
the order of the elliptic curve.
Additionally, there are cryptographic operations on elliptic curves like ECDSA. See Section 6.2.6.4.

6.2.6.1 Point Doubling on an Elliptic Curve over F2[X]/(f)=GF(2d)

The point doubling computation, denoted as
PC := PDBL(PA,a,b,f) (6.123)
is mathematically defined in the following way:
If PA = (xA,yA) is a point on the elliptic curve E(a,b,f), represented by its affine coordinates, then the double
PC=(xC,yC) is given by:

xC := c2 + c + a mod f (6.124)

yC := c * xC + xC + xA2 mod f. (6.125)

with

c := (xA + yA) * (xA)-1 mod f. (6.126)

If PA lies on the curve E(a,b,f) then the double of the point, PC, also lies on the curve.
If it happens that xA=0 and a division is not possible then PC is defined to be 0.

Target Specification 137 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

PKC Module Confidential

6.2.6.2 Point Addition on an Elliptic Curve over F2[X]/(f)=GF(2d)

The point addition computation, denoted as
PC := PADD(PA, PB, a, b, f) (6.127)
is mathematically defined in the following way:
If PA = (xA,yA) , PB = (xB,yB) are different points on the elliptic curve E(a,b,p), represented by their affine
coordinates, then the sum point PC=(xC,yC) is given by:

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

xC := c2 + c + xA + xB + a mod f (6.128)
yC := c * (xA+xC) + xC + yA mod f. (6.129)
with

c := (yB+yA) * (xB+xA)-1 mod p. (6.130)

6.2.6.3 Scalar Multiplication on an Elliptic Curve over F2[X]/(f)=GF(2d)

For any integer Point PA on an elliptic curve and any integer k, the scalar multiplication, denoted as
PC := SMULT(k,PA,a,b,f) (6.131)
is mathematically defined in the following way:
SMULT(k,PA,a,b,f) := k * PA. (6.132)

6.2.6.4 ECDSA Signature Generation on an Elliptic Curve over F2[X]/(f)=GF(2d)

Given the following situation:
• Let E(a,b,f) be an elliptic curve, as shown above.
• Let further P=(x,y) be a Point on E(a,b,f); the order of the point is n (in many cases this is two or four times
of a prime).
• Let d be a random positive integer; this will be the (long term) private key for the signature.
• [Let Q := d * P be the scalar product of d with the point P; this will be the (long term) public key.]
• Let ek be a positive integer, chosen uniformly random from the interval ]1,n-1[; this will be the
(ephemeral) private key for the signature.
• Let h be the hash of a message m for which the signature should be generated.
Then the ECDSA signature, denoted as
(r,s) := ECDSASIG(h,ek,d,n,P,a,b,f) (6.133)
is mathematically defined in the following way:
(x1,y1) := P1 := ek * P. (6.134)
r := x1 mod n, (6.135)

kinv := ek-1 mod n (6.136)

s := kinv * (h + d * r) mod n (6.137)

Target Specification 138 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

PKC Module Confidential

If it happens that r=0 or s=0 then no signature is generated with this ek. Then a new value for ek has to be
chosen and this process has to be done again.

Attention: The above description does not reflect a certain standard. It just states the mathematical
formula. E.g., which hash algorithm is used and how it is padded is ignored for this
description.

6.2.6.5 ECDSA Signature Verification on an Elliptic Curve over F2[X]/(f)=GF(2d)

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

Given the following situation:
• Let E(a,b,f) be an elliptic curve, as shown above.
• Let further P=(x,y) be a Point on E(a,b,p); the order of the point is n (usually this is a prime).
• [Let d be a random positive integer; this will be the (long term) private key for the signature.]
• Let Q := d * P be the scalar product of d with the point P; this will be the (long term) public key.
• [Let ek be a positive integer, chosen uniformly random from the interval ]1,n-1[; this will be the
(ephemeral) private key for the signature.]
• Let h be the hash of a message m for which the signature should be verified.
• Given a pair (r,s) of integers from Z/n pretending to be a signature for the message m.
Then the ECDSA signature verification, denoted as
boolean := ECDSAVER(h,r,s,Q,n,P,a,b,f) (6.138)
is mathematically defined in the following way:

w = s-1 mod n. (6.139)

u2 := h * w mod n (6.140)
u3 := r * w mod n (6.141)
P2 := u2 * P mod n (6.142)
P3 := u3 * Q mod n (6.143)
(x1,y1) = P1 := P2 + P3 (6.144)
if P1 = 0 (point at infinity) then return false, (6.145)
v := x1 mod n (6.146)
if r = v then return true else return false. (6.147)
If it happens that r, s are not in [1,n-1] (in particular, if r=0 or s=0), then the signature is also rejected (false).

Attention: The above description does not reflect a certain standard. It just states the mathematical
formula. E.g., which hash algorithm is used and how it is padded is ignored for this
description.

Target Specification 139 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

PKC Module Confidential

6.3 Register Architecture and Programming Model

The registers of the PKC module, which are relevant for the programmer, can be classified into two categories,
namely the SFRs which are directly accessible by the CPU and the Shared Crypto Memory [SCM].

The SFRs which are all 32 bit wide, are:

• The PKC Configuration Register PKC_CONFIG is used to determine certain input parameter used for the
command.

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

• The PKC Command Register PKC_CMD is used to define the command.
• The PKC Control Register PKC_CTRL is used to start the operation of the command.
• The PKC Status Register PKC_STATUS is used to check whether the operation is finished and to get
additional output information. During the operation time no write to PKC_CMD and PKC_CONFIG is
allowed, otherwise this results in an undefined behavior.

The SCM is a 1 KB large memory block.

• The CPU as well as the core of the PKC-Module have r/w access to this memory block. However, no
simultaneous access is allowed. The CPU has to make sure that no conflicts occur. Cf. Chapter 6.4.2.
• The SCM is divided in 32 equally long sections, called Registers for long integers [LIR]. Each section can
contain a 256 bit long representation of an integer or binary polynomial.
After reset, all SCM registers have an undefined value.

The PKC module contains two additional internal memory areas. They are used for data processing during
operation of the commands and are not accessible by the CPU:
• The Tightly Coupled Memory [TCM] of size 1 KB.
• The internal µ-Code Memory ROM [µCM] of size 1 k 18-bit words.

The usual way to realize an operation, like the ones described in Section 6.2, is:
1. Write operands, parameters, and data to the SCM.
2. Write command into PKC_CMD and possible parameters to PKC_CONFIG.
3. Write PKC_CTRL to start the operation.
4. Wait until the operation is finished. E.g. by reading status from PKC_STATUS, or by waiting for interrupt.
5. Read data from SCM, and, if applicable, status/error information from PKC_STATUS. In case PKC_IRQEnd
was used, it is recommended to read PKC_STATUS first and then read data.
If some data or parameters are already present in the PKC-module, e.g., from the last operation, they may be
used for the next operation - if applicable.

6.3.1 Interrupts
The PKC module generates two interrupts:
• The IRQEnd [PKC_IRQEnd] indicates that the core has finished processing of the command and the results
of the operation are available in the SCM.
– This signal is level-sensitive, active high.
– This signal is cleared, when reading the status register PKC_STATUS.

Target Specification 140 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

PKC Module Confidential

– It is also activated when an error has been detected (then PKC_IRQEnd and PKC_IRQErr are activated
simultaneaously.)
• The IRQErr [PKC_IRQErr] indicates that an error has been detected while executing parameter checking
procedures.
– This signal is level-sensitive, active high.
– This signal is cleared when reading the status register PKC_STATUS.
Furthermore note: If an interrupt service routine access the PKC-module, it has to make sure that it does not

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

disturb former PKC operations by overwriting values in SCM. So, either these interrupts will be disabled, or it
is assured that the old values will be restored after such an intermediary interrupt.

Target Specification 141 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

PKC Module Confidential

6.4 PKC SFRs

There are 4 SFRs in the PKC module:
• PKC_CONFIG,
• PKC_CMD,
• PKC_CTRL,
• PKC_STATUS,

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

They are always accessible and will be defined in the present section.
Furthermore there is the Shared Crypto Memory (SCM). It is 1 KB in size and is structured in 32 registers. The
Shared Crypto Memory is accessible by the CPU. It will be described in Chapter 6.4.2.

Table 6-1 Register Address Space

Module Base Address End Address Note
PKC E800 3C00H E800 3FFFH

Table 6-2 Register Overview

Register Short Name Register Long Name Offset Address Reset Value
PKC SFRs, Control and Status Registers
PKC_CONFIG PKC Configuration Register 00H 0000 0000H
PKC_CMD PKC Command Register 04H 0000 0000H
PKC_CTRL PKC Control Register 08H 0000 0000H
PKC_STATUS PKC Status Register 0CH 0000 0000H
PKC SFRs, Shared Crypto Memory
PKC_SCM_R0 Shared Crypto Memory Register 0 0400H XH
PKC_SCM_R1 Shared Crypto Memory Register 1 0420H XH
PKC_SCM_R2 Shared Crypto Memory Register 2 0440H XH
PKC_SCM_R3 Shared Crypto Memory Register 3 0460H XH
PKC_SCM_R4 Shared Crypto Memory Register 4 0480H XH
PKC_SCM_R5 Shared Crypto Memory Register 5 04A0H XH
PKC_SCM_R6 Shared Crypto Memory Register 6 04C0H XH
PKC_SCM_R7 Shared Crypto Memory Register 7 04E0H XH
PKC_SCM_R8 Shared Crypto Memory Register 8 0500H XH
PKC_SCM_R9 Shared Crypto Memory Register 9 0520H XH
PKC_SCM_R10 Shared Crypto Memory Register 10 0540H XH
PKC_SCM_R11 Shared Crypto Memory Register 11 0560H XH
PKC_SCM_R12 Shared Crypto Memory Register 12 0580H XH
PKC_SCM_R13 Shared Crypto Memory Register 13 05A0H XH
PKC_SCM_R14 Shared Crypto Memory Register 14 05C0H XH
PKC_SCM_R15 Shared Crypto Memory Register 15 05E0H XH
PKC_SCM_R16 Shared Crypto Memory Register 16 0600H XH

Target Specification 142 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

PKC Module Confidential

Table 6-2 Register Overview (cont’d)

Register Short Name Register Long Name Offset Address Reset Value
PKC_SCM_R17 Shared Crypto Memory Register 17 0620H XH
PKC_SCM_R18 Shared Crypto Memory Register 18 0640H XH
PKC_SCM_R19 Shared Crypto Memory Register 19 0660H XH
PKC_SCM_R20 Shared Crypto Memory Register 20 0680H XH

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

PKC_SCM_R21 Shared Crypto Memory Register 21 06A0H XH
PKC_SCM_R22 Shared Crypto Memory Register 22 06C0H XH
PKC_SCM_R23 Shared Crypto Memory Register 23 06E0H XH
PKC_SCM_R24 Shared Crypto Memory Register 24 0700H XH
PKC_SCM_R25 Shared Crypto Memory Register 25 0720H XH
PKC_SCM_R26 Shared Crypto Memory Register 26 0740H XH
PKC_SCM_R27 Shared Crypto Memory Register 27 0760H XH
PKC_SCM_R28 Shared Crypto Memory Register 28 0780H XH
PKC_SCM_R29 Shared Crypto Memory Register 29 07A0H XH
PKC_SCM_R30 Shared Crypto Memory Register 30 07C0H XH
PKC_SCM_R31 Shared Crypto Memory Register 31 07E0H XH

The registers are addressed wordwise.

Target Specification 143 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

PKC Module Confidential

6.4.1 Control and Status Registers

PKC_CONFIG
When executing primitive arithmetic operations (like c:=a+b) and exponentiation, then the location of the
input parameters a and b, as well as the location of the output parameter c will be defined by using this
register. Also some points PA, PB, PC, on elliptic curves are defined using this register.

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

PKC_CONFIG Offset Reset Value
PKC Configuration Register 00H 0000 0000H

31 21 20 16 15 13 12 8 7 5 4 0

RFU OPPTRC RFU OPPTRB RFU OPPTRA

rw rw rw rw rw rw

Field Bits Type Description

RFU 31:21 rw RFU
OPPTRC 20:16 rw Pointer for Operand C
When executing primitive arithmetic operations, or certain elliptic
curve operations, this pointer defines the location, where the result
will be stored in memory SCM.
iD , Result c will be written into PKC_SCM_Ri.
Result Point PC will be written to PKC_SCM_Ri (x-coordinate)
and PKC_SCM_Ri+1 (y-coordinate).
Only values between 1(1H) and 15(FH) are allowed. Further
restrictions cf. the descriptions of the single commands.
All other values result in an undefined behavior.
RFU 15:13 rw RFU
OPPTRB 12:8 rw Pointer for Operand B
When executing primitive arithmetic operations, or certain elliptic
curve operations, this pointer defines the location, where the operand
B is located in memory SCM.
iD , Operand b will be read from PKC_SCM_Ri.
Point PB will be read from PKC_SCM_Ri (x-coordinate) and
PKC_SCM_Ri+1 (y-coordinate).
Only values between 1(1H) and 15(FH) are allowed. Further
restrictions cf. the descriptions of the single commands.
All other values result in an undefined behavior.
RFU 7:5 rw RFU

Target Specification 144 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

PKC Module Confidential

Field Bits Type Description

OPPTRA 4:0 rw Pointer for Operand A
When executing primitive arithmetic operations, or certain elliptic
curve operations, this pointer defines the location, where the operand
A is located in memory SCM.
iD , Operand a will be read from PKC_SCM_Ri.
Point PA will be read from PKC_SCM_Ri (x-coordinate) and

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

PKC_SCM_Ri+1 (y-coordinate).
Only values between 1(1H) and 15(FH) are allowed. Further
restrictions cf. the descriptions of the single commands.
All other values result in an undefined behavior.

Target Specification 145 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

PKC Module Confidential

PKC_CMD
The Command Register specifies low level arithmetic operations as well as high-level cryptographic
algorithms. The available instructions are listed in the table.
Note the following abbreviations:
• “a = *PKC_CONFIG.OPPTRA” stands for:
a denotes the integer or binary polynomial represented by the LIRPKC_CONFIG.OPPTRA is pointing to.
• Similar for other variables instead of a and for OPPTRB, OPPTRC.

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

• “a = *PKC_SCM_R0” stands for:
a denotes the integer or binary polynomial represented by the LIRPKC_SCM_R0.
• Similar for other variables instead of a and for PKC_SCM_R1, ....

PKC_CMD Offset Reset Value

PKC Command Register 04H 0000 0000H

PKC_CTRL
This Register is used to start the execution of the operation specified in PKC_CMD and possibly in
PKC_CONFIG.

PKC_CTRL Offset Reset Value

PKC Control Register 08H 0000 0000H

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

31 1 0
ST
RFU A*

rw rw

Field Bits Type Description

RFU 31:1 rw RFU
START 0 rw Start Signal
The Start Signal can be set when all data and key inputs have been
loaded in the SCM and are available for processing. When the signal is
set, the Command present in the PKC_CMD register is initiated and
executed. The START signal is ignored when the module is already
processing data, and it is automatically cleared when the operation is
finished.

PKC_SCM_Ri

PKC_SCM_R0 Offset Reset Value

Shared Crypto Memory Register 0 0400H XH

255 224

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

Data

rw
223 192

Data

rw
191 160

Data

rw
159 128

Data

rw
127 96

Data

rw
95 64

Data

rw
63 32

Data

rw
31 0

Data

Field Bits Type Description

Data 255:0 rw Parameters, keys, operands or results.

Target Specification 153 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

PKC Module Confidential

Additional Shared Crypto Memory Registers

Additional Shared Crypto Memory Registers have the same layout and access rights as PKC_SCM_R0.

Table 6-3 Shared Crypto Memory Registers 1 to 31

Register Short Name Register Long Name Offset Address Reset Value
PKC_SCM_R1 Shared Crypto Memory Register 1 0420H XH
PKC_SCM_R2 Shared Crypto Memory Register 2 0440H XH

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

PKC_SCM_R3 Shared Crypto Memory Register 3 0460H XH
PKC_SCM_R4 Shared Crypto Memory Register 4 0480H XH
PKC_SCM_R5 Shared Crypto Memory Register 5 04A0H XH
PKC_SCM_R6 Shared Crypto Memory Register 6 04C0H XH
PKC_SCM_R7 Shared Crypto Memory Register 7 04E0H XH
PKC_SCM_R8 Shared Crypto Memory Register 8 0500H XH
PKC_SCM_R9 Shared Crypto Memory Register 9 0520H XH
PKC_SCM_R10 Shared Crypto Memory Register 10 0540H XH
PKC_SCM_R11 Shared Crypto Memory Register 11 0560H XH
PKC_SCM_R12 Shared Crypto Memory Register 12 0580H XH
PKC_SCM_R13 Shared Crypto Memory Register 13 05A0H XH
PKC_SCM_R14 Shared Crypto Memory Register 14 05C0H XH
PKC_SCM_R15 Shared Crypto Memory Register 15 05E0H XH
PKC_SCM_R16 Shared Crypto Memory Register 16 0600H XH
PKC_SCM_R17 Shared Crypto Memory Register 17 0620H XH
PKC_SCM_R18 Shared Crypto Memory Register 18 0640H XH
PKC_SCM_R19 Shared Crypto Memory Register 19 0660H XH
PKC_SCM_R20 Shared Crypto Memory Register 20 0680H XH
PKC_SCM_R21 Shared Crypto Memory Register 21 06A0H XH
PKC_SCM_R22 Shared Crypto Memory Register 22 06C0H XH
PKC_SCM_R23 Shared Crypto Memory Register 23 06E0H XH
PKC_SCM_R24 Shared Crypto Memory Register 24 0700H XH
PKC_SCM_R25 Shared Crypto Memory Register 25 0720H XH
PKC_SCM_R26 Shared Crypto Memory Register 26 0740H XH
PKC_SCM_R27 Shared Crypto Memory Register 27 0760H XH
PKC_SCM_R28 Shared Crypto Memory Register 28 0780H XH
PKC_SCM_R29 Shared Crypto Memory Register 29 07A0H XH
PKC_SCM_R30 Shared Crypto Memory Register 30 07C0H XH
PKC_SCM_R31 Shared Crypto Memory Register 31 07E0H XH

Target Specification 154 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

PKC Module Confidential

Note
• The SCM is r/w.
• The SCM can only be accessed 32-bit wise and 32-bit aligned. Using 8-bit, 16-bit or un-aligned accesses
lead to a bus error.
• The SCM will be accessed by the core of the PKC-Module during operation. No simultaneous access of the
core and the CPU is allowed. Hence:
• The SCM may only be accessed by the CPU if the PKC-module is in an idle mode, i.e., if

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

PKC_STATUS.BUSY=0B. So, the software has to make sure that this condition holds when the CPU is
accessing the SCM.

Target Specification 155 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

PKC Module Confidential

6.5 Further detailed definition/specification of commands

Note:

1. For all following commands: If the input conditions are not fulfilled this will result in an undefined behavior.
2. Notation will be Z-specific: Unlike the notation in Section 6.2.5 and Section 6.2.6, for modular operations, the
module will be denoted as “n” or “p”, but not as “f”.

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

6.5.1 Arithmetic Operations.
The following table gives a short overview over the arithmetic operations:

Table 6-4 Overview over Arithmetic Operations

ADDN SUBN MULTN RED DIVN INV MULT INV2 RED2 EXP
Before
Operation:
CALCR2 has to X X X X
be set, if modul
is new.
Allowed values 2, 4 2, 4 2, 4 2, 4 2, 4 2, 4 2, 4 2, 4 2, 4 2, 4
for SIZE
Allowed values 0/1 0/1 0/1 0/1 0/1 0/1 0 0 0 0
for FIELD
Allowed values 1...15 1...15 1...15 1...15 1...15 1...15
for OPPTRA
Allowed values 1...15 1...15 1...15 1...15 1...15 1...15 1...15 1...15 1...15 1...15
for OPPTRB
Allowed values 1...15 1...15 1...15 1...15 1...15 1...15 1...15 1...15 1...15 1...15
for OPPTRC
module n (In R0) X X X X X
has to be odd.
Operation: ADDN SUBN MULTN RED DIV INV MULT INV DIV EXP
(a,b,n) (a,b,n) (a,b,n) (b,n) (a,b,n) (b,n) (a,b) (b,n) (b,n) (a,b,n)
After
Operation:
CALCR2 will be X X X X
reset
NOTINV may be X X
set

For more detailed information about the commans see the following subsections.

6.5.1.1 Modular Addition Command ADDN

The command ADDN realizes the mathematical operation

Target Specification 156 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

PKC Module Confidential

c := ADDN(a,b,n)
in Z if PKC_CMD.FIELD=0B or F2[X] if PKC_CMD.FIELD=1B respectively.

• PKC_CMD.CALCR2 = 1B, if (R2mod N) was not computed yet, i.e., this is the first modular operation using
the module n.
• PKC_CMD.SIZE = 2, 4.
• PKC_CONFIG.OPPTRA = 1, ..., 15.
• PKC_CONFIG.OPPTRB = 1, ..., 15.
• PKC_CONFIG.OPPTRC = 1, ..., 15.
• - If PKC_CMD.FIELD=0B then 0 ≤ a,b < n < 2^(64*PKC_CMD.SIZE), n has to be odd.
- If PKC_CMD.FIELD=1B then deg(a),deg(b) < deg(n) < (64*PKC_CMD.SIZE), n0=1B.

Output: (After operation finished)

Target Specification 158 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

PKC Module Confidential

6.5.1.4 Modular Reduction Command RED

The command RED realizes the mathematical operation
c := RED(b,n)
in Z if PKC_CMD.FIELD=0B or F2[X] if PKC_CMD.FIELD=1B respectively.

Input values:
• b: The integer or binary polynomial (depending on PKC_CMD.FIELD) is represented (according to the

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

coding described in Chapter 6.4.2) by the value in PKC_SCM_Ri, where i is the value in
PKC_CONFIG.OPPTRB.
• n: The integer or binary polynomial (depending on PKC_CMD.FIELD) is represented (according to the
coding described in Chapter 6.4.2) by the value in PKC_SCM_R0.

Further Input conditions:

• PKC_CMD.CALCR2 = 1B, if (R2mod N) was not computed yet, i.e., this is the first modular operation using
the module n.
• PKC_CMD.SIZE = 2,4.
• PKC_CONFIG.OPPTRB = 1, ..., 15.
• PKC_CONFIG.OPPTRC = 1, ..., 15.
• - If PKC_CMD.FIELD=0B then 0 ≤ b,n < 2^(64*PKC_CMD.SIZE), n has to be odd.
- If PKC_CMD.FIELD=1B then deg(b),deg(n) < (64*PKC_CMD.SIZE), n0=1B.

Output: (After operation finished)

6.5.1.5 Modular Division Command DIVN

The command DIVN realizes the mathematical operation
c := DIVN(a,b,n)
in Z if PKC_CMD.FIELD=0B or F2[X] if PKC_CMD.FIELD=1B respectively.

Target Specification 159 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

PKC Module Confidential

Further Input conditions:

• PKC_CMD.SIZE = 2, 4.
• PKC_CONFIG.OPPTRA = 1, ..., 15.
• PKC_CONFIG.OPPTRB = 1, ..., 15.
• PKC_CONFIG.OPPTRC = 1, ..., 15.
• - If PKC_CMD.FIELD=0B then 0 ≤ a,b < n < 2^(64*PKC_CMD.SIZE), n has to be odd.
- If PKC_CMD.FIELD=1B then deg(a),deg(b) < deg(n) < (64*PKC_CMD.SIZE), n0=1B.

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

Output: (After operation finished)
• c: The integer or binary polynomial (depending on PKC_CMD.FIELD) is represented (according to the
coding described in Chapter 6.4.2) by the value in PKC_SCM_Ri, where i is the value in
PKC_CONFIG.OPPTRC.

6.5.1.6 Modular Inversion Command INV

Target Specification 161 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

PKC Module Confidential

Output: (After operation finished)

• PKC_STATUS.NOTINV = 1B if b is not invertible modulo n, i.e., if the gcd of b and n is not 1. In this case c is
in an undefined state. Otherwise:
• c: The integer is represented (according to the coding described in Chapter 6.4.2) by the value in
PKC_SCM_Ri, where i is the value in PKC_CONFIG.OPPTRC.
• PKC_CMD.CALCR2 = 0B.

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

6.5.1.9 Modular Reduction Command RED2
The command RED2 realizes the mathematical operation
c := RED(b,n)
in Z if PKC_CMD.FIELD=0B. Contrary to RED, this command works even in the case, when the LSB of n is 0B.

Attention: The case F2[X] with PKC_CMD.FIELD=1B is not supportet.

Further Input conditions:

• PKC_CMD.SIZE = 2, 4.
• PKC_CONFIG.OPPTRB = 1, ..., 15.
• PKC_CONFIG.OPPTRC = 1, ..., 15.
• 0 ≤ b,n < 2^(64*PKC_CMD.SIZE), n not 0.

Output: (After operation finished)

• c: The integer is represented (according to the coding described in Chapter 6.4.2) by the value in
PKC_SCM_Ri, where i is the value in PKC_CONFIG.OPPTRC.

6.5.1.10 Modular Exponentiation Command EXP

The command EXP realizes the mathematical operation
c := EXPN(a,b,n)
in Z independent of the value of PKC_CMD.FIELD.

Input values:
• a: The integer is represented (according to the coding described in Chapter 6.4.2) by the value in
PKC_SCM_Ri, where i is the value in PKC_CONFIG.OPPTRA.
• b: The integer is represented (according to the coding described in Chapter 6.4.2) by the value in
PKC_SCM_Ri, where i is the value in PKC_CONFIG.OPPTRB.
• n: The integer is represented (according to the coding described in Chapter 6.4.2) by the value in
PKC_SCM_R0.

Target Specification 162 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

PKC Module Confidential

Further Input conditions:

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

• PKC_CMD.FIELD=0B, if PKC_CMD.FIELD=1B this bit will be ignored.
• 0 ≤ a,b,n < 2^(64*PKC_CMD.SIZE), n has to be odd.

Output: (After operation finished)

• c: The integer is represented (according to the coding described in Chapter 6.4.2) by the value in
PKC_SCM_Ri, where i is the value in PKC_CONFIG.OPPTRC.
• PKC_CMD.CALCR2 = 0B

6.5.2 Elliptic Curve Operations.

For the description of elliptic curve comands, the following notation is used:
• a := ((-1)^PKC_CMD.SIGNA) * a,
b := ((-1)^PKC_CMD.SIGNB) * b,
if PKC_CMD.FIELD=0B or, with
• a := a,
b := b,
if PKC_CMD.FIELD=1B.
The following table gives a short overview:

Table 6-5 Overview over Elliptic Curve Operations

PDBL PADD SMULT CHECKAB CHECKN CHECKPXY
Before Operation:
CALCR2 has to be set, if X X X X
modul is new.
Allowed values for SIZE 4 4 4 4 4 4
Allowed values for FIELD 0/1 0/1 0/1 0/1 0/1 0/1
Allowed values for 6H, 8H, CH, EH 6H, 8H, CH, EH 6H, 8H, CH, EH 6H, 8H, CH, EH 6H, 8H, CH, EH 6H, 8H, CH, EH
OPPTRA
Allowed values for 6H, 8H, CH, EH 6H, 8H, CH, EH 6H, 8H, CH, EH 6H, 8H, CH, EH 6H, 8H, CH, EH
OPPTRB
Allowed values for 6H, 8H, CH, EH 6H, 8H, CH, EH 6H, 8H, CH, EH 6H, 8H, CH, EH 6H, 8H, CH, EH 6H, 8H, CH, EH
OPPTRC
p (In R0) has to be odd. X X X X X X
Operation: PDBL PADD SMULT a < p,b < p,... n != p xA, yA < p
(Pa,a,b,p) (Pa,Pb,a,b,p) (k,Pa,a,b,n)

Target Specification 163 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

PKC Module Confidential

Table 6-5 Overview over Elliptic Curve Operations (cont’d)

PDBL PADD SMULT CHECKAB CHECKN CHECKPXY
After Operation:
CALCR2 will be reset X X X (X)1)
SIGNA will be reset and X X X (X)
R4 set to (a mod p)
SIGNB will be reset and X X X (X)

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

R5 set to (b mod p)
ABNV may be set X
NNV may be set X
XYNV may be set X
INFTY may be set X X X
FLADD may be set X X X
1) The (X) means that this may happen or not. It definitely happens if the output of the test is positive. Otherwise it
depends on the error case.

For more detailed information about the commands see the following subsections.

6.5.2.1 Point Doubling Command PDBL

The command PDBL realizes the point doubling operation
PC := PDBL(PA,a,b,p)
on an elliptic curve E(a,b,p).

Input values:
• p: The integer or binary polynomial (depending on PKC_CMD.FIELD) is represented (according to the
coding described in Chapter 6.4.2) by the value in PKC_SCM_R0.
• a: The integer or binary polynomial (depending on PKC_CMD.FIELD) is represented (according to the
coding described in Chapter 6.4.2) by the value in PKC_SCM_R4.
• b: The integer or binary polynomial (depending on PKC_CMD.FIELD) is represented (according to the
coding described in Chapter 6.4.2) by the value in PKC_SCM_R5.
• PA=(xA,yA):
xA: The x-coordinate of PA is an integer or binary polynomial (depending on PKC_CMD.FIELD) which is
represented (according to the coding described in Chapter 6.4.2) by the value in PKC_SCM_Ri, where i is
the value in PKC_CONFIG.OPPTRA.
yA: The y-coordinate of PA is an integer or binary polynomial (depending on PKC_CMD.FIELD) which is
represented (according to the coding described in Chapter 6.4.2) by the value in PKC_SCM_Ri+1, where i
is the value in PKC_CONFIG.OPPTRA.

Further Input conditions:

• PKC_CMD.CALCR2 = 1B, if (R2mod N) was not computed yet, i.e., this is the first modular operation using
the module p.
• PKC_CMD.SIZE = 4.

Target Specification 164 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

PKC Module Confidential

• PKC_CONFIG.OPPTRA = 6H, 8H, CH, EH.

• PKC_CONFIG.OPPTRC = 6H, 8H, CH, EH.
• - If PKC_CMD.FIELD=0B then 0 ≤ xA,yA,a,b < p < 2^(64*PKC_CMD.SIZE), p has to be odd.
- If PKC_CMD.FIELD=1B then deg(xA),deg(yA),deg(a),deg(b) < deg(p) < (64*PKC_CMD.SIZE), p0=1B.
• a, b, p are valid parameters such that an elliptic curve E(a,b,p) is defined.
• PA lies on the curve E(a,b,p).

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

Output: (After operation finished)
• PC=(xC,yC):
xC: The x-coordinate of PC is an integer or binary polynomial (depending on PKC_CMD.FIELD) which is
represented (according to the coding described in Chapter 6.4.2) by the value in PKC_SCM_Ri, where i is
the value in PKC_CONFIG.OPPTRC.
yC: The y-coordinate of PC is an integer or binary polynomial (depending on PKC_CMD.FIELD) which is
represented (according to the coding described in Chapter 6.4.2) by the value in PKC_SCM_Ri+1, where i
is the value in PKC_CONFIG.OPPTRC.
• PKC_CMD.CALCR2 = 0B
• PKC_CMD.SIGNA = 0B, PKC_CMD.SIGNB = 0B, PKC_SCM_R4 = a, PKC_SCM_R5 = b,
• PKC_STATUS.INFTY = 1B, if a point at infinity occured.
In this case PKC_STATUS.FLADD shows the address of the point at infinity (i.e., OPPTRC).

6.5.2.2 Point Addition Command PADD

The command PADD realizes the point addition operation
PC := PADD(PA,PB,a,b,p)
on an elliptic curve E(a,b,p).

Target Specification 165 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

• PKC_CMD.CALCR2 = 0B (sometimes).
• PKC_CMD.SIGNA = 0B, PKC_CMD.SIGNB = 0B, PKC_SCM_R4 = a, PKC_SCM_R5 = b (sometimes).
• PKC_STATUS.ABNV = 0B, if the check generates a TRUE.
• PKC_STATUS.ABNV = 1B, if the check generates a FALSE.

6.5.2.5 Parameter Check CHECKN

The command CHECKN checks the parameters n (some point order), for validity. The check goes for: n != p.

Input values:
• p: The integer or binary polynomial (depending on PKC_CMD.FIELD) is represented (according to the
coding described in Chapter 6.4.2) by the value in PKC_SCM_R0.
• n: The integer or binary polynomial (depending on PKC_CMD.FIELD) is represented (according to the
coding described in Chapter 6.4.2) by the value in PKC_SCM_R1.

Output: (After operation finished)

• PKC_STATUS.NNV = 0B, if the check generates a TRUE.
• PKC_STATUS.NNV = 1B, if the check generates a FALSE.

6.5.2.6 Parameter Check CHECKPXY

The command CHECKPXY checks the coordinates of point PA=(xA,yA) for validity:
• If PKC_CMD.FIELD = 0B the check goes for:
– xA < p AND
– yA < p .
• If PKC_CMD.FIELD = 1B the check is done for integers (i.e., xA,yA, p are interpreted as integers) and it goes
for:
– xA < p AND
– yA < p.

Target Specification 168 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

PKC Module Confidential

Input values:
• p: The integer or binary polynomial (depending on PKC_CMD.FIELD) is represented (according to the
coding described in Chapter 6.4.2) by the value in PKC_SCM_R0.
• PA=(xA,yA):
xA: The x-coordinate of PA is an integer or binary polynomial (depending on PKC_CMD.FIELD) which is
represented (according to the coding described in Chapter 6.4.2) by the value in PKC_SCM_Ri, where i is
the value in PKC_CONFIG.OPPTRA.

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

yA: The y-coordinate of PA is an integer or binary polynomial (depending on PKC_CMD.FIELD) which is
represented (according to the coding described in Chapter 6.4.2) by the value in PKC_SCM_Ri+1, where i
is the value in PKC_CONFIG.OPPTRA.

Output: (After operation finished)

• PKC_STATUS.XYNV = 0B, if the check generates a TRUE.
• PKC_STATUS.XYNV = 1B, if the check generates a FALSE.

6.5.2.7 Scalar Multiplication Command SMULT25519

The command SMULT25519 realizes the scalar multiplication operation
PC := SMULTcurve25519(k,PA) = M-SMULT(k,PA, A, B, p)
on the elliptic curve Montgomery Curve25519=M(A,B,p), for p=2255-19, A = 486662, B = 1.

Input values:
• p: The integer module 2255-19 is represented (according to the coding described in Chapter 6.4.2) by the
value in PKC_SCM_R0.
• xA: The x-coordinate of PA is an integer which is represented (according to the coding described in
Chapter 6.4.2) by the value in PKC_SCM_Ri, where i is the value in PKC_CONFIG.OPPTRA.
• (A-2)/4=1DB41H: The integer is represented (according to the coding described in Chapter 6.4.2) by the
value in PKC_SCM_Ri+1, where i is the value in PKC_CONFIG.OPPTRA.
• k: The integer is represented (according to the coding described in Chapter 6.4.2) by the value in
PKC_SCM_Ri, where i is the value in PKC_CONFIG.OPPTRB.

Further Input conditions:

• PKC_CMD.CALCR2 = 1B, if (R2mod N) was not computed yet, i.e., this is the first modular operation using
the module p.
• PKC_CMD.SIZE = 4.
• PKC_CONFIG.OPPTRA = 2H,4H,6H, 8H,AH,CH, EH.
• PKC_CONFIG.OPPTRC = 2H,4H,6H, 8H,AH,CH, EH.
• PKC_CONFIG.OPPTRB = 2H,4H,6H, 8H,AH,CH, EH.
• PKC_CMD.FIELD=0B.
• PA lies on the curve Curve25519.

Output: (After operation finished)

• xC: The x-coordinate of PC is an integer which is represented (according to the coding described in
Chapter 6.4.2) by the value in PKC_SCM_Ri, where i is the value in PKC_CONFIG.OPPTRC.

Target Specification 169 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

PKC Module Confidential

• PKC_CMD.CALCR2 = 0B,

6.5.2.8 X-Coordinate Recovery XRECOVER

The command XRECOVER realizes the scalar multiplication operation
x := XrecoverEd25519(y).
on the elliptic curve Ed25519=Ed(a,d,p), for p=2255-19, a = -1, d = 121666-1 - 1 mod p.

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

Input values:
• p: The integer module 2255-19 is represented (according to the coding described in Chapter 6.4.2) by the
value in PKC_SCM_R0.
• (p-5)/8 := 0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDH: This is a special
integer used for the computation which is represented (according to the coding described in
Chapter 6.4.2) by the value in PKC_SCM_R4.
• y: The y-coordinate of a point is an integer which is represented (according to the coding described in
Chapter 6.4.2) by the value in PKC_SCM_R8.
• d := 52036CEE2B6FFE738CC740797779E89800700A4D4141D8AB75EB4DCA135978A3H: The integer is
represented (according to the coding described in Chapter 6.4.2) by the value in PKC_SCM_R10.
• J := 2B8324804FC1DF0B2B4D00993DFBD7A72F431806AD2FE478C4EE1B274A0EA0B0H: The integer is the
square root modulo p and is represented (according to the coding described in Chapter 6.4.2) by the value
in PKC_SCM_R11.

Further Input conditions:

• PKC_CMD.CALCR2 = 1B, if (R2mod N) was not computed yet, i.e., this is the first modular operation using
the module p.
• PKC_CMD.SIZE = 4.
• PKC_CMD.FIELD=0B.

Output: (After operation finished)

• x: An x-coordinate of a point with coordinate y is an integer which is represented (according to the coding
described in Chapter 6.4.2) by the value in PKC_SCM_R6.
• PKC_CMD.CALCR2 = 0B,

6.5.2.9 Scalar Multiplication Command SMULTED25519

The command SMULTED25519 realizes the scalar multiplication operation
PC := SMULTEd25519(k,PA) = Ed-SMULT(k,PA, a, d, p)
on the elliptic curve Ed25519, for p=2255-19, a = -1, d = 121666-1 - 1 mod p.

Target Specification 170 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

PKC Module Confidential

• PA=(xA,yA):
xA: The x-coordinate of PA is an integer which is represented (according to the coding described in
Chapter 6.4.2) by the value in PKC_SCM_Ri, where i is the value in PKC_CONFIG.OPPTRA.
yA: The y-coordinate of PA is an integer which is represented (according to the coding described in
Chapter 6.4.2) by the value in PKC_SCM_Ri+1, where i is the value in PKC_CONFIG.OPPTRA. .
• k: The integer is represented (according to the coding described in Chapter 6.4.2) by the value in
PKC_SCM_Ri, where i is the value in PKC_CONFIG.OPPTRB.

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

Further Input conditions:
• PKC_CMD.CALCR2 = 1B, if (R2mod N) was not computed yet, i.e., this is the first modular operation using
the module p.
• PKC_CMD.SIZE = 4.
• PKC_CONFIG.OPPTRA = 2H,4H,6H, 8H,AH,CH, EH.
• PKC_CONFIG.OPPTRC = 2H,4H,6H, 8H,AH,CH, EH.
• PKC_CONFIG.OPPTRB = 2H,4H,6H, 8H,AH,CH, EH.
• PKC_CMD.FIELD=0B.
• PA lies on the curve Ed25519.

Output: (After operation finished)

• PC=(xC,yC):
xC: The x-coordinate of PC is an integer which is represented (according to the coding described in
Chapter 6.4.2) by the value in PKC_SCM_Ri, where i is the value in PKC_CONFIG.OPPTRC.
yC: The y-coordinate of PC is an integer which is represented (according to the coding described in
Chapter 6.4.2) by the value in PKC_SCM_Ri+1, where i is the value in PKC_CONFIG.OPPTRC.
• PKC_CMD.CALCR2 = 0B,

6.5.2.10 Signature Verification CHECKVALID

The command CHECKVALID checks the validity of the following equation on the curve Ed25519:
S*PB = h * PA + PR
on the elliptic curve Ed25519=Ed(a,d,p), for p=2255 - 19, a = -1, d = 121666-1 - 1 mod p.

Input values:
• p: The integer module 2255-19 is represented (according to the coding described in Chapter 6.4.2) by the
value in PKC_SCM_R0.
• D2 := d*2257 mod p = 590456B4E53F8A4DCB27240F78310D2021430EEF5F8C52E701DB17FDBE8FD3F4H is a
special integer used for the computation which is represented (according to the coding described in
Chapter 6.4.2) by the value in PKC_SCM_R1.
• PB=(xB,yB):
xB: The x-coordinate of PB is an integer which is represented (according to the coding described in
Chapter 6.4.2) by the value in PKC_SCM_R2.
yB: The y-coordinate of PB is an integer which is represented (according to the coding described in
Chapter 6.4.2) by the value in PKC_SCM_R3.

Target Specification 171 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

PKC Module Confidential

• S: The integer is represented (according to the coding described in Chapter 6.4.2) by the value in
PKC_SCM_R4.
• h: The integer is represented (according to the coding described in Chapter 6.4.2) by the value in
PKC_SCM_R5.
• PA=(xA,yA):
xA: The x-coordinate of PA is an integer which is represented (according to the coding described in
Chapter 6.4.2) by the value in PKC_SCM_R6.
yA: The y-coordinate of PA is an integer which is represented (according to the coding described in

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

Chapter 6.4.2) by the value in PKC_SCM_R7.
• PR=(xR,yR):
xR: The x-coordinate of PR is an integer which is represented (according to the coding described in
Chapter 6.4.2) by the value in PKC_SCM_R8.
yR: The y-coordinate of PR is an integer which is represented (according to the coding described in
Chapter 6.4.2) by the value in PKC_SCM_R9.

Further Input conditions:

• PKC_CMD.CALCR2 = 1B, if (R2mod N) was not computed yet, i.e., this is the first modular operation using
the module p.
• PKC_CMD.SIZE = 4.
• PKC_CMD.FIELD=0B.
• PA,PB,PR lie on the curve Ed25519.

Output: (After operation finished)

• PKC_CMD.CALCR2 = 0B,
• PKC_STATUS.SIGNV = 1B, if the equation is not valid.

Additional Output:
• P1=(x1,y1) := S*PB:
x1: The x-coordinate of P1 is an integer which is represented (according to the coding described in
Chapter 6.4.2) by the value in PKC_SCM_R10.
y1: The y-coordinate of P1 is an integer which is represented (according to the coding described in
Chapter 6.4.2) by the value in PKC_SCM_R11.
• P2=(x2,y2) := h*PA:
x2: The x-coordinate of P2 is an integer which is represented (according to the coding described in
Chapter 6.4.2) by the value in PKC_SCM_R12.
y2: The y-coordinate of P2 is an integer which is represented (according to the coding described in
Chapter 6.4.2) by the value in PKC_SCM_R13.
• P3=(x3,y3) := PR+P2:
x3: The x-coordinate of P3 is an integer which is represented (according to the coding described in
Chapter 6.4.2) by the value in PKC_SCM_R14.
y3: The y-coordinate of P3 is an integer which is represented (according to the coding described in
Chapter 6.4.2) by the value in PKC_SCM_R15.

Target Specification 172 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

PKC Module Confidential

6.5.2.11 ECDSA Signature generation ECDSASIG

Attention: This command may not be included in the delivery. Whether it is included, this can be seen
in the list of PKC_CMD.TYPE in “Control and Status Registers” on Page 144.
The command ECDSASIG realizes the ECDSA signature generation of a message,
(r,s) := ECDSASIG(h,ek,d,n,P,a,b,p)
on an elliptic curve E(a,b,p). See Chapter 6.2.2.4 and Chapter 6.2.6.4 for notation and more details.

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

Input values:
• p: The integer or binary polynomial (depending on PKC_CMD.FIELD) is represented (according to the
coding described in Chapter 6.4.2) by the value in PKC_SCM_R0.
• n: The integer is represented (according to the coding described in Chapter 6.4.2) by the value in
PKC_SCM_R1.
• a: The integer or binary polynomial (depending on PKC_CMD.FIELD) is represented (according to the
coding described in Chapter 6.4.2) by the value in PKC_SCM_R4.
• b: The integer or binary polynomial (depending on PKC_CMD.FIELD) is represented (according to the
coding described in Chapter 6.4.2) by the value in PKC_SCM_R5.
• d: The integer is represented (according to the coding described in Chapter 6.4.2) by the value in
PKC_SCM_R6.
• ek: The integer is represented (according to the coding described in Chapter 6.4.2) by the value in
PKC_SCM_R7.
• h: The integer is represented (according to the coding described in Chapter 6.4.2) by the value in
PKC_SCM_R12.
• P=(xP,yP):
xP: The x-coordinate of PA is an integer or binary polynomial (depending on PKC_CMD.FIELD) which is
represented (according to the coding described in Chapter 6.4.2) by the value in PKC_SCM_R2.
yP: The y-coordinate of PA is an integer or binary polynomial (depending on PKC_CMD.FIELD) which is
represented (according to the coding described in Chapter 6.4.2) by the value in PKC_SCM_R3.

Further Input conditions:

• PKC_CMD.CALCR2 = 1B, if (R2mod N) was not computed yet, i.e., this is the first modular operation using
the module p.
• PKC_CMD.SIZE = 4.
• - If PKC_CMD.FIELD=0B then 0 ≤ x,y,a,b < p < 2^(64*PKC_CMD.SIZE), p has to be odd.
- If PKC_CMD.FIELD=1B then deg(x),deg(y),deg(a),deg(b) < deg(p) < (64*PKC_CMD.SIZE), p0=1B.
• a, b, p are valid parameters such that an elliptic curve E(a,b,p) is defined.
• P lies on the curve E(a,b,p).
• n is the order of the Point P.
• 0 < ek < n-1 is a random number, generated uniformly in the intervall ]1, n-1[.
• h is a hash value of the message that has to be signed, generated according to the signature standard
which is going to be used. h has to be interpreted as an integer. 0 ≤ h < n.
• d is the secret key, 0 < d < n.

Target Specification 173 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

PKC Module Confidential

Output: (After operation finished)

• Signature (r,s):
r: The integer is represented (according to the coding described in Chapter 6.4.2) by the value in
PKC_SCM_R10.
s: The integer is represented (according to the coding described in Chapter 6.4.2) by the value in
PKC_SCM_R11.
• PKC_CMD.CALCR2 = 0B.

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

• PKC_CMD.SIGNA = 0B, PKC_CMD.SIGNB = 0B, PKC_SCM_R4 = a, PKC_SCM_R5 = b.

Additional Output:
• P1 = (x1,y1) := SMULT(ek,P,a,b,p):
x1: The x-coordinate of P1 is an integer or binary polynomial (depending on PKC_CMD.FIELD) which is
represented (according to the coding described in Chapter 6.4.2) by the value in PKC_SCM_R14.
y1: The y-coordinate of P1 is an integer or binary polynomial (depending on PKC_CMD.FIELD) which is
represented (according to the coding described in Chapter 6.4.2) by the value in PKC_SCM_R15.
• kinv := INV(ek,n) : The integer is represented (according to the coding described in Chapter 6.4.2) by the
value in PKC_SCM_R13.

Programming example, for ECDSA Signature Generation without this command:

If this command is not included in the delivery then it still can be implemented by using the following code:
This is illustrated for the settings with PKC_CMD.SIZE = 4 and PKC_CMD.SIGNA = PKC_CMD.SIGNB = 0B. If
(SIGNA,SIGNB) is not (0B, 0B) then the bits have to be taken into account only for the SMULT-operation.
Input: p, n, a, b, d, ek, h, P=(xP,yP), as defined above.
Output: Signature r,s
Additional Output: P1 := ek*P, r, d*r, d*r+h, kinv.
R0 <-- p
R1 <-- 0
R2 <-- h
R3 <-- d
R4 <-- a
R5 <-- b
R6 <-- xP
R7 <-- yP
R8 <-- ek
R9 <-- 0
R10<-- 0
R11<-- 0
R12<-- 0
R13<-- 0
R14<-- 0
R15<-- 0
// ek*P:
PKC_CONFG <-- 0x000C0806 // A=6, B=8, C=12
PKC_CMD <-- 0x80000422 // CALC2 | 256 bit | SMULT
[PKC_CMD <-- 0x800004A2 // CALC2 | 256 bit | SMULT for field=1]
PKC_CTRL <-- 0x00000001
Wait until PKC_STATUS.BUSY = 0
Check that PKC_STATUS = 0 // No error

Target Specification 174 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

PKC Module Confidential

// load R0 with value n

R0 <-- n
// r:= xP mod n
PKC_CONFG <-- 0x00090C00 // B=12, C=9
PKC_CMD <-- 0x80000404 // CALC2 | 256 bit | RED
PKC_CTRL <-- 0x00000001
Wait until PKC_STATUS.BUSY = 0
Check that PKC_STATUS = 0 // No error

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

// d*r mod n:
PKC_CONFG <-- 0x000B0903 // A=3, B=9, C=11
PKC_CMD <-- 0x00000403 // 256 bit | MULTN
PKC_CTRL <-- 0x00000001
Wait until PKC_STATUS.BUSY = 0
Check that PKC_STATUS = 0 // No error
// (h + ek*d) mod n:
PKC_CONFG <-- 0x000E0B02 // A=2, B=11, C=14
PKC_CMD <-- 0x00000401 // 256 bit | ADDN
PKC_CTRL <-- 0x00000001
Wait until PKC_STATUS.BUSY = 0
Check that PKC_STATUS = 0 // No error
// kinv:
PKC_CONFG <-- 0x00010800 // B=8, C=1
PKC_CMD <-- 0x00000406/9 // 256 bit | INV/INV2 if ek even
PKC_CTRL <-- 0x00000001
Wait until PKC_STATUS.BUSY = 0
Check that PKC_STATUS = 0 // No error
// s:
PKC_CONFG <-- 0x000A0E01 // A=1, B=14, C=10
PKC_CMD <-- 0x00000403 // 256 bit | MULTN
PKC_CTRL <-- 0x00000001
Wait until PKC_STATUS.BUSY = 0
Check that PKC_STATUS = 0 // No error
R9 = r
R10 = s

6.5.2.12 ECDSA Signature Verification ECDSAVER

Attention: This command may not be included in the delivery. Whether it is included, this can be seen
in the list of PKC_CMD.TYPE in “Control and Status Registers” on Page 144.
The command ECDSAVER realizes the ECDSA signature generation of a message,
Status := ECDSAVER(h,r,s,Q,n,P,a,b,p)
on an elliptic curve E(a,b,p). See Chapter 6.2.2.5 and Chapter 6.2.6.5 for notation and more details.

Input values:
• p: The integer or binary polynomial (depending on PKC_CMD.FIELD) is represented (according to the
coding described in Chapter 6.4.2) by the value in PKC_SCM_R0.

Target Specification 175 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

PKC Module Confidential

• n: The integer is represented (according to the coding described in Chapter 6.4.2) by the value in
PKC_SCM_R1.
• a: The integer or binary polynomial (depending on PKC_CMD.FIELD) is represented (according to the
coding described in Chapter 6.4.2) by the value in PKC_SCM_R4.
• b: The integer or binary polynomial (depending on PKC_CMD.FIELD) is represented (according to the
coding described in Chapter 6.4.2) by the value in PKC_SCM_R5.
• r: The integer is represented (according to the coding described in Chapter 6.4.2) by the value in

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

PKC_SCM_R10.
• s: The integer is represented (according to the coding described in Chapter 6.4.2) by the value in
PKC_SCM_R11.
• h: The integer is represented (according to the coding described in Chapter 6.4.2) by the value in
PKC_SCM_R12.
• P=(xP,yP):
xP: The x-coordinate of PA is an integer or binary polynomial (depending on PKC_CMD.FIELD) which is
represented (according to the coding described in Chapter 6.4.2) by the value in PKC_SCM_R2.
yP: The y-coordinate of PA is an integer or binary polynomial (depending on PKC_CMD.FIELD) which is
represented (according to the coding described in Chapter 6.4.2) by the value in PKC_SCM_R3.
• Q=(xQ,yQ):
xQ: The x-coordinate of PQ is an integer or binary polynomial (depending on PKC_CMD.FIELD) which is
represented (according to the coding described in Chapter 6.4.2) by the value in PKC_SCM_R8.
yQ: The y-coordinate of PQ is an integer or binary polynomial (depending on PKC_CMD.FIELD) which is
represented (according to the coding described in Chapter 6.4.2) by the value in PKC_SCM_R9.

Further Input conditions:

• PKC_CMD.CALCR2 = 1B, if (R2mod N) was not computed yet, i.e., this is the first modular operation using
the module p.
• PKC_CMD.SIZE = 4.
• - If PKC_CMD.FIELD=0B then 0 ≤ x,y,a,b < p < 2^(64*PKC_CMD.SIZE), p has to be odd.
- If PKC_CMD.FIELD=1B then deg(x),deg(y),deg(a),deg(b) < deg(p) < (64*PKC_CMD.SIZE), p0=1B.
• a, b, p are valid parameters such that an elliptic curve E(a,b,p) is defined.
• P lies on the curve E(a,b,p).
• n is the order of the Point P.
• Q lies on the curve E(a,b,p).
• h is a hash value of the message that has to be signed, generated according to the signature standard
which is going to be used. h has to be interpreted as an integer. 0 ≤ h < n.

Output: (After operation finished)

• PKC_CMD.CALCR2 = 0B.
• PKC_CMD.SIGNA = 0B, PKC_CMD.SIGNB = 0B, PKC_SCM_R4 = a, PKC_SCM_R5 = b.
• PKC_STATUS.XYNV = 1B, if the signature is not valid: This happens, if:
– xQ, yQ are not valid
– s ≥ n (In this case PKC_STATUS.FLADD = AH),
– r ≥ n (In this case PKC_STATUS.FLADD = AH).

Target Specification 176 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

PKC Module Confidential

• PKC_STATUS.INFTY = 1B, if the signature is not valid: This happens, if:

– P1 = 0. (In this case PKC_STATUS.FLADD = 8H).

PKC_SCM_R2[2] = 0x1D75D094
PKC_SCM_R2[3] = 0x0352A1F0
PKC_SCM_R2[4] = 0x00000000
PKC_SCM_R2[5] = 0x00000000
PKC_SCM_R2[6] = 0x00000000
PKC_SCM_R2[7] = 0x00000000

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

c := MULTN(a,b,n)
======================================================================
INPUT:
a = 0x00000083141AE94B361C9779CE5FC74C529B6005A0E755662FFB52733649ABCC
b = 0x000000BD332F16ED5E7B5B4A2DD1C0A0AC6A7BEBF78409DBEFE2A44BF1EDE8AE
n = 0x000002C352DC107EB45AC407A196F9C8889F77F1F1D2EEBAA9E01F0F0000C3CD
in Z
size = 4
OPPTRA = 13
OPPTRB = 11
OPPTRC = 9
OUTPUT:
c = 0x0000018A570FAD7E8C669A34591FBBE5C24C6EF2DFAC11258D521902A3548D79
======================================================================

R0 <-- 0x2C352DC107EB45AC407A196F9C8889F77F1F1D2EEBAA9E01F0F0000C3CD
R13<-- 0x83141AE94B361C9779CE5FC74C529B6005A0E755662FFB52733649ABCC
R11<-- 0xBD332F16ED5E7B5B4A2DD1C0A0AC6A7BEBF78409DBEFE2A44BF1EDE8AE
PKC_CONFG <-- 0x00090B0D
PKC_CMD <-- 0x80000403
PKC_CTRL <-- 0x00000001
Wait until PKC_STATUS.BUSY = 0

Now, the result is:

PKC_SCM_R9[0] = 0xA3548D79
PKC_SCM_R9[1] = 0x8D521902
PKC_SCM_R9[2] = 0xDFAC1125
PKC_SCM_R9[3] = 0xC24C6EF2
PKC_SCM_R9[4] = 0x591FBBE5
PKC_SCM_R9[5] = 0x8C669A34
PKC_SCM_R9[6] = 0x570FAD7E
PKC_SCM_R9[7] = 0x0000018A

Target Specification 181 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

PKC Module Confidential

OPPTRB = 11
OPPTRC = 9
OUTPUT:
c = 0x000001C0F8520023C2B232CD9B99BF289B0D80AA4333D3A894242B3C0289D0B0
======================================================================

R0 <-- 0x2C352DC107EB45AC407A196F9C8889F77F1F1D2EEBAA9E01F0F0000C3CD
R13<-- 0x83141AE94B361C9779CE5FC74C529B6005A0E755662FFB52733649ABCC

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

R11<-- 0xBD332F16ED5E7B5B4A2DD1C0A0AC6A7BEBF78409DBEFE2A44BF1EDE8AE
PKC_CONFG <-- 0x00090B0D
PKC_CMD <-- 0x80000483
PKC_CTRL <-- 0x00000001
Wait until PKC_STATUS.BUSY = 0

Now, the result is:

PKC_SCM_R9[0] = 0x0289D0B0
PKC_SCM_R9[1] = 0x94242B3C
PKC_SCM_R9[2] = 0x4333D3A8
PKC_SCM_R9[3] = 0x9B0D80AA
PKC_SCM_R9[4] = 0x9B99BF28
PKC_SCM_R9[5] = 0xC2B232CD
PKC_SCM_R9[6] = 0xF8520023
PKC_SCM_R9[7] = 0x000001C0

c := RED(b,n)
======================================================================
INPUT:
b = 0x0000000000000000000000000000000052DC107EB45AC407A196F9C8889F77F1
n = 0x000000000000000000000000000000000000000000000001A9E01F0F0000C3CD
in Z
size = 2
OPPTRB = 9
OPPTRC = 11
OUTPUT:
c = 0x000000000000000000000000000000000000000000000000AEF08CBBD7A2EF3C
======================================================================

R0 <-- 0x1A9E01F0F0000C3CD
R9 <-- 0x52DC107EB45AC407A196F9C8889F77F1
PKC_CONFG <-- 0x000B0900
PKC_CMD <-- 0x80000204
PKC_CTRL <-- 0x00000001
Wait until PKC_STATUS.BUSY = 0

Now, the result is:

PKC_SCM_R11[0] = 0xD7A2EF3C
PKC_SCM_R11[1] = 0xAEF08CBB
PKC_SCM_R11[2] = 0x00000000

Target Specification 182 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

PKC Module Confidential

PKC_SCM_R11[3] = 0x00000000
PKC_SCM_R11[4] = 0x00000000
PKC_SCM_R11[5] = 0x00000000
PKC_SCM_R11[6] = 0x00000000
PKC_SCM_R11[7] = 0x00000000

c := INV(b,n)
======================================================================

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

Now, the result is:

PKC_SCM_R14[0] = 0x0CFFEDB9
PKC_SCM_R14[1] = 0x81A9CB7C
PKC_SCM_R14[2] = 0xE34E05B5
PKC_SCM_R14[3] = 0x52736E45
PKC_SCM_R14[4] = 0xB9556A41
PKC_SCM_R14[5] = 0x83D722A4
PKC_SCM_R14[6] = 0xFAFFCB17
PKC_SCM_R14[7] = 0x32575AB9

x := Xrecovered25519(y,a,d,p)
ed25519
======================================================================
INPUT:
p = 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFED
a = 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEC
d = 0x52036CEE2B6FFE738CC740797779E89800700A4D4141D8AB75EB4DCA135978A3
D2= 0x0000000000000000000000000000000000000000000000000000000000000000
(p-5)/8= 0x0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD
I = 0x2B8324804FC1DF0B2B4D00993DFBD7A72F431806AD2FE478C4EE1B274A0EA0B0
PAy=0x6666666666666666666666666666666666666666666666666666666666666658

Target Specification 188 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

PKC Module Confidential

OUTPUT:
PCx=0x216936D3CD6E53FEC0A4E231FDD6DC5C692CC7609525A7B2C9562D608F25D51A
PCy=0x6666666666666666666666666666666666666666666666666666666666666658
======================================================================

R0 <-- 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFED
R4 <-- 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD
R8 <-- 0x6666666666666666666666666666666666666666666666666666666666666658

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

R10<-- 0x52036CEE2B6FFE738CC740797779E89800700A4D4141D8AB75EB4DCA135978A3
R11<-- 0x2B8324804FC1DF0B2B4D00993DFBD7A72F431806AD2FE478C4EE1B274A0EA0B0
PKC_CONFG <-- 0x00000000
PKC_CMD <-- 0x80000429 // CALC2 | xxx bit | XRecoverED25519
PKC_CTRL <-- 0x00000001
Wait until PKC_STATUS.BUSY = 0
Check that PKC_STATUS = 0 // No error

Now, the result is:

PKC_SCM_R6[0] = 0x8F25D51A
PKC_SCM_R6[1] = 0xC9562D60
PKC_SCM_R6[2] = 0x9525A7B2
PKC_SCM_R6[3] = 0x692CC760
PKC_SCM_R6[4] = 0xFDD6DC5C
PKC_SCM_R6[5] = 0xC0A4E231
PKC_SCM_R6[6] = 0xCD6E53FE
PKC_SCM_R6[7] = 0x216936D3
OR:
PKC_SCM_R6[0] = 0x70DA2AD3
PKC_SCM_R6[1] = 0x36A9D29F
PKC_SCM_R6[2] = 0x6ADA584D
PKC_SCM_R6[3] = 0x96D3389F
PKC_SCM_R6[4] = 0x022923A3
PKC_SCM_R6[5] = 0x3F5B1DCE
PKC_SCM_R6[6] = 0x3291AC01
PKC_SCM_R6[7] = 0x5E96C92C

PC := SMULTed25519(k,PB,a,d,p)
ed25519
======================================================================
INPUT:
p = 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFED
a = 0x-0000000000000000000000000000000000000000000000000000000000000001
d = 0x52036CEE2B6FFE738CC740797779E89800700A4D4141D8AB75EB4DCA135978A3
D2= 0x590456B4E53F8A4DCB27240F78310D2021430EEF5F8C52E701DB17FDBE8FD3F4
k = 0x633D67A11A64AE974822A985F1958D4B58C333568F1D419EFE3147D74B312EA5
PAx=0x216936D3CD6E53FEC0A4E231FDD6DC5C692CC7609525A7B2C9562D608F25D51A
PAy=0x6666666666666666666666666666666666666666666666666666666666666658
OPPTRA = 2
OPPTRB = 6
OPPTRC = 12
OUTPUT:

Target Specification 189 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

PKC Module Confidential

PCx=0x262A841805591EAFA9AF969F3550BF33282A4EC6091C110FCBCF7B286FDDCDBA
PCy=0x0F2888207764F26EDD8E98C43CDAF43BCC5E1BA75114BDB49135B1CD303C5E0F
======================================================================

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

R6 <-- 0x633D67A11A64AE974822A985F1958D4B58C333568F1D419EFE3147D74B312EA5
PKC_CONFG <-- 0x000C0602
PKC_CMD <-- 0x8000042A // CALC2 | xxx bit | SMULTED25519
PKC_CTRL <-- 0x00000001
Wait until PKC_STATUS.BUSY = 0
Check that PKC_STATUS = 0 // No error

Now, the result is:

PKC_SCM_R12[0] = 0x6FDDCDBA
PKC_SCM_R12[1] = 0xCBCF7B28
PKC_SCM_R12[2] = 0x091C110F
PKC_SCM_R12[3] = 0x282A4EC6
PKC_SCM_R12[4] = 0x3550BF33
PKC_SCM_R12[5] = 0xA9AF969F
PKC_SCM_R12[6] = 0x05591EAF
PKC_SCM_R12[7] = 0x262A8418
PKC_SCM_R13[0] = 0x303C5E0F
PKC_SCM_R13[1] = 0x9135B1CD
PKC_SCM_R13[2] = 0x5114BDB4
PKC_SCM_R13[3] = 0xCC5E1BA7
PKC_SCM_R13[4] = 0x3CDAF43B
PKC_SCM_R13[5] = 0xDD8E98C4
PKC_SCM_R13[6] = 0x7764F26E
PKC_SCM_R13[7] = 0x0F288820

Ed25519CheckValid(...)
ed25519
======================================================================
INPUT:
p = 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFED
a = 0x-0000000000000000000000000000000000000000000000000000000000000001
d = 0x52036CEE2B6FFE738CC740797779E89800700A4D4141D8AB75EB4DCA135978A3
D2= 0x590456B4E53F8A4DCB27240F78310D2021430EEF5F8C52E701DB17FDBE8FD3F4
Ax=0x24257A24D1A9664345F24E9668E9C83E11EC6B9BC9E44C64F1F3CB39540FC550
Ay=0x70286A0D4646B3E5FA1616FFE3BBDB72E079B8492464A3287AACA4ADDB67FF68
Bx=0x216936D3CD6E53FEC0A4E231FDD6DC5C692CC7609525A7B2C9562D608F25D51A
By=0x6666666666666666666666666666666666666666666666666666666666666658
Rx=0x129FCC11297110E87C11F0B26AB909BB122B5FD96F348C90F8045A38B6990B98
Ry=0x069F0246816B8CB596DCD3C1B422E8971CD5839A50CDB4796ACADB43CF6EE94C
S = 0x0CA7EAF57C70635EBD00C41EE52621AA76A905E66D30F341360F5CAD27177FA3
h = 0x029C71EA0F94997BFC46D4F1644D7B0BE7FE147345EE60A475063703431B0392
OUTPUT:

Target Specification 190 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

PKC Module Confidential

P1x=0x4CFE7900DE559A72A6FE6BB2649215113B13E6895F3AF9EDD76CDB2CD5469FEC
P1y=0x2168FA7908509972A32C4EE46BEEFDCA5C132EB69B6FB7102690E796BB88AB2B
P2x=0x176DC8053F6F41DA2C3CFD1D40774A8588BD9CCA424CAD7223A8C8490703080A
P2y=0x1F3D9DA2A6CB92DFCFB31787E1181D6F1646703A910BD170DDDAD58F3177FCA9
P3x=0x4CFE7900DE559A72A6FE6BB2649215113B13E6895F3AF9EDD76CDB2CD5469FEC
P3y=0x2168FA7908509972A32C4EE46BEEFDCA5C132EB69B6FB7102690E796BB88AB2B
======================================================================

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

R0 <-- 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFED
R1 <-- 0x590456B4E53F8A4DCB27240F78310D2021430EEF5F8C52E701DB17FDBE8FD3F4
R2 <-- 0x216936D3CD6E53FEC0A4E231FDD6DC5C692CC7609525A7B2C9562D608F25D51A
R3 <-- 0x6666666666666666666666666666666666666666666666666666666666666658
R4 <-- 0xCA7EAF57C70635EBD00C41EE52621AA76A905E66D30F341360F5CAD27177FA3
R5 <-- 0x29C71EA0F94997BFC46D4F1644D7B0BE7FE147345EE60A475063703431B0392
R6 <-- 0x24257A24D1A9664345F24E9668E9C83E11EC6B9BC9E44C64F1F3CB39540FC550
R7 <-- 0x70286A0D4646B3E5FA1616FFE3BBDB72E079B8492464A3287AACA4ADDB67FF68
R8 <-- 0x129FCC11297110E87C11F0B26AB909BB122B5FD96F348C90F8045A38B6990B98
R9 <-- 0x69F0246816B8CB596DCD3C1B422E8971CD5839A50CDB4796ACADB43CF6EE94C
PKC_CMD <-- 0x8000042B // CALC2 | xxx bit | CHECKVALIDED25519
PKC_CTRL <-- 0x00000001
Wait until PKC_STATUS.BUSY = 0
Check that PKC_STATUS = 0 // No error

Now, the result is:

PKC_SCM_R10[0] = 0xD5469FEC
PKC_SCM_R10[1] = 0xD76CDB2C
PKC_SCM_R10[2] = 0x5F3AF9ED
PKC_SCM_R10[3] = 0x3B13E689
PKC_SCM_R10[4] = 0x64921511
PKC_SCM_R10[5] = 0xA6FE6BB2
PKC_SCM_R10[6] = 0xDE559A72
PKC_SCM_R10[7] = 0x4CFE7900
PKC_SCM_R11[0] = 0xBB88AB2B
PKC_SCM_R11[1] = 0x2690E796
PKC_SCM_R11[2] = 0x9B6FB710
PKC_SCM_R11[3] = 0x5C132EB6
PKC_SCM_R11[4] = 0x6BEEFDCA
PKC_SCM_R11[5] = 0xA32C4EE4
PKC_SCM_R11[6] = 0x08509972
PKC_SCM_R11[7] = 0x2168FA79
PKC_SCM_R12[0] = 0x0703080A
PKC_SCM_R12[1] = 0x23A8C849
PKC_SCM_R12[2] = 0x424CAD72
PKC_SCM_R12[3] = 0x88BD9CCA
PKC_SCM_R12[4] = 0x40774A85
PKC_SCM_R12[5] = 0x2C3CFD1D
PKC_SCM_R12[6] = 0x3F6F41DA
PKC_SCM_R12[7] = 0x176DC805
PKC_SCM_R13[0] = 0x3177FCA9
PKC_SCM_R13[1] = 0xDDDAD58F

Target Specification 191 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

PKC Module Confidential

PKC_SCM_R13[2] = 0x910BD170
PKC_SCM_R13[3] = 0x1646703A
PKC_SCM_R13[4] = 0xE1181D6F
PKC_SCM_R13[5] = 0xCFB31787
PKC_SCM_R13[6] = 0xA6CB92DF
PKC_SCM_R13[7] = 0x1F3D9DA2
PKC_SCM_R14[0] = 0xD5469FEC
PKC_SCM_R14[1] = 0xD76CDB2C

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

PKC_SCM_R14[2] = 0x5F3AF9ED
PKC_SCM_R14[3] = 0x3B13E689
PKC_SCM_R14[4] = 0x64921511
PKC_SCM_R14[5] = 0xA6FE6BB2
PKC_SCM_R14[6] = 0xDE559A72
PKC_SCM_R14[7] = 0x4CFE7900
PKC_SCM_R15[0] = 0xBB88AB2B
PKC_SCM_R15[1] = 0x2690E796
PKC_SCM_R15[2] = 0x9B6FB710
PKC_SCM_R15[3] = 0x5C132EB6
PKC_SCM_R15[4] = 0x6BEEFDCA
PKC_SCM_R15[5] = 0xA32C4EE4
PKC_SCM_R15[6] = 0x08509972
PKC_SCM_R15[7] = 0x2168FA79
If any of the input variables is changed (by e.g. flipping one bit)
then PKC_STATUS != 0 // Signature not valid
i.e. PKC_STATUS.9 = 1 // Signature not valid

Target Specification 192 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Timer Module Confidential

7 Timer Module

7.1 Introduction
The timer module contains two independent 16-bit general purpose timers. The two timers are denoted
timer 0 and timer 1.

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

7.2 Overview
The timer module offers the following set of features:

Feature List
• Two independent 16-bit up counting timers.
• Four selectable clock sources per timer.
• Individually configurable prescaler.
• Reload capability on overflow.
• Interrupt capability.

7.3 Functional Description

Figure 7-1 shows an overview block diagram of the two timer implementations.

TPR_DIS0

Timer 0 Clk0
Timer 0 Clk1 Overflow Timer 0 Overflow
Prescaler TIM_CNT0
Timer 0 Clk2 Interrupt
Timer 0 Clk3
reload

reset
TF0

TSRC0 TPR0 TR0 TIM_RLD0

TPR_DIS1

Timer 1 Clk0
Timer 1 Clk1 Overflow Timer 1 Overflow
Prescaler TIM_CNT1
Timer 1 Clk2 Interrupt
Timer 1 Clk3
reload

reset
TF1

TSRC1 TPR1 TR1 TIM_RLD1

Figure 7-1 Timer Overview

Target Specification 193 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Timer Module Confidential

7.3.1 Timer Clock Selection

Each timer provides up to four clock inputs. The required clock source can be selected independently for each
timer by setting the TSRC bits in the timer control register TIM_CTRL appropriately. The respective timer must
be stopped before the clock source is changed (otherwise, the result may be undefined), which is done by
clearing TIM_CTRL.TR0 or TR1.

Table 7-1 Clock Sources for Timer 01)

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

Source Input Name and Description Available in TSRC0 Value
Sleep Mode
Timer Clk0 HSM System clock (100 / 50 / 25 MHz2)) Yes 00B
2)
Timer Clk1 HSM System clock (100 / 50 / 25 MHz ) No 01B
Timer Clk2 - - 10B
Timer Clk3 - - 11B
1) Empty fields indicate “no clock source connected”
2) The frequency depends on the setting of the clock divider CLKCTRL.CLKDIV

Table 7-2 Clock Sources for Timer 11)

Source Input Name and Description Available in TSRC1 Value
Sleep Mode
Timer Clk0 HSM System clock (100 / 50 / 25 MHz2)) Yes 00B
Timer Clk1 HSM System clock (100 / 50 / 25 MHz2)) No 01B
Timer Clk2 Overflow of Timer 0. This clock source is used to construct a Yes 10B
32-bit timer. Note, that the prescaler of timer 1 should be
disabled in this case.
Timer Clk3 - - 11B
1) Empty fields indicate “no clock source connected”
2) The frequency depends on the setting of the clock divider CLKCTRL.CLKDIV

7.3.1.1 Timer Clocks in Sleep and Halt Mode

Each timer gets two clock source for selection, one running during sleep mode and another one being stopped
during sleep mode. If the clock source running during sleep is selected, a timer interrupt can be used to wake-
up the system.
In debug or halt mode the timers will be stopped regardless of the selected clock source.

7.3.2 Prescaler
The frequency of the selected input clock can be divided by a programmable prescaler factor. The TPR bits in
the timer configuration register TIM_CFG determine whether the input clock will be divided by 4, 16, 64 or 512.
A prescaler factor of ’n’ means that the counter register will be incremented by every nth input clock cycle. If
no prescaler is needed, it may be disabled using the TPR_DIS bit (which effectively gives a prescaler factor of
1).
The timer must be stopped before modifying the prescaler factor. Attempts to alter the prescaler factor while
the timer is running will be ignored – the TPR value will be changed, but the current prescaler factor will be

Target Specification 194 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Timer Module Confidential

retained (which implies that the newly set prescaler value will be read back even though the timer is still
running on the old factor). The prescaler is reset when the timer is started. This means that a change of the
prescaler factor while the timer is running will become effective when that timer is stopped and started again.

7.3.3 Timer Reload

The key elements of the timer module are the 16-bit counter registers TIM_CNT0 and TIM_CNT1 and the 16-
bit timer reload registers TIM_RLD0 and TIM_RLD1 containing the initial value for the timer counter registers.

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

When a timer is started by setting bit TR in the timer control register TIM_CTRL, i.e. with the transition “timer
stopped” to “timer start”, the content of the timer reload register will be copied into the counter register. The
timer then starts counting upwards using the prescaled clock source. When the counter value overflows from
FFFFH to 0000H, an overflow event will be generated. This event sets the overflow flag TF and may cause an
interrupt. Furthermore, the counter register will be initialized again with the value of the timer reload register
TIM_RLD0 or TIM_RLD1 and the timer continues counting.
It is recommended to change the reload value only when the timer is stopped. However, it is possible to write
a new reload value at any time, but for proper functionality it must be ensured that the reload value remains
stable at the point in time when the reload takes place. Therefore modifications of the reload register content
have to be done a sufficient period of time before or after the timer overflow event. If the reload value is
changed at the time of the reload the behavior will be undefined. A newly written reload value always
becomes effective for the timer counter at the next overflow condition.

7.3.4 Timer Overflow and Interrupts

The overflow flag TIM_CTRL.TF is set by hardware when an overflow event occurs and stays set until it is
cleared by software. To modify the status of the overflow flag by software, bit TIM_CTRL.UNLOCK_TF has to
be set during the write access.
Independently of the overflow flag the timer generates an interrupt request each time an overflow event
occurs.

Target Specification 195 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Timer Module Confidential

7.4 Timer Register Description

A number of special function registers is implemented to control the timer operation, as listed in Table 7-4.

Table 7-3 Register Address Space

Module Base Address End Address Note
TIM EC00 0000H EC00 00FFH Timer module

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

Table 7-4 Register Overview
Register Short Name Register Long Name Offset Address Reset Value
Timer Register Description, Timer Registers
TIM_CTRL Timer Control Register 00H 0000H
TIM_CFG Timer Configuration Register 04H 0000H
TIM_CNT0 Timer Counter 0 Register 10H XXXXH
TIM_CNT1 Timer Counter 1 Register 14H XXXXH
TIM_RLD0 Timer Reload 0 Register 20H XXXXH
TIM_RLD1 Timer Reload 1 Register 24H XXXXH

The registers are addressed wordwise.

Target Specification 196 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Timer Module Confidential

7.4.1 Timer Registers

These special function registers control the timer module’s functions and present status.

Timer Control Register

This register controls the clock sources, overflow flag and provides status for two timers.

Notes

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

1. Start and stop requests require that the timer is provided with a running clock. If this is not ensured in a
particular situation, the TR can be read to obtain the actual status.
2. If a TR bit is cleared and an overflow event from the corresponding timer is already in the process of
synchronization from the timer to the system clock domain it is possible that the TF flag is set even a short time
after the timer has been requested to stop.

TIM_CTRL Offset Reset Value

Timer Control Register 00H 0000H

15 13 12 11 10 9 8 7 5 4 3 2 1 0
UNLO UNLO
Res TSRC1 CK_* TF1 TR1 Res TSRC0 CK_* TF0 TR0

rw w rwh rw rw w rwh rw

Field Bits Type Description

TSRC1 12:11 rw Timer 1 Clock Source
Selects the clock source of timer 1
00B T1CLK0, Timer 1 clock source 0.
01B T1CLK1, Timer 1 clock source 1.
10B T1CLK2, Timer 1 clock source 2.
11B T1CLK3, Timer 1 clock source 3.
UNLOCK_TF1 10 w Unlock TF1
On a write access this bit controls the access to the TF1 bit. Reading returns
always ’0’.
0B T1NC, write protection for TF1 is enabled
1B T1WE, write enable for TF1 is set
TF1 9 rwh Timer 1 Overflow Flag
This bit can be set by software and hardware. Software can only write this
bit if UNLOCK_TF1 is set as well.
0B T1NO, No overflow occurred / clear overflow
1B T1OV, Overflow occurred / set overflow
In case of simultaneous changes, the priority is software over hardware.
TR1 8 rw Timer 1 Run
0B T1S, Timer is off / stop timer
1B T1R, Timer is running / start timer

Target Specification 197 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Timer Module Confidential

Field Bits Type Description

TSRC0 4:3 rw Timer 0 Clock Source
Selects the clock source of timer 0
00B T0CLK0, Timer 0 clock source 0.
01B T0CLK1, Timer 0 clock source 1.
10B T0CLK2, Timer 0 clock source 2.
11B T0CLK3, Timer 0 clock source 3.

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

UNLOCK_TF0 2 w Unlock TF0
On a write access this bit controls the access to the TF0 bit. Reading returns
always ’0’.
0B T0NC, write protection for TF0 is enabled
1B T0WE, write enable for TF0 is set
TF0 1 rwh Timer 0 Overflow Flag
This bit can be set by software and hardware. Software can only write this
bit if UNLOCK_TF0 is set as well.
0B T0NO, No overflow occurred / clear overflow
1B T0OV, Overflow occurred / set overflow
In case of simultaneous changes, the priority is software over hardware.
TR0 0 rw Timer 0 Run
0B T0S, Timer is off / stop timer
1B T0R, Timer is running / start timer

Target Specification 198 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Timer Module Confidential

Timer Configuration Register

This register controls the external reload and prescaler behavior.

Note: The prescaler factors can only be changed if the corresponding timer is stopped.

TIM_CFG Offset Reset Value

Timer Configuration Register 04H 0000H

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

15 12 11 10 9 8 7 4 3 2 1 0
TPR_ TPR_
Res DIS1 RFU TPR1 Res DIS0 RFU TPR0

rw rw rw rw rw rw

Field Bits Type Description

TPR_DIS1 11 rw Timer 1 Prescaler Disable
0B T1PENB, prescaler for timer 1 is enabled
1B T1PDIS, prescaler for timer 1 is disabled
RFU 10 rw Reserved for Future Use
The bit shall be written as “0”
TPR1 9:8 rw Timer 1 Prescaler Adjust
The prescaler factor definition can be found in Table 7-5. If bit TPR_DIS1
is set, these bits are don’t care.
TPR_DIS0 3 rw Timer 0 Prescaler Disable
0B T0PENB, prescaler for timer 0 is enabled
1B T0PDIS, prescaler for timer 0 is disabled
RFU 2 rw Reserved for Future Use
The bit shall be written as “0”
TPR0 1:0 rw Timer 0 Prescaler Adjust
The prescaler factor definition can be found in Table 7-5. If bit TPR_DIS0
is set, these bits are don’t care.

Prescaler Adjustment

Table 7-5 Prescaler Adjustment

Prescaler Division Factor TPR_DISx TPRx
1 (prescaler is disabled) 1B xxB
4 0B 00B
16 0B 01B
64 0B 10B
512 0B 11B

Target Specification 199 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Timer Module Confidential

Timer Counter 0 Register

This register holds the current counter value of timer 0. The counter value can be modified by software
through TIM_RLD0, see Section 7.3.3.

TIM_CNT0 Offset Reset Value

Timer Counter 0 Register 10H XXXXH

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

15 0

COUNTER_VALUE

Field Bits Type Description

COUNTER_VALUE 15:0 r Timer 0 Counter Value
Current content of counter register for timer 0.

Timer Counter 1 Register

This register holds the current counter value of timer 1. The counter value can be modified by software
through TIM_RLD1, see Section 7.3.3.

TIM_CNT1 Offset Reset Value

Timer Counter 1 Register 14H XXXXH

15 0

COUNTER_VALUE

Field Bits Type Description

COUNTER_VALUE 15:0 r Timer 1 Counter Value
Current content of counter register for timer 1.

Target Specification 200 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Timer Module Confidential

Timer Reload 0 Register

Updating the reload register does not affect the counter register immediately. The counter register is
automatically loaded with the contents of the reload register when one of the conditions described in
Section 7.3.3 occurs.

TIM_RLD0 Offset Reset Value

Timer Reload 0 Register 20H XXXXH

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

15 0

RELOAD_VALUE

Field Bits Type Description

RELOAD_VALUE 15:0 rw Timer 0 Reload Value
Reload Value for timer 0.

Timer Reload 1 Register

TIM_RLD1 Offset Reset Value

Timer Reload 1 Register 24H XXXXH

15 0

RELOAD_VALUE

Field Bits Type Description

RELOAD_VALUE 15:0 rw Timer 1 Reload Value
Reload Value for timer 1.

Target Specification 201 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Timer Module Confidential

7.5 Programming Model

The timers can be used for various applications:
• single shot event triggered by software
• periodic multi-shot events
• software triggered watchdog
For all of the above applications the configuration of the timer resolution and period is done in an identical
way.

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

7.5.1 Timer Resolution and Period
The resolution of a timer in clock cycles of the input clock matches the prescaler factor nprescaler. The prescaler
factor can be set to one with bit TIM_CFG.TPR_DIS0 or TIM_CFG.TPR_DIS1 respectively (this effectively
disables the prescaler). Note that the prescaler value as well as the prescaler disable bits should only be
written when the respective timer is not running.
Assuming a stable frequency of the input clock, the resolution of the timer is:

n prescaler
t res [ µs ] =
f [ MHz ]
(7.1)
The timer period in clock cycles, i.e. the number of cycles of the selected input clock between two overflow
events when the timer is running without external reloads is:

n period = n prescaler ⋅ (65536 − RELOAD _ VALUE )

(7.2)
With a stable input clock frequency the time between two overflow events when the timer is running without
external reloads is:

n prescaler ⋅ (65536 − RELOAD _ VALUE )

t period [ µs ] = t res [ µs ] ⋅ (65536 − RELOAD _ VALUE ) =
f [ MHz]
(7.3)

Note: For some timer periods the values of the prescaler factor and the reload value are not well defined, i.e.
different settings of nprescaler and RELOAD_VALUE produce the same timer period.

7.5.2 Polling vs. Interrupt Handling

A timer overflow event can be handled by polling the timer overflow flag or by an interrupt service routine.

Polling mode
In polling mode the timer overflow flag TF has to be checked periodically by software. If the flag is set a timer
overflow event has occurred since the last time the flag was cleared (by software). To detect a further overflow
event TF has to be cleared first.
To clear an overflow flag the value 0B has to be written to TF while 1B is written to the corresponding unlock
bit UNLOCK_TF in the same write access.

Target Specification 202 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Timer Module Confidential

Interrupt mode
In interrupt mode the timer overflow event triggers an interrupt request. If the corresponding interrupt is
configured and enabled an interrupt service routine is executed in case of an overflow event.
The timer itself is prepared for interrupt mode and needs no additional configuration.
Note that the timer overflow flag and timer overflow interrupt generation are independent, so there is no need
to check or clear the timer overflow flag by the interrupt service routine. However, the overflow flag is only a
valid indication that the timer has generated an interrupt if it has been cleared before (see Polling mode

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

above).
It is recommended to configure and enable the interrupt before starting the timer.

7.5.3 Single Shot Event Triggered by Software

A timer is configured for a single overflow event by the following steps:
• Stop the timer by clearing the timer run bit TR if it is not already stopped. This is necessary since the
prescaler factor can be changed only if the timer is not running. Also the reload value is loaded into the
counter register only if the timer run bit is changed from 0B to 1B (or if an overflow occurs).
• Select the appropriate clock source by configuring TSRC.
• Configure the prescaler factor and reload value for the desired time according to Section 7.5.1.
• For interrupt mode only: configure and enable the timer overflow interrupt. An interrupt service routine
has to be available.
• Clear the overflow flag TF if not already cleared, see Section 7.5.2. This is mandatory for polling mode and
optional for interrupt mode.
• Start the timer by setting TR: the reload value is loaded into the counter register automatically.
• After detection of the overflow event by polling or by the interrupt service routine the timer has to be
stopped by clearing TR.

7.5.4 Periodic Multi-shot Events

The configuration of a timer for periodic timer overflow events is almost identical to the software triggered
single shot event configuration, see Section 7.5.3. Periodic timer overflow events are normally handled in
interrupt mode.
• Stop the timer by clearing the timer run bit TR if it is not already stopped. This is necessary since the
prescaler factor can be changed only if the timer is not running.
• Select the appropriate clock source by configuring TSRC.
• Configure the prescaler factor and reload value for the desired timer period according to Section 7.5.1.
• For interrupt mode only: configure and enable the timer overflow interrupt. An interrupt service routine
has to be available.
• Clear the overflow flag TF if not already cleared, see Section 7.5.2. This is mandatory for polling mode and
optional for interrupt mode.
• Start the timer by setting TR: the reload value is loaded into the counter register.
In contrast to the software triggered single shot event case the timer is not stopped after the first overflow
event.

Target Specification 203 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Timer Module Confidential

To avoid missing an overflow event the timer period must be longer than the worst case overflow handling
time. This includes the time for entering the interrupt service routine, execution of the service routine, return
from the service routine and runtime of all interrupts and exceptions with higher priority.

7.5.5 Software Triggered Watchdog

To use a timer as watchdog the same timer configuration as for a periodic multi-shot events can be used, see
Section 7.5.4. The difference is that the timer counter value is loaded with a new value by software without

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

generation of any overflow events. As the counter registers TIM_CNT0 and TIM_CNT1 are read only the
counter value has to be changed via the reload register TIM_RLD0 or TIM_RLD1:
• Stop the timer by clearing the timer run bit TR. This is necessary since the reload value is loaded into the
counter register only in case of an overflow event or if the timer run bit is changed from 0B to 1B.
• Write the new counter value in TIM_RLD0 or TIM_RLD1 respectively. For calculation of the timer period,
see Section 7.5.1.
• Start the timer again by setting TR, the reload value will be loaded into the counter register.

7.5.6 Cascading of Timers

Two timers can be cascaded to construct a 32-bit timer, whereas timer 0 represents the lower 16 bits and
timer 1 represents the upper 16 bits. The following configuration must be set to construct a proper 32-bit
timer:
• The overflow of timer 0 must be fed to the clock input of timer 1.
Select clock source 2 for timer 1 TIM_CTRL.TSRC1 = 10B
• The prescaler for timer 1 must be disabled (TIM_CFG.TPR_DIS1 = 1B).
• The reload value for timer 0 must be set to 0 (TIM_RLD0.RELOAD_VALUE = 0000H).
• The overflow interrupt for timer 0 must be disabled in the NVIC.

Target Specification 204 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Watchdog Timer Confidential

8 Watchdog Timer

8.1 Introduction
The timer module features a watchdog timer to monitor system operation for possible time-outs and to check
for the correct order of operations.

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

8.2 Overview
The watchdog timer module offers the following set of features:

Feature List
• One 16-bit upcounting watchdog timer.
• Two selectable clock sources.
• Fixed prescaler.
• Checkpoint functionality.
• Separate watchdog time-out and checkpoint mismatch events.

8.3 Functional Description

Figure 8-1 shows an overview block diagram of the watchdog timer implementation. The grey boxes are
registers or bit fields which can be read or written by software. The watchdog time-out and checkpoint
mismatch outputs trigger an interrupt when asserted.

WDT Clk0 :8 inc Overflow

WDT_VAL
WDT Clk1 :8
reload

WDT_SRV
timeout
interrupt
CLK_SEL ACT_WDT WDT_RELOAD OR
inc =
Checkpoint
INC_SRV WDT_SRV_INI load Register mismatch

Const 000AH

Figure 8-1 Watchdog timer overview

Target Specification 205 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Watchdog Timer Confidential

8.3.1 Clock Selection

The watchdog timer provides two clock inputs. The required clock source can be selected by setting the
CLK_SEL bits in the watchdog timer control register WDT_CTRL appropriately.

Table 8-1 Clock Sources for Watchdog Timer Module

Name and Description Available during CLK_SEL
Sleep Mode Value

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

HSM System clock (100 / 50 / 25 MHz1)) divided by 128 Yes 0B
1)
HSM System clock (100 / 50 / 25 MHz ) divided by 128 No 1B
1) The frequency depends on the setting of the clock divider CLKCTRL.CLKDIV

The frequency of the selected input clock is divided by another fixed factor of “8” (see also Figure 8-1).
Effectively, the HSM system clock is divided by a factor of 1024 (128 * 8). Assuming a system frequency of
100 MHz the watchdog timer can realize time out periods up to ~ 670 ms.

8.3.1.1 Timer Clocks in Sleep and Halt Mode

The watchdog timer gets two clock source for selection, one running during sleep mode and another one
being stopped during sleep mode. If the clock source running during sleep is selected, the watchdog timer can
expire during sleep mode and can generate a non-maskable interrupt, which then wakes up the system.
In debug or halt mode the watchdog timer will be stopped regardless of the selected clock source.

8.3.2 Watchdog Timer Operation

The key elements of the watchdog timer are a counter register WDT_VAL and a watchdog timer reload register
WDT_RELOAD containing the initial value for the counter register. When the watchdog timer is started by
setting bit WDT_CTRL.ACT_WDT, i.e. by the transition from cleared to set, the content of the reload register
will be copied to the counter register and the watchdog timer starts counting upwards using the prescaled
clock source. The counter register WDT_VAL is also reset to the value of WDT_RELOAD every time the
watchdog is “serviced” by writing to the service register WDT_SRV.
When the counter value switches from FFFFH to 0000H an overflow occurs. This time-out of the watchdog
causes an interrupt.

8.3.3 Watchdog Service

The watchdog timer is serviced by writing to the service register WDT_SRV. Two modes can be distinguished
depending on the setting of control bit WDT_CTRL.INC_SRV:
• If bit INC_SRV is cleared, the watchdog timer has to be serviced by writing the constant value 000AH to
register WDT_SRV. Any other value results in a checkpoint mismatch event.
• If bit INC_SRV is set, the value which will be written to the service count register WDT_SRV must be
incremented by one each time the register is written, otherwise an interrupt is triggered. The initial value
of the service counter (contained in WDT_SRV_INI) has to be set by software before operation of the
watchdog is started. For example, if the value of WDT_SRV_INI is 000AH, the first value to be written to
WDT_SRV for serving the watchdog timer must be 000BH. The next value must be 000CH, and so on.

Target Specification 206 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Watchdog Timer Confidential

8.3.4 Service Counter Period

When the control bit WDT_CTRL.INC_SRV is set the value which should be written to the service count register
WDT_SRV must be incremented each time the service register is accessed. The period respectively the length
of the service counter can be configured by the control bits WDT_CTRL.PERIOD. With these control bits the
period can be restricted to 2PERIOD. WDT_CTRL.PERIOD should only be changed while control bit
WDT_CTRL.INC_SRV is cleared. WDT_SRV_INI is not affected by WDT_CTRL.PERIOD. However, the value of
WDT_SRV_INI must be smaller than 2PERIOD. This has to be considered when changing the period value.

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

Target Specification 207 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Watchdog Timer Confidential

8.4 Watchdog Timer Register Description

A set of special function registers is implemented to control the watchdog timer operation, as listed in
Table 8-3.

Table 8-2 Register Address Space

Module Base Address End Address Note
WDT EC00 0100H EC00 01FFH Watchdog module

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

Table 8-3 Register Overview
Register Short Name Register Long Name Offset Address Reset Value
Watchdog Timer Register Description, Watchdog Timer Registers
WDT_CTRL Watchdog Timer Control Register 00H C000H
WDT_VAL Watchdog Timer Value Register 10H XXXXH
WDT_RELOAD Watchdog Timer Reload Register 14H XXXXH
WDT_SRV Watchdog Service Register 18H 000AH
WDT_SRV_INI Watchdog Service Initialization Register 1CH XXXXH
WDT_ACC_CTRL Watchdog Timer Access Control Register 40H 0003H

The registers are addressed wordwise.

Target Specification 208 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Watchdog Timer Confidential

8.4.1 Watchdog Timer Registers

These special function registers control the watchdog timer functions and present status.

Watchdog Timer Control Register

WDT_CTRL Offset Reset Value

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

Watchdog Timer Control Register 00H C000H

15 12 11 9 8 7 5 4 3 1 0
INC_ CLK_ ACT_
PERIOD Res SRV Res SEL Res WDT

rw rw rw rw

Field Bits Type Description

PERIOD 15:12 rw Watchdog Period
These bits define the period (= length of the service counter register).
INC_SRV 8 rw Increment Service
Increment service counter flag that determines how the watchdog timer is
serviced.
Writing an incorrect value will cause a checkpoint mismatch event.
0B ISN, The value 000AH must be used to service the watchdog.
1B IS1, The value to service the watchdog must be incremented by one with
each access.
CLK_SEL 4 rw Clock Select
Selects the clock source of the watchdog timer. Note, the watchdog timer
must be stopped before changing the clock source.
0B WDTCLK0, Watchdog timer clock source 0.
1B WDTCLK1, Watchdog timer clock source 1.
ACT_WDT 0 rw Active Watchdog Timer
Whenever ACT_WDT is changed from 0 to 1, the value in WDT_RELOAD is
loaded into WDT_VAL.
0B WTS, Watchdog timer is stopped.
1B WTR, Watchdog timer is running.

Target Specification 209 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Watchdog Timer Confidential

Watchdog Timer Value Register

WDT_VAL Offset Reset Value

Watchdog Timer Value Register 10H XXXXH

15 0

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

WDT_VAL

Field Bits Type Description

WDT_VAL 15:0 r Watchdog Timer Value
Current value of the watchdog timer. The initial value is obtained from the
reload register WDT_RELOAD each time the timer is serviced (provided that
the watchdog timer is active with WDT_CTRL.ACT_WDT set).

Target Specification 210 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Watchdog Timer Confidential

Watchdog Timer Reload Register

WDT_RELOAD Offset Reset Value

Watchdog Timer Reload Register 14H XXXXH

15 0

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

RELOAD_VAL

Field Bits Type Description

RELOAD_VAL 15:0 rw Watchdog Timer Reload Value
Value to be loaded into the watchdog timer value register (WDT_VAL) each
time the timer is (re)started.

Target Specification 211 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Watchdog Timer Confidential

Watchdog Service Register

This register is used to “service” the watchdog timer. An interrupt due to a checkpoint mismatch will be
triggered if a wrong value is written to the WDT_SRV register.

Note: This register shall not be updated via read-increment-write operations, as this compromises the
checkpoint functionality for which this register is intended.

WDT_SRV Offset Reset Value

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

Watchdog Service Register 18H 000AH

15 12 11 0

Res SRV_CNT

Field Bits Type Description

SRV_CNT 11:0 rw Service Counter
Watchdog service counter that needs to be written with an ascending
value to reload the watchdog timer. For a detailed description see
“Watchdog Service” on Page 206.

Target Specification 212 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Watchdog Timer Confidential

Watchdog Service Initialization Register

WDT_SRV_INI Offset Reset Value

Watchdog Service Initialization Register 1CH XXXXH

15 12 11 0

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

Res SRV_CNT_INI

Field Bits Type Description

SRV_CNT_INI 11:0 w Service Counter Initialization Value
The initial value for the WDT_SRV register is defined by this SFR. If the
WDT_CTRL.INC_SRV bit is ‘0’, writing to this register changes the initial value
of WDT_SRV, which will be used as soon as WDT_CTRL.INC_SRV is set. If
WDT_CTRL.INC_SRV is ‘0', the service value is always 000AH.

Note: The initial value has to be written before enabling WDT_CTRL.INC_SRV.

Target Specification 213 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Watchdog Timer Confidential

Watchdog Timer Access Control Register

The WDT_ACC_CTRL register determines the access rights to the watchdog timer registers. These are
separated into two groups: control and data registers.
This register can only be written at privilege level. User level can only read WDT_ACC_CTRL.
The reset value of the register allows the user level to access the watchdog timer registers. Privilege access
rights to watchdog data registers and to watchdog control registers can be assigned separately.
For instance, setting WDT_ACC_CTRL = 0002H disables user level access to the control registers of the

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

watchdog while the service register WDT_SRV can still be accessed.

WDT_ACC_CTRL Offset Reset Value

Watchdog Timer Access Control Register 40H 0003H

15 2 1 0
DATA CTRL
Res _ACC _ACC

rw rw

Field Bits Type Description

DATA_ACC 1 rw Data Access
Privilege level required to get access to the data registers of the module
(WDT_SRV):
0B PRIV, Privilege level.
1B USER, User level.
CTRL_ACC 0 rw Control Access
Privilege level required to get access to the control registers of the module
(WDT_CTRL, WDT_VAL, WDT_RELOAD, WDT_SRV_INI):
0B PRIV, Privilege level.
1B USER, User level.

Target Specification 214 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Watchdog Timer Confidential

8.5 Programming Model

The watchdog timer supports two main applications:
• watchdog operation and
• checkpoint operation.
As the watchdog and checkpoint operations are independent of each other, different modes of operation are
possible as listed in Table 8-4.

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

Table 8-4 Watchdog Checkpoint Operations
WDT_CTRL Effect
ACT_WDT INC_SRV
0 0 Watchdog timer is not running, the value 000AH must be used whenever
writing to WDT_SRV.
1 0 Watchdog timer operation: the value 000AH must be used whenever writing to
WDT_SRV.
0 1 Checkpoint operation: the value written to WDT_SRV must be incremented
by one each time.
1 1 Combined Watchdog and Checkpoint operation: the watchdog timer is
running, the value written to WDT_SRV must be incremented by one each
time.

8.5.1 Watchdog Timer Resolution and Period

As the prescaler of the watchdog is fixed the resolution of a watchdog timer is always 8 clock cycles of the
selected input clock.
Assuming a stable frequency of the input clock the resolution of the timer is:

128 ⋅ 8
t res [µs] =
f [M H z ] (8.1)
The time-out of the watchdog in clock cycles, i.e. the maximum number of cycles of the selected input clock
between a watchdog service and watchdog timer overflow is:

n period = 128 ⋅ 8 ⋅ (65536 − RELOAD _ VALUE)

(8.2)
or:

t period [µs] = t res [µs] ⋅ (65536 − RELOAD _ VALUE)

128 ⋅ 8 ⋅ (65536 − RELOAD _ VALUE) (8.3)
=
f[MHz]

8.5.2 Watchdog Operation

The basic application of a watchdog timer is to “service” it periodically such that a time-out of the watchdog
will be avoided. The watchdog timer is serviced by writing to the service register WDT_SRV causing a restart

Target Specification 215 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Watchdog Timer Confidential

of the watchdog timer with the value of WDT_RELOAD. Serving the watchdog during execution of critical code
monitors that the code is executed in a certain time.
The watchdog is configured for this operation by the following steps:
• Disable checkpoint operation by clearing bit INC_SRV.
• Stop the watchdog by clearing the timer run bit ACT_WDT if it is not already stopped. This is necessary
since the reload value is loaded into the counter register only if the watchdog activation bit is changed
from 0 to 1.

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

• Select the appropriate clock source by configuring CLK_SEL.
• Configure the reload value for the desired time according to Section 8.5.1.
• Start the watchdog operation by setting ACT_WDT.
The watchdog is serviced by writing the constant value 000AH to register WDT_SRV before watchdog time-out.

8.5.3 Checkpoint Operation

For checkpoint operation the watchdog is serviced by writing ascending values into the service counter
register WDT_SRV. This approach is used to check that the service points are handled in the correct order
allowing software to make use of a hardware supported flow control.
• Disable watchdog operation by clearing bit ACT_WDT.
• Clear bit INC_SRV. This is necessary since the initial value for the service counter is only loaded from
WDT_SRV_INI if INC_SRV changes from 0 to 1.
• Configure the initial value for the service counter by writing to WDT_SRV_INI.
• Enable checkpoint operation by setting INC_SRV: the first valid service value is the value of
WDT_SRV_INI + 1.
The watchdog is serviced in checkpoint operation mode by writing ascending values to WDT_SRV starting
with the value of WDT_SRV_INI + 1.

Target Specification 216 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Bridge Module Confidential

9 Bridge Module
This chapter describes the HSM’s bridge module. It contains the following sections:
• Introduction.
• Functional Description.
• Bridge Registers.

9.1 Introduction

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

The main purpose of the bridge module is to connect the Hardware Security Module (HSM) subsystem to the
host system and to enable communication between the two systems. All interaction between HSM and host
runs through the bridge module.
The bridge module includes some Special Function Registers (SFRs) which allow synchronization of the
communication between the host and HSM. This includes interrupt generation for both sides, see
Section 9.2.2.
The HSM has principally full access to the host system, i.e. to memories and peripherals.
The host system has only restricted access to the HSM resources. While not in HSM debug mode or memory
testing, access to all internal HSM memories and peripherals is not possible. Some of the HSM bridge registers
are accessible for the host system, namely the communication registers (Section 9.3.1).
The bridge module allows control of the clock frequency for the HSM independent of the host system
(Section 9.2.3) and provides a means to recognize and handle specific system errors like bus faults, access
violations and ECC errors, see Section 9.2.4.
For debugging purposes the HSM internal resources can be made visible to a debugging module in the host
system through a memory window, see Section 9.2.5. Both debugging of the host system and debugging of
the HSM has to be authenticated by the HSM.
The bridge module maps up to 32 external interrupts to one interrupt node of the NVIC, see Section 9.2.6.
After system reset the local RAM and cache can be tested by the host system. After testing, this mode is
irreversibly locked and is not available during normal operation, see Section 9.2.7.
Figure 9-1 on the next page gives an illustration of the bridge module architecture. Special function registers
are colored in green, memory windows in light blue. Units that are accessible for the HSM only are colored
yellow, the units accessible by the host only grey and units that both sides can access in orange.

Target Specification 217 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Bridge Module Confidential

Host side HSM side

Clk-Div
SPB clock HSM Clock
CLKCTRL

Ext. Int.
External interrupts EXTIE External peripheral interrupt
EXTIF

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

Sens.+Reset
System reset
SENSSYSRST
App. reset
SENSAPPRST
Sensor inputs SENSIE Sensor interrupt
SENSIF

RSTPWD
RSTCTRL

Comm. Unit
HT2HSMF
HT2HSMIE Communication Interrupt
HT2HSMS

Interrupt0 HSM 2HTF Error Unit memory errors

HSM2HTIE ERRADDR
Interrupt1 HSM2HTIS ERRIE
HSM2HTS ERRCTRL Error interrupt
HSM _ID

Bus error
AHB lite
Firewall AHB lite
slave

FPI Bus Single Access

SPB
Interface SAHMEM
System
PINCTRL
SAHBASE DBGCTRL
AXI Bus
AXI
slave
Chip pin control
Host Debug enable
HSM Debug enable

Debug

DBGMEM Debug Access

CPU debug
master
HSMOTGB
DBGBASE

Reset
HSMCTRL
Reset
HSM Bridge

HSM accessible SFR

HSM and host accessible Memory window
Host accessible Bridge_arch.vsd

Figure 9-1 HSM bridge overview

Target Specification 218 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Bridge Module Confidential

Number Source
8 SPB (fast) over-clocking detection configured with SCU_CCUCONSM
9 SPB over- and under-clocking detection configured with SCU_CCUCON4

Additionally the HSM allows triggering of application and system reset by software: first the correct password
has to be written to register RSTPWD (prevents unintentional changes of RSTCTRL). After that RSTCTRL can

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

be written. for details see Section 9.3.7.
The source of a chip reset is stored in the SCU register SCU_RSTSTAT:
• if bit 26 is set the last reset was a system reset triggered by the HSM.
• if bit 27 is set the last reset was an application reset triggered by the HSM.

Note: Trigger of application and system reset by the HSM (either via a sensor or by software) can be disabled by
host configuration, see [10].

Target Specification 225 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Bridge Module Confidential

9.3 Bridge Registers

Table 9-3 Register Address Space

Module Base Address End Address Note
Bridge F004 0000H F005 FFFFH

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

Table 9-4 Register Overview
Register Short Name Register Long Name Offset Address Reset Value
Bridge Registers, Communication Unit
HSM_ID Module Identifier Register 008H 00BE C002H
HT2HSMF Host to HSM Flag Register 020H 0000 0000H
HT2HSMIE Host to HSM Interrupt Enable 024H 0000 0000H
HSM2HTF HSM to Host Flag Register 028H 0000 0000H
HSM2HTIE HSM to Host Interrupt Enable 02CH 0000 0000H
HSM2HTIS HSM to Host Interrupt Select 030H 0000 0000H
HSM2HTS HSM to Host Status 034H 0000 0000H
HT2HSMS Host to HSM Status 038H 0000 0000H
Bridge Registers, Clock Divider
CLKCTRL Clock Control Register 040H 0000 0000H
Bridge Registers, System Control
DBGCTRL Debug Control Register 060H 0000 0XXXH
PINCTRL Pin Control Register 064H 0000 0000H
Bridge Registers, Error Unit
ERRCTRL Error Control Register 080H 0000 0000H
ERRIE Error Interrupt Enable Register 084H 0000 0000H
ERRADDR Error Address Register 088H 0000 0000H
Bridge Registers, External Interrupts
EXTIF External Interrupt Flag Register 0A0H 0000 0000H
EXTIE External Interrupt Enable 0A4H 0000 0000H
Bridge Registers, Single Access to Host Memories
SAHBASE Single Access to Host Base Address Register 0C0H F000 0000H
SAHMEM Single Access to Host Memory Window 10000H to 1FFFFH UndefinedH
Bridge Registers, Sensor Interrupts and Reset
RSTCTRL Reset Control Register 0E0H 0000 0000H
RSTPWD Reset Password Register 0E4H 0000 0000H
SENSIF Sensor Interrupt Flag Register 0F0H 0000 0000H
SENSIE Sensor Interrupt Enable Register 0F4H 0000 0000H

Target Specification 226 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Bridge Module Confidential

Table 9-4 Register Overview (cont’d)

Register Short Name Register Long Name Offset Address Reset Value
SENSAPPRST Sensor Application Reset Enable Register 0F8H 0000 0000H
SENSSYSRST Sensor System Reset Enable Register 0FCH 0000 0000H

The registers are addressed wordwise.

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

Table 9-5 Register Access Types
Type Symbol Description
no access - Register is not accessible, an exception is triggered.
write only w Register is write-only, the register reads as ‘0’.
read only ro Register is read-only, a write access is ignored
read/write rw Register is read and writable
read/reset rr Register is readable. Writing ‘1’ to register bits reset them, writing
‘0’ do not modify the corresponding bits.
read/set rs Register is readable. Writing ‘1’ to register bits sets them, writing
‘0’ do not modify the corresponding bits
read/lockable rl Register is readable. Register is also writable after reset until it is
locked. After locking register is read only until reset if not
otherwise noted.

Parts of the bridge registers can be accessed from both the HSM and the host. For this reason there are two
independent access types for each register. The first symbol in the registers type description defines the HSM
access rights, the second the host access rights. Access to unused addresses results in a bus error.
Registers and debug memory window can only be accessed 32-bit wise and 32-bit aligned from both sides.
Using 8-bit, 16-bit or un-aligned accesses lead to a bus error.

Target Specification 227 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Bridge Module Confidential

9.3.1 Communication Unit

The following registers are accessible from both host and HSM system. The first symbol in the registers type
description defines the HSM access rights, the second the host access rights.
Besides the Module Identifier Register the registers in this section are used to synchronize the communication
between HSM and host system.

HSM_ID

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

The HSM Module Identifier register contains an identification number and revision number not only for the
bridge, but for the whole HSM. Its main purpose is for identification in the host system, nevertheless it is also
readable from the HSM.

HSM_ID Offset Reset Value

Module Identifier Register 008H 00BE C002H

31 16 15 8 7 0

MOD_NUMBER MOD_TYPE MOD_REV

ro/ro ro/ro ro/ro

Field Bits Type Description

MOD_NUMBER 31:16 ro/ro Module Number Value
This bit field defines a module identification number. The value for
the HSM module is 00BEH.
MOD_TYPE 15:8 ro/ro Module Type
The bit field is set to C0H which defines the module as a 32-bit module.
MOD_REV 7:0 ro/ro Module Revision Number
This bit field defines the module revision number.

Target Specification 228 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Bridge Module Confidential

HT2HSMF
This register holds flags allowing the host to request an interrupt for the HSM.

HT2HSMF Offset Reset Value

Host to HSM Flag Register 020H 0000 0000H

31 0

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

HT2HSMS

ro/rw

Field Bits Type Description

HT2HSMS 31:0 ro/rw Host to HSM Status
32 bits of information to signal the host software status to the HSM .

Target Specification 235 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Bridge Module Confidential

9.3.2 Clock Divider

The register in this section is accessible by the HSM only. Access by the host results in a bus error. Access types
are valid for HSM access.

CLKCTRL
This register contains only one bitfield to control the clock frequency of the HSM subsystem.

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

CLKCTRL Offset Reset Value
Clock Control Register 040H 0000 0000H

31 2 1 0
CLKD
Res IV

rw/-

Field Bits Type Description

CLKDIV 1:0 rw/- Clock Divider
Controls the clock divider for the HSM subsystem
00B DIV1, HSM runs with maximum possible clock frequency.
01B DIV2, HSM runs with half of the maximum possible clock
frequency.
10B DIV4, HSM runs with a quarter of the maximum possible clock
frequency.
11B RFU, Reserved for other clock division factors. HSM runs with
maximum possible clock frequency.

Note: In case a data transfer between the HSM and the host is ongoing while the setting of the clock divider is
being changed, the change of the clock frequency becomes effective only after the data transfer has been
finished.

Target Specification 236 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Bridge Module Confidential

9.3.3 System Control

This section collects registers to control host resources like pins and debug access.
The registers in this section are accessible by the HSM only. Access by the host results in a bus error. Access
types are valid for HSM access.

DBGCTRL
This register controls the debug and trace accesses for both the host system and the HSM (including debug

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

memory window). For security reasons the debug access bits are encoded redundantly.

DBGCTRL Offset Reset Value

Debug Control Register 060H 0000 0XXXH

31 11 10 9 8 7 6 5 4 3 2 1 0
TR
Res D* TREN Res HOST Res HSM

rw/- rw/- rw/- rw/-

Field Bits Type Description

TRDATA 10 rw/- Type of trace information
This information is only valid if tracing is enabled via TREN.
0B TRADDR, Trace addresses only.
1B TRDATA, Trace addresses and data.
TREN 9:8 rw/- Enables host side tracing of HSM accesses on SPB bus
00B TRACEDIS0, Tracing disabled.
01B TRACEDIS1, Tracing disabled.
10B TRACEDIS2, Tracing disabled.
11B TRACEEN, Tracing enabled.
HOST 5:4 rw/- Debug control for host system

Note: To enable host debugging, these bits must be set as described

below and, in addition, the debug lock bit must be cleared, as
explained in the Cerberus module description. See [10].

00B HTDDIS0, Host debug disabled.

01B HTDDIS1, Host debug disabled.
10B HTDDIS2, Host debug disabled.
11B HTDEN, Host debug enabled.
HSM 1:0 rw/- Debug control for HSM subsystem and debug memory window
00B HSMDDIS0, HSM debug disabled.
01B HSMDDIS1, HSM debug disabled.
10B HSMDDIS2, HSM debug disabled.
11B HSMDEN, HSM debug enabled.

Target Specification 237 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Bridge Module Confidential

PINCTRL
This register allows direct control of output pins of the chip. To read the level of the pins the corresponding
registers in the host system have to be accessed. The register is writable after reset until it is locked by setting
PINCTRL.LOCK.

PINCTRL Offset Reset Value

Pin Control Register 064H 0000 0000H

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

31 30 16

LOCK Res

rl/-
15 4 3 2 1 0

Res OEN1 VAL1 OEN0 VAL0

rl/- rl/- rl/- rl/-

Field Bits Type Description

LOCK 31 rl/- Pin control register lock
0B UNLOCKED, PINCTRL is not locked. all register bits can be written.
1B LOCKED, Register is readonly until next reset. A write access will be
ignored.
OEN1 3 rl/- Pin 1 output enable
0B P1DIS, Pin 1 output of HSM disabled, pin has normal functionality.
1B P1EN, Pin 1 output of HSM enabled, the value of VAL1 is driven.
VAL1 2 rl/- Pin 1 output value
The value is only driven if OEN1 is set.
0B P1L, low level.
1B P1H, high level.
OEN0 1 rl/- Pin 0 output enable
0B P0DIS, Pin 0 output of HSM disabled, pin has normal functionality.
1B P0EN, Pin 0 output of HSM enabled, the value of VAL0 is driven.
VAL0 0 rl/- Pin 0 output value
The value is only driven if OEN0 is set.
0B P0L, low level.
1B P0H, high level.

Note: The bits VAL0 and OEN0 control port pin HSM1, VAL1 and OEN1 control port pin HSM2. Direct control of
these pins by the HSM can be disabled by host configuration.

Target Specification 238 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Bridge Module Confidential

9.3.4 Error Unit

The registers in this section are accessible by the HSM only. Access by the host results in a bus error. Access
types are valid for HSM access.

ERRCTRL
Control register for error handling. The flags are set by error conditions and have to be reset by software by
writing a ‘1’ to the corresponding bit. The register also holds the external debugger state and allows switching

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

off the ROM after leaving the boot software. The ROM switch bits can only be cleared. For reasons of
robustness the ROM switch bits are encoded redundantly.

Note: The HSM startup software must clear the error bits before use as they may be set during initialization of
the memories.

ERRCTRL Offset Reset Value

Error Control Register 080H 0000 0000H

2016-03-04
AURIX™ TC3xx Hardware Security Module

ERRADDR
Holds the address of the last bus error. In case of any ECC error ERRADDR is not updated. ERRADDR saves no
history, i.e. in case of multiple errors the address of the last error is shown. Address information about
previous errors is lost.

ERRADDR Offset Reset Value

Error Address Register 088H 0000 0000H

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

31 0

ADDR

ro/-

Field Bits Type Description

ADDR 31:0 ro/- Error Address
Holds the address of the last bus error.

Note: If two bus errors occur nearly at the same time (e.g. due to simultaneous cache (AXI) and register (AHB)
accesses to the host system) and the clock divider (CLKCTRL.CLKDIV) is set to a value larger than 1 , it
could happen that ERRADDR does not show the last error but the previous error address.

Target Specification 244 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Bridge Module Confidential

9.3.5 External Interrupts

The registers in this section are accessible by the HSM only. Access by the host results in a bus error. Access
types are valid for HSM access.

EXTIF
This register holds the interrupt request flags of the external interrupt sources. An interrupt request to the
NVIC is only triggered if the corresponding interrupt enable bit is set.

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

EXTIF Offset Reset Value
External Interrupt Flag Register 0A0H 0000 0000H

31 0

EXTIF

rr/-

Field Bits Type Description

EXTIF 31:0 rr/- External Flags
Each flag can be individually set by the external interrupt signal to
generate an interrupt request if the corresponding interrupt enable
flag is set. The HSM can reset the flags individually. If a simultaneous
set and reset occurs, the value of the flag is ‘1’

Target Specification 245 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Bridge Module Confidential

EXTIE
This register controls enabling of the HSM external peripheral interrupt for each flag of EXTIF.

EXTIE Offset Reset Value

External Interrupt Enable 0A4H 0000 0000H

31 0

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

EXTIE

rw/-

Field Bits Type Description

EXTIE 31:0 rw/- External Interrupt Enable
Each set bit enables the interrupt for the corresponding flags in
register EXTIF. If cleared bit disables the interrupt.

Target Specification 246 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Bridge Module Confidential

9.3.6 Single Access to Host Memories

SAHBASE is accessible by the HSM only. Access by the host results in a bus error. Access types are valid for HSM
access.

SAHBASE
This register controls the base address of the single access to host memory window.
The single access to host memory window can be switched off by setting the upper 4 bits of SAHBASE, i.e. by

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

writing Fxxx xxxxH

SAHBASE Offset Reset Value

Single Access to Host Base Address Register 0C0H F000 0000H

31 16 15 0

BASE Res

rw/-

Field Bits Type Description

BASE 31:16 rw/- Base Address.
Base address for single access to host memory window. The effective
address of a single access to the host address space is
SAHBASE.BASE+offset of access address to base of the memory
window.
FxxxH SAHOFF, Single access to host memory window is switched off.

Target Specification 247 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Bridge Module Confidential

SAHMEM
This is the memory window for single access to the host address space from the HSM. The window is only
available if it is enabled in register SAHBASE.
Access types in the register descriptions are valid for HSM access. It is not visible to the host.

SAHMEM Offset Reset Value

Single Access to Host Memory Window 10000H to 1FFFFH UndefinedH

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

31 0

DATA

rw/-

Field Bits Type Description

DATA 31:0 rw/- Data for single access to host address space.
Byte, halfword and word access are possible (if supported by the target
in the host system).

Target Specification 248 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Bridge Module Confidential

9.3.7 Sensor Interrupts and Reset

This section covers the registers to control sensor interrupts, trigger of application and system reset, and
trigger sources for the temperature sensor .
The registers in this section are accessible by the HSM only. Access by the host results in a bus error. Access
types are valid for HSM access.

RSTCTRL

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

Allows to trigger either a system or application reset for the chip by the HSM software. This register is write-
protected unless RSTPWD holds the correct password value. Otherwise it is readonly and a write access is
ignored.

RSTCTRL Offset Reset Value

Reset Control Register 0E0H 0000 0000H

31 2 1 0
SY AP
Res S* P*

rw/-rw/-

Field Bits Type Description

SYSRST 1 rw/- System reset
If set by software a system reset is triggered.
APPRST 0 rw/- Application reset
If set by software an application reset is triggered.

Note: If both bits are set simultaneously a system reset is triggered.

Target Specification 249 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Bridge Module Confidential

RSTPWD
Password register to allow write access to RSTCTRL.

RSTPWD Offset Reset Value

Reset Password Register 0E4H 0000 0000H

31 0

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

PASSWD

w/-

Field Bits Type Description

PASSWD 31:0 w/- Password value for RSTCTRL.
If RSTPWD contains the constant 55AA 00FFH, RSTCTRL is writable.
Reading this field always returns 0000 0000H.

Target Specification 250 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Bridge Module Confidential

SENSIF
Interrupt flags of the sensor signals. Can be used to trigger either an interrupt, application or system reset. For
the mapping of sensor signals, see Table 9-2.

SENSIF Offset Reset Value

Sensor Interrupt Flag Register 0F0H 0000 0000H

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

Res SREN

rw/-

Field Bits Type Description

SREN 9:0 rw/- System Reset Enable.
Each set bit enables triggering of an system reset for the
corresponding flags in register SENSIF. If cleared no system reset is
triggered by the corresponding sensor source.

Target Specification 254 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Bridge Module Confidential

9.4 Bridge Registers (Host side access only)

Table 9-6 Register Address Space

Module Base Address End Address Note
Bridge_EXT F004 0000H F005 FFFFH

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

Table 9-7 Register Overview
Register Short Name Register Long Name Offset Address Reset Value
Bridge Registers (Host side access only), HSM Reset
HSMCTRL HSM Control Register 1000H 0000 0003H
Bridge Registers (Host side access only), Debug Registers
DBGBASE Debug Base Address Register 1010H 0000 0000H
HSMOTGB OCDS Suspend and Trigger Bus Control 1020H 0000 0000H
DBGMEM Debug Memory Window 10000H to 1FFFFH UndefinedH

The registers are addressed wordwise.

Table 9-8 Register Access Types

Type Symbol Description
no access - Register is not accessible, an exception is triggered.
write only w Register is write-only, the register reads as ‘0’.
read only ro Register is read-only, a write access is ignored
read/write rw Register is read and writable
read/reset rr Register is readable. Writing ‘1’ to register bits reset them, writing
‘0’ do not modify the corresponding bits.
read/set rs Register is readable. Writing ‘1’ to register bits sets them, writing
‘0’ do not modify the corresponding bits
read/lockable rl Register is readable. Register is also writable after reset until it is
locked. After locking register is read only until reset if not
otherwise noted.

Target Specification 255 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Bridge Module Confidential

9.4.1 HSM Reset

The register in this section is accessible by the host only. Access by the HSM results in a bus error. Access types
are valid for host access.

HSMCTRL
This register controls the reset of the HSM subsystem. The HSM must only be started when MBIST mode is not
active.

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

HSMCTRL Offset Reset Value
HSM Control Register 1000H 0000 0003H

31 2 1 0
EOMB
Res T

-/rs

Field Bits Type Description

EOMBT 1:0 -/rs End of Memory BIST test.
For security reasons this functionality is encoded redundantly.
00B MON, MBIST mode activated.
01B MOFF1, MBIST mode deactivated. See below.
10B MOFF2, MBIST mode deactivated. See below.
11B MOFF3, MBIST mode deactivated. Start of HSM subsystem.
Cannot be reset by software

Target Specification 256 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Bridge Module Confidential

9.4.2 Debug Registers

This section describes the interface for debugging. This address region is available in the host system only and
only if HSM debugging is enabled (DBGCTRL.HSM set).
If HSM debugging is disabled access by the host results in a bus error. Access to the registers by the HSM results
in a bus error. Access types in the register descriptions are valid for host access.

DBGBASE

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

This register controls the base address of the debug memory window.

DBGBASE Offset Reset Value

Debug Base Address Register 1010H 0000 0000H

31 16 15 0

BASE Res

-/rw

Field Bits Type Description

BASE 31:16 -/rw Base Address.
Base address for debug memory window. The effective address of a
debug access is DBGBASE.BASE+offset of access address to base of
the memory window.

Target Specification 257 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Bridge Module Confidential

HSMOTGB
The HSMOTGB control register is cleared by the application reset.

HSMOTGB Offset Reset Value

OCDS Suspend and Trigger Bus Control 1020H 0000 0000H

31 4 3 2 1 0

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

TG TG
Res _P B TGS

-/w -/rw -/rw

Field Bits Type Description

TG_P 3 -/w TGS, TGB Write Protection
TGS and TGB are only overwritten if TG_P is set at the same access,
otherwise unchanged. Reads as 0.
0B NC, No change.
1B WE, Write enable for the current access.
TGB 2 -/rw OTGB0/1 Bus Select
0B BUS0, Trigger Set is output on OTGB0.
1B BUS1, Trigger Set is output on OTGB1.
TGS 1:0 -/rw Trigger Set for OTGB0/1
This module supports only one Trigger Set. The following values are
defined:
00B NOTS, No Trigger Set output.
01B TS1, Trigger Set 1.
10B TS2, No Trigger Set output.
11B TS3, Trigger Set 1.

Target Specification 258 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Bridge Module Confidential

DBGMEM
This is the memory window for debug access from the host to the HSM. The window is only available if HSM
debug is enabled.
Access types in the register descriptions are valid for host access. It is not visible to the HSM.

DBGMEM Offset Reset Value

Debug Memory Window 10000H to 1FFFFH UndefinedH

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

31 0

DATA

-/rw

Field Bits Type Description

DATA 31:0 -/rw Data for debug access.
Only word access to word-aligned addresses are supported.

Target Specification 259 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Memories Confidential

10 Memories
The HSM utilizes three types of physical memories:
• ROM.
• RAM.
• Shared Flash (please refer to the AURIX™ Target Specification [10]).

10.1 ROM

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

The Hardware Security Module contains a Boot ROM for the CPU and a µ-code ROM for the PKC engine.

10.1.1 Boot ROM

The Boot ROM contains code and read-only data that is necessary for the start up of the HSM subsystem after
reset. The ROM can be switched off when the boot software is finished via DBGCTRL. This enhances the
security protection and reduces the power consumption.
The ROM data is protected with a single bit error correction, double bit error detection code. ECC errors in ROM
are signaled to the Bridge module.
The size of the boot ROM is 4 KB.
The ROM is tested by a checksum.

10.1.2 PKC µ-Code ROM

The µ-Code ROM of the PKC module contains µ-code for the PKC engine. The code is not accessible by the CPU.
The µ-Code ROM data is protected with a single bit error correction, double bit error detection code. ECC
errors in ROM are signaled to the Bridge module.
The size of the µ-Code ROM is 1 K x 18 bits (excluding ECC).

10.2 RAM
The Hardware Security Module contains a local RAM for the CPU and two RAM modules for the PKC engine.

10.2.1 Local RAM

The RAM data is protected with a single bit error correction, double bit error detection code. ECC errors in RAM
are signaled to the Bridge module.
The size of the local RAM (excluding ECC) is 96 KB.
The RAM is tested via MBIST.
The contents of the local RAM is not preserved over all types of reset:
• it is completely cleared in case of a cold “power-on reset”. This is done by the MBISTs triggered by the
startup software running on the host before the HSM is released. See also [10].
• in case of a system reset or a warm “power-on” reset the contents of the local RAM can be preserved. This
depends on the settings for the boot process.
• Parts of the local RAM are cleared for any reset type by the HSM startup software, for details see
Section 11.2.3.2.

Target Specification 260 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Memories Confidential

10.2.2 PKC RAMs

The PKC module uses two RAM modules, a Shared Crypto Memory (SCM) which can be accessed by the CPU
and by the PKC engine, and a Tightly Coupled Memory (TCM) which is used for data processing during
operation of commands. The TCM is not accessible by the CPU.
Both RAMs use a single bit error correction, double bit error detection code. ECC errors are signaled to the
Bridge module.
The size of the SCM is 1 KB (excluding ECC) logically organized as 256 x 32 bits.

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

The size of the TCM is 1 KB (excluding ECC) logically organized as 256 x 32 bits.
The RAMs are tested via MBIST.

Target Specification 261 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Firmware Architecture Confidential

11 Firmware Architecture
This chapter describes the HSM low-level firmware architecture:
• HSM Firmware Overview
• Boot System
• Information Exchange between the Host and BOS

11.1 HSM Firmware Overview

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

A boot system (BOS) is provided for HSM. All mandatory BOS functions for internal testing, production usage
and startup behavior are stored in the boot ROM of the HSM. No patch functionality is available for this code.
The BOS is the only HSM software component provided by Infineon.
Certain configuration information, such as module-specific configurations, security keys for AES, etc. is stored
in the HSM Config Area that is located in an HSM-exclusive 1 KB sector of the Flash memory. This configuration
information is encrypted with a mask-individual key stored in the BOS-ROM. Additionally, the configuration
data is protected by a cryptographic checksum. For further details refer to Figure 11-1.

HSM Boot ROM / BOS Other HSM

Components

Flash Driver RAM Driver

HSM System

Read/Write Read/Write

Host System

Host Flash Host RAM Other

Components
HSM Code

HSM Config Area

HSM Data

Figure 11-1 HSM-embedded software overview

Target Specification 262 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Firmware Architecture Confidential

11.2 Boot System

This chapter describes the boot system of the HSM.

11.2.1 Introduction
The secure boot system (BOS) has to fulfill a number of tasks on the HSM, as listed below:
• Full hardware access of HSM to the HSM Config Area for testing and configuration during chip production
• Life cycle management after reset

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

• Lock of debug functionality (if enabled)
• Update of security settings (e.g. AES keys, ...)
• Consistency check for used BOS configuration data
• Initialization of SFRs for certain HSM modules during startup
• Evaluation of host RAM and execution of the appropriate Testmode command, if available and requested
• Configuration and start of TRNG
• Fill local RAM regions used by the BOS during startup with logical 00H before entering Usermode1)
Following additional tasks are performed for security reasons:
• All security-critical information (e.g. in cache, register file, ...) used during BOS startup is invalidated before
entering user code.
• Security critical bits are re-checked after change (e.g. BOS bits, locking of HSM Config Area)
• Secure coding measures are implemented for flow and data control.
• Stack overflow protection via MPU
• The following 2 lock mechanisms are provided for the HSM Config Area:
– read lock: always enabled during Usermode startup at an early point
– write lock: enabled after finally programming the HSM Config Area which also blocks the Testmode!
For each kind of HSM reset, the HSM hardware performs the following steps in order to properly start the BOS:
• reset all registers (according to the applicable cold or warm reset condition)
• read the BOS vector table located in the BOS-ROM at offset 0. Based on that information, the HSM
hardware initializes the stack pointer and jumps to the reset vector location.
Thus the BOS is executed first after every HSM reset. Therefore the BOS is responsible for a correct startup
sequence of the HSM. First a basic Boot Initialization is performed. If the content of HT2HSMS is valid, the
BOS reads HT2HSMS.REQ_MODE (refer to Chapter 11.3 for details) in order to distinguish between following
two different startup modes:
• Testmode and
• Usermode
If the content of HT2HSMS is not valid, the BOS always jumps to the Usermode path. If the Testmode is
requested but blocked via UCB (because of enabled write lock for the HSM Config Area) an error is issued after
locking the HSM-Config Area and the Sleep Mode is entered. Figure 11-2 provides a rough overview of this
flow.

1) Only in cases of a power-on reset the whole local RAM is filled with 00H during the MBIST before the BOS starts running.

Target Specification 263 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Firmware Architecture Confidential

Reset

Boot Initialization

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

HT2HSMS no
content valid?

yes

Read
HT2HSMS.REQ_MODE

yes no
Testmode requested?

no
Testmode allowed? Lock HSM-Config Area

yes
Update HSM2HTS
STATUS_CODE = FF03H
ACT_MODE = 11B

Testmode Path Sleep Usermode Path

Figure 11-2 BOS startup overview

11.2.2 Boot Initialization

During boot initialization (see Figure 11-3) the basic preparation is done by the BOS which is needed for both
the Testmode and Usermode paths. First the interrupt and exception handling is configured according to
Table 11-1. Then the BOS checks the correctness of the cryptographic checksum of the HSM Config Area. To
this end, a 16-byte hash value is calculated using the AES module for the used encrypted HSM configuration
data, starting from the offset address 010H. The AES is used in CBC mode where the key and the initial vector
are taken from the BOS-ROM.
If the HSM Config Area hash value is invalid, the TRNG is started with the hardware reset values and the
appropriate status code is set in HSM2HTS register. Before exiting the boot initialization in this case the debug
locking is configured.
If the HSM Config Area is valid, all used data bytes are decrypted with the AES module in ECB mode with the
mask-individual key stored in the BOS-ROM. Then the TRNG configuration is loaded and the TRNG is started.

Target Specification 264 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Firmware Architecture Confidential

Afterwards the first two AES keys (AesKey0 and AesKey1) are copied from the plain HSM Config Area into the
AES hardware module and the AES is locked. The implementation shall be in a way that the AES keys do not
have to be stored in local RAM temporarily. Then the HSM Config Area is locked against further read accesses.
Before exiting boot initialization in this case, debug locking is also configured. In this regard, the BOS
evaluates bits HSMDBGDIS and DBGIFLCK of register DMU_SP_PROCONHSM and respectively updates the
HSM and HOST bits in the debug control register DBGCTRL.

Table 11-1 Configuration of Interrupts and Exception Handling

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

Exception Type Pos. Interrupt Handler
- 0 -
Reset 1 - BOS reset vector
Non-maskable interrupt 2 - Generic Exception Handler
Hard Fault 3 - Generic Exception Handler
Memory Management 4 - Generic Exception Handler
Bus Fault 5 - Special Exception Handler
Usage Fault 6 - Generic Exception Handler
- 7-10 - Generic Exception Handler
SVCall 11 disabled Generic Exception Handler
Debug Monitor 12 disabled Generic Exception Handler
- 13 - Generic Exception Handler
PendSV 14 disabled Generic Exception Handler
SysTick 15 disabled Generic Exception Handler
Timer 0 16 disabled Generic Exception Handler
Timer 1 17 disabled Generic Exception Handler
TRNG 18 disabled Generic Exception Handler
Bridge Service 19 disabled Generic Exception Handler
Bridge Error 20 enabled see details below for position 20
Bridge Error (ECCPKCROM) 20 ECCPKCROMIE = 10B Special Exception Handler
Bridge Error (ADPKCSCM) 20 ADPKCSCMIE = 1B Special Exception Handler
Bridge Error (ECCPKCSCM) 20 ECCPKCSCMIE = 10B Special Exception Handler
Bridge Error (ADPKCTCM) 20 ADPKCTCMIE = 1B Special Exception Handler
Bridge Error (ECCPKCTCM) 20 ECCPKCTCMIE = 10B Special Exception Handler
Bridge Error (ADCT) 20 ADCTIE = 1B Special Exception Handler
Bridge Error (ECCCT) 20 ECCCTIE = 10B Special Exception Handler
Bridge Error (ADCD) 20 ADCDIE = 1B Special Exception Handler
Bridge Error (ECCCD) 20 ECCCDIE = 10B Special Exception Handler
Bridge Error (ADRAM) 20 ADRAMIE = 1B Special Exception Handler
Bridge Error (ECCRAM) 20 ECCRAMIE = 10B Special Exception Handler
Bridge Error (ECCROM) 20 ECCROMIE = 10B Special Exception Handler

Target Specification 265 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Firmware Architecture Confidential

Table 11-1 Configuration of Interrupts and Exception Handling (cont’d)

Exception Type Pos. Interrupt Handler
Bridge Error (BERR) 20 BERRIE = 1B Special Exception Handler
Sensor Interrupt 21 disabled Generic Exception Handler
External Interrupt 22 disabled Generic Exception Handler
- 23 - Generic Exception Handler

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

PKC Ready Interrupt 24 disabled Generic Exception Handler
PKC Error Interrupt 25 disabled Generic Exception Handler

Generic Exception Handler:

• This exception handler shall lock the read access to the HSM Config Area and indicate to the host system
the following information via the register HSM2HTS (for details refer to Table 11-4)
– proper 16-bit status information in STATUS_CODE in following format EExxH, where xx defines the
interrupt that occurred
– set ACT_MODE to 11B and enter Sleep Mode
Special Exception Handler:
The behavior of this exception handler depends on the “CHECK_OS_VEC_TABLE” marker, which is to be set by
the BOS only during evaluation of the valid user boot segment.
If this marker is set and the cause of the exception is a bus error, then:
• ignore interrupt and clear interrupt request
• return from interrupt
If this marker is NOT set:
• lock the read access to the HSM Config Area and indicate to the host system the following information via
the register HSM2HTS1) (for details refer to Table 11-4):
– proper 16-bit status information in STATUS_CODE. In the case of a bus fault EF00H is used; in the case
of a bridge error the following format is used: 100xxxxx xxxxxxxxB, where the last 13 bits indicate the
error case taken from register ERRCTRL.
– set ACT_MODE to 11B and enter Sleep Mode

1) Interrupts are configured in a way that they only enter the service function in case that more than a 1-bit error occurred for ECCCT,
ECCCD, ECCRAM, ECCROM or ADCT, ADCD, ADRAM.

Target Specification 266 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Firmware Architecture Confidential

Boot Initialization

Configure Interrupt and Exception

Handling

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

Calculate Hash of
HSM-Config Area

no
Hash Valid?

yes

Decrypt HSM-Config Area Start TRNG

Configure & Start TRNG Update HSM2HTS

STATUS_CODE = FFFFH

Load AES Keys 0,1 into

AES module & Lock AES

Lock HSM-Config Area

Destroy Critical Keys in AES

Configure Debug Locks

Return

Figure 11-3 Boot initialization

Target Specification 267 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Firmware Architecture Confidential

11.2.3 User Mode

If the Usermode path is selected, the BOS first checks the correctness of the cryptographic checksum of the
HSM Config Area by evaluating the status code in HSM2HTS. If the hash value is wrong, the BOS locks read
access to the HSM Config Area (for security reasons) and stops execution after updating HSM2HTS, otherwise
the Usermode path is continued to be followed. In this case the BOS checks whether the two AES keys are
properly locked in the AES module. All security-relevant data in local RAM is overwritten at this point.
Afterwards the BOS looks for the proper User code segment in order to determine the stack pointer value, the

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

reset vector and the VTOR address. For details about the mechanism, please refer to Chapter 11.2.3.1. If no
valid User-Code is found, the BOS ends up in an error, else the BOS sets the Usermode active flag in HSM2HTS
to signal to the host firmware that the BOS is prepared for entering Usermode. For synchronization with the
host the BOS waits until HT2HSMS.OS_ENTRY_ALLOWED is set.
Then the BOS checks whether the “HALT After Reset” (HAR) feature is requested by checking if
HT2HSMS.HAR_ENABLE (refer to Chapter 11.3 for details) is set. Additionally the HSM debug mode has to be
activated for HAR mode. If these conditions are fulfilled, the BOS configures via debug registers that a BREAK
is triggered by hardware when executing the first User-OS instruction (boot vector). If HSM debug mode is not
enabled, the HAR request will be ignored. For further details also refer to Chapter 12.3.4. Then the RAM
content used by the BOS during startup is filled with a logical 00H pattern for security reasons in order to avoid
that it can be read by the User-OS later. Afterwards bridge interrupts are disabled, the User-OS stack pointer
is loaded and the vector table offset address (VTOR) is set in order to point to the valid User-OS vector table,
followed by the transition to the User-OS which is prepared in the cache and executed from there. This also
includes disabling of the HSM ROM via ERRCTRL.ROMON.
In the case of an error during BOS startup, the detailed error information is updated in the register HSM2HTS
(refer to Chapter 11.3 for details) and the HSM is set to sleep mode. In case of no error HSM2HTS is cleared
before entering the user code.
The basic initialization steps performed by the BOS are also illustrated in Figure 11-4 and Figure 11-6.

Target Specification 268 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Firmware Architecture Confidential

Usermode

HSM-Config no
Lock HSM-Config Area
Hash Valid?

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

yes
Update HSM2HTS
Sleep
ACT_MODE = 11B

no
AES Keys locked ?

yes

Clear BOS Bits & Update HSM2HTS

Destroy Confidential Data STATUS_CODE = F003H Sleep
ACT_MODE = 11B

Check & Setup User Code

no Update HSM2HTS
User-Code Valid? STATUS_CODE = F002H Sleep
ACT_MODE = 11B

yes

Update HSM2HTS
ACT_MODE = 01B

yes

HT2HSMS.OS_ no
ENTRY_ALLOWED?

yes

Usermode (Part 2)

Figure 11-4 BOS Usermode flow (part 1)

Target Specification 269 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Firmware Architecture Confidential

Usermode (Part 2)

yes

HT2HSMS. no
HAR_ENABLE?

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

yes

Configure
„HALT After Reset“

Clear Used RAM

Clear Cache

Set User-OS Stack Pointer

Disable Bridge Interrupt

Setup VTOR

HSM2HTS = 00000000H

This code has to be

Disable ROM executed from cache!

Jump to User-OS
Reset Vector

Figure 11-5 BOS Usermode flow (part 2)

Target Specification 270 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Firmware Architecture Confidential

11.2.3.1 User-OS Code Check

The user code is located in the lower 640 KB of the Program Flash 0 (see memory map, Table 2-1). It consists
of 40 sectors of 16 KB each. As protection against resets during e.g. HSM software updates, the BOS has
implemented a 4-step approach to select the valid User-OS boot segment. The host register
DMU_SP_PROCONHSMCBS defines four bit fields BOOTSEL0 .. BOOTSEL3 which can point to any of the
potential HSM exclusive PFlash sectors. The coding for BOOTSELx is shown in Table 11-2.

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

Table 11-2 Boot Sector Selection
BOOTSELx (x = 0-3) Description Address
00H Sector HSM0X is searched 8000 0000H
01H Sector HSM1X is searched. 8000 4000H
02H Sector HSM2X is searched. 8000 8000H
: :
25H Sector HSM37X is searched. 8009 4000H
26H Sector HSM38X is searched. 8009 8000H
27H Sector HSM39X is searched. 8009 C000H

The 4-step approach to find a valid User-OS boot segment as shown in Figure 11-6 is performed as follows:
• Step 0:
Set marker “CHECK_OS_VEC_TABLE” indicating that ECC errors are allowed and need a special handling
• Step 1:
Determine address of potential boot sector based on DMU_SP_PROCONHSMCBS.BOOTSEL0 and check
whether it is a valid sector (BOOTSEL0 values larger than 27H are not allowed). If sector is not valid continue
with step 2.
Search for boot code: Read vector table at the beginning of the sector and perform the actions in following
order:
– check if ECC error occurred1). Jump to Step 2 in case of an error
– check that stack pointer points into internal RAM. Jump to Step 2 in case of an error
– check that reset vector points into a valid HSM PFlash sector (sector HSM0X to HSM39X).
Jump to Step 2 in case of an error
– Jump to Step “PASS”
• Step 2:
Determine address of potential boot sector based on DMU_SP_PROCONHSMCBS.BOOTSEL1 and check
whether it is a valid sector (BOOTSEL1 values larger than 27H are not allowed). If sector is not valid continue
with step 3.
Search for boot code: Read vector table at the beginning of the sector and perform the actions in following
order:
– perform same three checks as in Step 1. Jump to Step 3 in case of an error
– Jump to Step “PASS”

1) An ECC error in the flash that it signalled via an FPI bus error can lead to both, a bus error interrupt and a bus Fault exception!

Target Specification 271 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Firmware Architecture Confidential

• Step 3:
Determine address of potential boot sector based on DMU_SP_PROCONHSMCBS.BOOTSEL2 and check
whether it is a valid sector (BOOTSEL2 values larger than 27H are not allowed). If sector is not valid continue
with step 4.
Search for boot code: Read vector table at the beginning of the sector and perform the actions in following
order:
– perform same three checks as in Step 1. Jump to Step 4 in case of an error
– Jump to Step “PASS”

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

• Step 4:
Determine address of potential boot sector based on DMU_SP_PROCONHSMCBS.BOOTSEL3 and check
whether it is a valid sector (BOOTSEL3 values larger than 27H are not allowed). If sector is not valid exit
function with “FAIL”.
Search for boot code: Read vector table at the beginning of the sector and perform the actions in following
order:
– perform same three checks as in Step 1. Exit function with “FAIL” in case of an error
– Jump to Step “PASS”
• Step “PASS”:
A valid User-OS boot segment has been found. The BOS stores the stack pointer, the User-Code start
address as well as the vector table base address in order to be able to enter the User-OS later on. Finally
the marker “CHECK_OS_VEC_TABLE” is cleared and the function exits with a “PASS”.

Target Specification 272 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Firmware Architecture Confidential

Check & Setup User Code

Check Vector Table in Sector 1)

see Host SFR
defined by BOOTSEL01) DMU_SP_PROCONHSMCBS

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

yes
Vector Table Valid?

Check Vector Table in Sector

defined by BOOTSEL11)

yes
Vector Table Valid?

Check Vector Table in Sector

defined by BOOTSEL21)

yes
Vector Table Valid?

Check Vector Table in Sector

defined by BOOTSEL31)

yes
Vector Table Valid?

no
Save Stack Pointer , User Code Start
Address and Vector Table Base
Addr.

Return FAIL Return PASS

Figure 11-6 BOS User-OS code check

Target Specification 273 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Firmware Architecture Confidential

11.2.3.2 RAM Memory Layout in User Mode

At each HSM startup in user mode the BOS needs a certain amount of RAM for stack and variables. Therefore
the first 384 bytes of the physical local RAM are reserved for the BOS. Before entering the user-OS, the RAM
used by the BOS is filled with logical 00H for security reasons. The rest of the local RAM is not touched by the
BOS at all. For further details please refer to Figure 11-7.

Note: In User Mode the whole physical local RAM can be used by the User-OS

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

Local RAM
(not touched rest
by BOS)

Physical RAM
0180H
Can be fully reused in User-OS
Used during HSM Startup

BOS Stack 128 byte

0100H

Stack Protection Area 32 byte

00E0H

rfu 156 byte Content not modified by BOS

0044H
Content filled with 00H on each HSM startup
BOS variables 68 byte
0000H

Figure 11-7 RAM Memory Layout (User Mode)

11.2.4 Test Mode

At the beginning of its life cycle the chip including HSM will be tested after wafer production. During this test
phase all logical units and memory areas will be checked. In addition to structural tests (scan, MBIST) the HSM
offers a Testmode for functional testing and analysis.
For security reasons this mode can only be entered when the HSM-Config Area is not write protected and the
host system indicates the mode via HT2HSMS and in addition provides the correct mask-individual signature
in the host RAM after reset. This signature is a ROM mask-individual 128-bit pattern located in the BOS-ROM.
The Testmode functionality is available only if all 16 bytes match the values provided via the host RAM.
After successful verification of the signature the BOS checks the requested command by evaluating the
command identifier. Depending on the result, either the execution of a Downloadable Test (DLT) or one single
test command is requested. After execution the result is stored again in the host RAM; HSM2HTS is updated in
order to indicate to the host system that the operation has finished, and finally the HSM enters sleep mode.
The BOS uses the host RAM of CPU0 for Testmode commands as well as DLTs. The address range is 7000 0000H
to 7001 FFFFH.

Target Specification 274 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Firmware Architecture Confidential

11.3 Information Exchange between the Host and BOS

As the BOS on the one hand has to evaluate conditions like the reset type provided by the host system and, on
the other hand, has to provide the host system with certain information like the current mode and some status
information, the BOS uses the 32-bit registers HT2HSMS and HSM2HTS as communication channels between
the host system and BOS.
Table 11-3 describes the format of HT2HSMS set by the host system before booting the HSM.

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

Table 11-3 Information Exchange Format from the Host to the BOS (via HT2HSMS)
Field Bits Description
HAR_ENABLE 31:28 “Halt After Reset” (HAR) mode configuration.
Only bit combination 0101B enables HAR, in all other cases HAR is disabled
which is also the default value if CONT_VALID = 0.
HAR can only be enabled if HSM debug mode is activated, otherwise the
HAR request will be ignored.
REQ_MODE 27:24 Requested BOS mode (Testmode/Usermode) by host system
Only bit combination 0101B activates Testmode, in all other cases
Usermode is active which is also the default value if CONT_VALID = 0
RFU 23:5 Reserved for future use
Bits are not evaluated by the BOS
OS_ENTRY_ALLOWED 4 Synchronization mechanism between host and HSM to allow the host to
configure when the User-OS entry is allowed
0B , User-OS entry not allowed (default if CONT_VALID = 0)
1B , User-OS entry allowed
RFU 3:2 Reserved for future use
Bits are not evaluated by the BOS
RST_TYPE 1 Information about type of reset1) that has occurred
0B , Power-on reset (default if CONT_VALID = 0)
1B , Application reset
CONT_VALID 0 Indication as to whether the HT2HSMS register contents are valid. Only if
this bit is 1 can the other bits in this register be evaluated by the BOS.
0B , Register contents are not valid
1B , Register contents are valid
1) In the current concept there is no difference anymore between power-on or application reset from the BOS’s point of
view!

Table 11-4 describes the format of HSM2HTS set by the BOS during operation. This information can be
evaluated by the host system during and after booting and by the User-OS after booting.

Target Specification 275 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Firmware Architecture Confidential

Table 11-4 Information Exchange Format from the BOS to the Host (via HSM2HTS)
Field Bits Description
RFU 31:25 Reserved for future use
All bits must be set to 0
TM_CMD_FINISHED 24 Indication for host as to whether the BOS Testmode command execution
has finished (and the response is available in the host RAM).
0B , Command execution not finished

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

1B , Command execution finished
RFU 23:18 Reserved for future use
All bits must be set to 0
ACT_MODE 17:16 Information about active mode
00B , Boot process ongoing
01B , Usermode Entry prepared
10B , Testmode active
11B , Error occurred during BOS operation
STATUS_CODE 15:0 16-bit status code
0000H, No error occurred so far
F001H, Security attack detected
F002H, User OS reset vector or stack pointer is invalid (Usermode only)
F003H, AES key locking failed (Usermode only)
F004H, HSM Config Area locking failed (Usermode only)
F005H, CACHE CONFIG BOS bit locking failed (Usermode only)
F006H, PAU BOS bit locking failed (Usermode only)
FF01H, Testmode signature is invalid (Testmode only)
FF02H, DLT execution permission check failed (Testmode only)
FF03H, Testmode functionality blocked
FFFFH, HSM Config Area hash is invalid
C000H, Special Exception - Bus Fault
C000H | (bridgeStatus)H, Special Exception - Bridge Error
EE00H | (isrNumber)H, Generic Exception - Active ISR number

Notes regarding error handling

The error handling required in the event that any kind of sanity check fails (due to errors, attacks, ...) during
startup is a very sensitive point for the automotive market as the host system must be able to analyze the
problem and select a mechanism to recover from that state. For this reason, the BOS writes detailed error
information into the bits 15:0 of the HSM2HTS register in the case of an error and also sets
HSM2HTS.ACT_MODE to 11B. The BOS then enters the sleep mode.

Target Specification 276 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Firmware Architecture Confidential

11.4 Information Exchange between Host SSW and HSM User Code
If secure boot is enabled for the device (DMU_SP_PROCONHSMCFG.SSWWAIT is set) and no halt after reset is
requested, the SSW delays execution of host user code and waits for an acknowledge by the HSM.
SSW flow and respectively the host behavior in this start-up phase is completely handled by the HSM user
code.
Depending on whether a foreground or background secure boot is done the user code
• sets HSM2HTF.0 immediately (background secure boot). The SSW will jump to the host user code and the

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

secure boot checks are done in parallel to the host user code execution.
• performs the secure boot checks and sets HSM2HTF.0 after the checks and only in case no security
violations are detected (foreground secure boot). The host user code is delayed until the checks are
finished. In case of a detected security violation the host user code is not started at all.
In case of foreground secure boot the HSM user code can optionally write a seed value to HSM2HTS. This seed
value is used by the SSW to generate some noise in order to obscure the power profile. The noise generation
ends once HSM2HTF.0 is set.

Target Specification 277 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

System Debug Confidential

12 System Debug
This chapter covers the debug system of the HSM. The HSM debug system consists of:
• Flash Patch & Breakpoint unit (FPB) providing hardware breakpoints
• Data Watchpoint and Trace Unit (DWT) providing watch points
• ROM Table providing information about the available debug modules
The modules provide together with the core debug functionality the following debugging features:

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

• HSM memories
– read of HSM boot ROM (only before jump to NVM hasn’t been done and ROM hasn’t been switched off)
– read/write of HSM local RAM
• read/write of HSM core registers
• read/write of bridge module registers
• read/write of HSM internal (memory mapped) peripherals
• 6x (fast) hardware breakpoints
• 4x trigger serving as
– watch points
– one value compare (data breakpoint has certain value)
The debug system does not contain the units of the CortexTM M3 known as Instrumentation Trace Macrocell
(ITM), Embedded Trace MacroCell (ETM) and the Trace Port Interface Unit (TPIU). That means that the HSM has
no trace capabilities.

Target Specification 278 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

System Debug Confidential

AXI AXI
CACHE Mem
BusMaster

CacheInterface

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

D-Code D-Code
CoreSys
MPU DWT FPB

I-Code BMU I-Code

BusMatrix

NVIC Internal Private Peripheral Bus (PPB),(AHBLite)

CPU
PPB
AHB2APB

OCDS Trigger
Debug AHB External Private Peripheral Bus (PPB), (APB)
Interface
HSMBridge
HSMcontrol

HSMstatus

ROM
Table

hsm_DebugSystem.vsd

Figure 12-1 HSM debug block diagram

To have at least a minimum trace support the OCDS trigger interface provides some status information of the
HSM sub system to the host OCDS.
Figure 12-1 shows a block diagram of the debug relevant part. The FPB and DWT are connected to the internal
private peripheral bus (PPB) which is connected via the BMU bus matrix to the core. The ROM table is
connected to the external PPB.
As mentioned in Section 9.2.5 the HSM address space is mapped through a 64 KB window in the host system
address space. A debugger can read and write the HSM internal resources via the host’s OCDS through this
window. The debugger has to create the correct addresses to access the DWT, FPB, core debug register or boot
ROM and local RAM addresses.

Target Specification 279 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

System Debug Confidential

12.1 Debug Modules

This sub chapter describes the involved debug modules in more detail.

12.1.1 Flash Patch & Breakpoint unit (FPB)

The Flash Patch & Breakpoint (FPB) unit provides six hardware breakpoints. This is done by 6 comparator
registers FP_COMPx (x=0..5). The comparators can be configured to serve either as breakpoint or as patch
address. For the HSM the flash patch mechanism is disabled and therefore the flash patch functionality and

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

the literal load comparators can’t be used. Beside this the CortexTM M3 FPB module is unchanged for the HSM.
The Flash Patch Control Register FP_CTRL is configured with NUM_CODE2 = 000B, NUM_LIT = 0010B and
NUM_CODE1 = 0110B. Note that there is no flag to indicate that the flash patch mechanism is not available and
the number of literal loads is two although no literal load comparators are supported. The compare address
is extended to 32 bit to support breakpoints for HSM Code in the Pflash memory (see Chapter 12.4.1) above
512 MB addresses.
A match of a HW breakpoint will cause a debug event before the instruction is executed and the system will
enter the debug state or Debug Monitor exception depending on the configuration of the Debug Halting
Control and Status Register (DHCSR). Note that for the HSM the debug monitor mode shall not be used by the
debugger.
The FPB is described in more detail in ARM Cortex M3 Technical Reference Manual [2], chapter 11.4 “FPB”.

12.1.2 Data Watchpoint and Trace Unit (DWT)

The Data Watchpoint and Trace unit (DWT) provides four comparators that can be configured either:
• as a hardware watchpoint (read, write or read/write)
• the first comparator against the clock cycle count register
• the second comparator together with another one as data comparator
The other configurations only make sense in combination with the ETM and are not mentioned here. In
addition the DWT contains counter for:
• clock cycles CYCCNT
• folded instructions
• Load-Store-Unit operations
• sleep cycles
• cycles per instructions CPI (all instruction cycles except for the first cycle)
• interrupt overhead
In case a DWT debug event occurs, this is indicated by setting the Debug Fault Status Register bit
DFSR.DWTTRAP.
The DWT module is taken from the CortexTM M3 without any changes.
The DWT is described in more detail in ARM Cortex M3 Technical Reference Manual [2], chapter 11.5 “DWT”.

12.1.3 ROM Table

The ROM Table is used to provide information about debug components, e.g. the addresses of the debug
components connected to the interface and whether a certain module is available or not.
The ROM table will only contain the entries for NVIC, DWT and FPB and all other modules marked as not
present. For the content of the ROM table see ARM Cortex M3 Technical Reference Manual [2], chapter 4.3

Target Specification 280 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

System Debug Confidential

“ROM memory table”, Tab 4-3 and ARM Debug Interface v5 Architecture Specification [11], chapter 14 “ROM
Tables”.

12.2 OCDS Interface

The OCDS Trigger Switch (OTGS) of the host allows to route trigger sources to trigger targets. The following
trigger signals are defined:
• break request from host system (BRKIN)

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

• suspend request from host system (SUSIN)
• HSM is in halt mode (HALT)
• break request from HSM to host system (BRKOUT)
The OCDS Trigger Mux (OTGM) of the host routes Trigger Sets and interrupt requests from peripherals to the
OCDS Trigger Switch (OTGS) and the MCDS. Trigger Sets are a collection of signals, which support a specific
debug use case for a certain peripheral. For the HSM up to 16 core status bits may be used as on Trigger Set.
The following signals are defined for the HSM Trigger Set:
• current interrupt priority (CURRPR)
• interrupt status (INTSTAT)
• HSM is in sleep mode (SLEEPING)
• HSM is in halt mode (HALTED)
To enable the trigger signal INTSTAT for the HSM interrupt status it is necessary to set the Trace Enable bit in
the Debug Exception and Monitor Control Register (DEMCR.TRCENA).

Target Specification 281 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

System Debug Confidential

12.3 Debug System

This sub chapter summarizes the debugger relevant topics for the HSM debug system.

12.3.1 Reset Handling

The bridge module generates the Reset signal for the HSM (Application \ Class3 reset). This HSM Reset resets
the entire HSM subsystem including the debug components (similar to the Power-on reset of the standard
CortexTM M3).

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

Note that there is no possibility to reset only the debug part of the HSM. If the debugger is connected either
the HSM software or the debugger has to reset/clear the debug register. No dedicated HSM debug control over
the reset generation will be provided.

12.3.2 Clock and Sleep Mode Handling

The clock for HSM subsystem is also provided by the bridge module, the clock frequency for the HSM is derived
from the host system. The HSM runs with the SPB clock frequency or with a reduced frequency. This HSM clock
corresponds to the CortexTM M3 free-running clock FCLK. The HSM will generate a “gated” main processor
clock similar to the CortexTM HCLK clock which is always synchronous to the HSM clock.
The debug modules and the debug portion of NVIC will always be provided with the free running clock which
ensures that the debugger can always access the debug modules even if the HSM is sleeping.
Note that the sleepdeep functionality is not supported for the HSM. The sleepdeep has the same functionality
as the normal sleep mode and has no additional effect or advantage.
In case the user code enters the sleep mode, e.g. via Wait For Interrupt (WFI) or the Wait For Event (WFE)
instructions the SLEEPING signal is asserted indicating a Sleep-now or Sleep-on-exit mode. This indicates that
the clock to the processor HCLK can be stopped. On receipt of a new interrupt or event in the case of WFE, the
NVIC resets the SLEEPING signal, releasing the core from sleep. Halting the core by the debugger by setting bit
C_HALT in the Debug Halting Control and Status Register (DHCSR) also causes the sleep mode to be exited
because the debug portion is clocked with the free running clock FCLK.
Note that the debug system can’t be set back in the sleep mode and user code continues to be execute
although for the software no wake-up event is visible. The user has to take care that the HSM is put again into
sleep if no wake-up condition was met, e.g. by a while() loop.

12.3.3 Debug Access / Authentication

Debug access to the host and HSM subsystem is controlled via the debug control register DBGCTRL. During
and after reset the debugger has no access to the HSM, host debug is permitted by the HSM. The reset behavior
can be changed by the BOS. It’s up to the HSM customer software to provide an authentication mechanism to
the debugger supplier and to enable after a successful authentication the debug access via DBGCTRL.HOST
DBGCTRL.HSM enable bits.

12.3.4 Halt-After-Reset Implementation

At the end of the startup software routine it must checked whether the OSTATE.HARR bit in OCDS is set. If halt
after reset (HAR) is requested and the flash is not protected, the FW must enable DEBUG (set
(DHCSR.C_DEBUGEN), enable the FPB module (set FP_CTRL.ENABLE, set FP_CTRL.KEY) and then set a break
point at the jump address to the user software via one of the Flash Patch Comparator registers. The HSM will
stop and enter the HALT mode at the defined address. The HSM debug mode must be enabled to allow the HAR
request, otherwise the HAR request must be ignored.

Target Specification 282 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

System Debug Confidential

12.3.5 Peripheral Behavior in HALT Mode

The timer module, the watchdog timer, and the TRNG as well as the SysTick counter are suspended in HALT
mode. The AES module is not suspended in HALT mode.

12.3.6 SPB Bus Conflict Triggered by HSM Debugging

The debugger accesses HSM internal resources through the 64 KB debug window, see Section 9.2.5. The
access is done via the SPB bus on the host side. During a single debug access through the window the SPB bus

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

is blocked and cannot be used for other accesses. As a consequence an HSM access to host resources during
(i.e. triggered by) a debug access leads to a bus conflict on the SPB.
The following scenarios may cause a bus conflict:
• explicitly: the debugger accesses a host resource through the HSM address space. This can be a memory
access (RAM, NVM) through the cache or single access window or a peripheral resource (e.g. SFR). This
situation has to be avoided: the debugger has to address host resources always through host addresses
and never through the HSM.
• implicitly: the debugger accesses HSM internal memories always through the cache inside the HSM. If the
data is not already available in the cache it has to be loaded into the cache. As a side effect a used cache
block may be replaced by the new block. If the used block is dirty (i.e. contains data that differs from the
source memory) and the source memory is a host memory the HSM will issue a write access to the host
memory while the SPB is still blocked by the debug access.
For the second scenario the following solutions are possible:
• Before accessing any HSM internal memories the debugger shall halt the HSM CPU via DHCSR.C_HALT and
shall clean the cache by using the cache set clean register (64 writes to CACHE_SC with different set
address). After each write access to CACHE_SC the debugger has to wait until the set is written back to the
memory. This procedure also provides consistency of data in the HSM cache and host memories.
• The software running on the HSM avoids dirty host memory cache blocks by writing host memories via the
single access to host memory window only.

Note: Cache clean by the debugger is not reasonable while the HSM CPU is still running. Therefore periodic
window update shall be disabled for debug memory windows pointing to HSM RAM addresses.

Target Specification 283 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

System Debug Confidential

12.4 Debug Modules Register Extension

This chapter describes the register extensions for the HSM debug modules compared to the standard CortexTM
M3.

Table 12-1 Register Address Space

Module Base Address End Address Note
Debug Extension E000 2000H E000 EFFFH

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

Table 12-2 Register Overview
Register Short Name Register Long Name Offset Address Reset Value
Debug Modules Register Extension, Flash Patch Registers
FP_COMPH0 Flash Patch Comparator High Register 0 0028H 0000 0000H
FP_COMPH1 Flash Patch Comparator High Register 1 002CH 0000 0000H
FP_COMPH2 Flash Patch Comparator High Register 2 0030H 0000 0000H
FP_COMPH3 Flash Patch Comparator High Register 3 0034H 0000 0000H
FP_COMPH4 Flash Patch Comparator High Register 4 0038H 0000 0000H
FP_COMPH5 Flash Patch Comparator High Register 5 003CH 0000 0000H
FP_COMPH6 Flash Patch Comparator High Register 6 0040H 0000 0000H
FP_COMPH7 Flash Patch Comparator High Register 7 0044H 0000 0000H
PID4 Peripheral IDentification Register 4 0FD0H 0000 0000H
PID0 Peripheral IDentification register 0 0FE0H 0000 0001H
PID1 Peripheral IDentification Register 1 0FE4H 0000 0010H
PID2 Peripheral IDentification Register 2 0FE8H 0000 001CH
PID3 Peripheral IDentification Register 3 0FECH 0000 0001H
Debug Modules Register Extension, Debug Halting Control and Status Register
DHCSR Debug Halting Control and Status Register CDF0H 0X0X 0000H

The registers are addressed wordwise.

Target Specification 284 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

System Debug Confidential

12.4.1 Flash Patch Registers

Description of the FPB register extensions.

FP_COMPH0
Defines the upper most three bits of the comparison address. The 32 bit comparator address is combined of
the FP_COMP0.COMP field (and the FP_COMP0.COMPH field. This an extension of the standard CortexTM M3 to
be able to use a full 32 bit comparator address instead of only 28 bit to address especially the HSM Code in the

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

Pflash memory.

FP_COMPH0 Offset Reset Value

Flash Patch Comparator High Register 0 0028H 0000 0000H

31 3 2 0

Res COMPH

Field Bits Type Description

COMPH 2:0 rw High bits of Comparison address.
This field contains bit [31:29] of the comparison address. The lower
[28:2] bits of the comparison address are taken from the
corresponding FP_COMPx register

Flash Patch Comparator High Registers

For each of the eight comparators a corresponding Flash Patch Comparator Register High exists similar to the
Flash Patch Comparator Register FPB_COMP0 to FPB_COMP7. They have the same layout as FP_COMPH0.
Their names and offset addresses are listed below:

Note: Only FPB_COMP0 to FPB_COMP5 can be used, FPB_COMP6 to FPB_COMP7 are intended for literal loads
which are not supported for the HSM.

Table 12-3 Flash Patch Comparator High Registers

Register Short Name Register Long Name Offset Address Reset Value
FP_COMPH1 Flash Patch Comparator High Register 1 002CH 0000 0000H
FP_COMPH2 Flash Patch Comparator High Register 2 0030H 0000 0000H
FP_COMPH3 Flash Patch Comparator High Register 3 0034H 0000 0000H
FP_COMPH4 Flash Patch Comparator High Register 4 0038H 0000 0000H
FP_COMPH5 Flash Patch Comparator High Register 5 003CH 0000 0000H
FP_COMPH6 Flash Patch Comparator High Register 6 0040H 0000 0000H
FP_COMPH7 Flash Patch Comparator High Register 7 0044H 0000 0000H

Target Specification 285 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

System Debug Confidential

PID0
The Peripheral IDentification (PID) registers define the configuration of the FPB.

PID0 Offset Reset Value

Peripheral IDentification register 0 0FE0H 0000 0001H

31 0

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

PID

Field Bits Type Description

PID 31:0 ro PID value.
This field contains the PID value

Peripheral IDentification Registers

The reset values of the registers PID0..PID5 are changed compared to the standard CortexTM M3. The remaining
PID5..PID7 and CID registers are unchanged. The addresses and reset values of the changed PID registers listed
below. They have the same layout as PID0.

Table 12-4 Peripheral IDentification Registers

Register Short Name Register Long Name Offset Address Reset Value
PID1 Peripheral IDentification Register 1 0FE4H 0000 0010H
PID2 Peripheral IDentification Register 2 0FE8H 0000 001CH
PID3 Peripheral IDentification Register 3 0FECH 0000 0001H
PID4 Peripheral IDentification Register 4 0FD0H 0000 0000H

Target Specification 286 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

System Debug Confidential

12.4.2 Debug Halting Control and Status Register

Description of the core debug core register extension.

DHCSR
The access right of the bit DHCSR.C_DEBUGEN is changed compared to the standard CortexTM M3.

DHCSR Offset Reset Value

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

Debug Halting Control and Status Register CDF0H 0X0X 0000H

31 16 15 6 5 4 3 2 1 0
C_ Re C_ C_ C_ C_
DBGKEY Res S* s M* S* H* D*

rw rw rw rw rw rw

Field Bits Type Description

DBGKEY 31:16 rw Debug Key
A05FH must be written whenever this register is written. If not written
as Key, the write operation is ignored and no bits are written into the
register.
Reads back as status bits [25:16]. For details, see [2].
C_SNAPSTALL 5 rw
See [2] for details.
C_MASKINTS 3 rw Mask interrupts
See [2] for details.
C_STEP 2 rw Steps the core in halted mode
See [2] for details.
C_HALT 1 rw Halts the core.
See [2] for details.
C_DEBUGEN 0 rw DEBUG enable.
Enables debug. This bit can only be written by the debugger and by
the HSM SW only in case of HSM debugging is enabled.

Target Specification 287 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

System Debug Confidential

12.5 SW Tool Extensions

The HSM subsystem is from the SW tools point of view a normal CortexTM M3-based product. Therefore the SW
development flow is the same as for the CortexTM M3. There are no extensions in the ARM standard tools
needed and no specific post processing tools required. It is assumed that the standard ARM development tools
MDK-ARM 5.x under µVision4 from KeilTM are used but any other Software Tool Development Kit for the
CortexTM M3 may be used alternatively.
Based on the MDK-ARM Infineon Technologies will provide an Install-Shield containing:

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

• CMSIS compliant include files for the HSM device
• a CMSIS compliant startup code
• a uVision Device Database for the HSM device
• an example project

Target Specification 288 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Confidential

References
[1] HIS AK Security: SHE – Secure Hardware Extension Functional Specification; Version 1.1 Proposal for
Standardization Revision 439; 1st April 2009
[2] ARM Cortex M3 Technical Reference Manual, Revision r2p0,
http://infocenter.arm.com/help/topic/com.arm.doc.ddi0337g/DDI0337G_cortex_m3_r2p0_trm.p
df

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

[3] ARM Cortex-M3 / Cortex-M3 with ETM (AT420/AT425) Errata Notice, Document Revision 2.0,
http://infocenter.arm.com/help/topic/com.arm.doc.eat0420c/Cortex-M3-Errata-r2p0-v2.pdf
[4] ARMv7M Architecture Reference Manual (ARM DDI0403B), available at
http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.set.cortex/index.html
[5] NIST/FIPS 197: Announcing the Advanced Encryption Standard (AES); November 26, 2001;
http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
[6] NIST Special Publication 800-38A: Recommendation for Block Cipher Modes of Operation: Methods and
Techniques, Morris Dworkin, December 2001, http://csrc.nist.gov/publications/nistpubs/800-
38a/sp800-38a.pdf
[7] NIST Special Publication 800-38B: Recommendation for Block Cipher Modes of Operation: The CMAC
Mode for Authentication, Morris Dworkin, May 2005, http://csrc.nist.gov/publications/nistpubs/800-
38B/SP_800-38B.pdf
[8] NIST Special Publication 800-38D: Recommendation for Block Cipher Modes of Operation:
Galois/Counter Mode (GCM) and GMAC, Morris Dworkin, November 2007,
http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
[9] IEEE Standard 1619-2007: Standard for Cryptographic Protection of Data on Block-Oriented Storage
Devices, December 2007
[10] AURIX™ TC3xx 32-Bit Single-Chip Microcontroller, Target Specification, V1.0.0, 2014
[11] ARM Debug Interface v5 Architecture Specification, 8 February 2006,
http://infocenter.arm.com/help/topic/com.arm.doc.ihi0031a/index.html

BSI
[12] Recommendations for RNG certification with AIS 31 (http://www.bsi.de)

Target Specification 289 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Confidential

Terminology

AES Advanced Encryption Standard

AHB Advanced High-performance Bus
APB Advanced Peripheral Bus
AXI Advanced eXtensible Interface

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

BIST Built-In Self-Test
BOS BOot System
CBC Cipher Block Chaining
CFB Cipher FeedBack
C-MPU Core MPU
CMSIS Cortex Microcontroller Software Interface Standard
CPU Central Processing Unit
CTR CounTeR
CTS Cipher Text Stealing
DTS Die Temperature Sensor
DWT Data Watchpoint and Trace unit
ECB Electronic CodeBook
ECC Error Correction Code
ECDSA Elliptic Curve Digital Signature Algorithm
EEPROM Electrically Erasable Programmable Read Only Memory
EVR Embedded Voltage Regulator
FPB Flash Patch and Breakpoint unit
FPI Flexible Peripheral Interconnect
GCM Galois Counter Mode
HSM Hardware Security Module
HW HardWare
IV Initial Value
LRU Least Recently Used
NVIC Nested Vectored Interrupt Controller
MBIST Memory Built-In Self-Test
MPC Miyaguchi-Preneel Compression
MPU Memory Protection Unit
NMI Non Maskable Interrupt
OCDS On Chip Debug Support
OFB Output Feedback Mode
OTP One-Time Programmable
PKC Public Key Cryptography

Target Specification 290 Revision 2.0

2016-03-04
AURIX™ TC3xx Hardware Security Module

Confidential

PRNG Pseudo Random Number Generator

RAM Random Access Memory
rfu reserved for future use
ROM Read-Only Memory
SCM Shared Crypto Memory
SFR Special Function Register

Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44

SHE Secure Hardware Extension
SPB System Peripheral Bus
SRI Shared Ressource Interconnect
SW SoftWare
TCB Tweaked CodeBook
TCM Tightly Coupled Memory
TRNG True Random Number Generator
XEX Xor-Encrypt-Xor
XN eXecute Never
XTS XEX-TCB-CTS

Target Specification 291 Revision 2.0

2016-03-04
Downloaded by IFXDMZ\par-liaopeng 29/07/2019 09:08:44
Trademarks of Infineon Technologies AG
AURIX™, C166™, CanPAK™, CIPOS™, CoolGaN™, CoolMOS™, CoolSET™, CoolSiC™, CORECONTROL™, CROSSAVE™, DAVE™, DI-POL™, DrBLADE™, EasyPIM™,
EconoBRIDGE™, EconoDUAL™, EconoPACK™, EconoPIM™, EiceDRIVER™, eupec™, FCOS™, HITFET™, HybridPACK™, Infineon™, ISOFACE™, IsoPACK™, i-
Wafer™, MIPAQ™, ModSTACK™, my-d™, NovalithIC™, OmniTune™, OPTIGA™, OptiMOS™, ORIGA™, POWERCODE™, PRIMARION™, PrimePACK™,
PrimeSTACK™, PROFET™, PRO-SIL™, RASIC™, REAL3™, ReverSave™, SatRIC™, SIEGET™, SIPMOS™, SmartLEWIS™, SOLID FLASH™, SPOC™, TEMPFET™,
thinQ!™, TRENCHSTOP™, TriCore™.
Other Trademarks
Advance Design System™ (ADS) of Agilent Technologies, AMBA™, ARM™, MULTI-ICE™, KEIL™, PRIMECELL™, REALVIEW™, THUMB™, µVision™ of ARM Limited,
UK. ANSI™ of American National Standards Institute. AUTOSAR™ of AUTOSAR development partnership. Bluetooth™ of Bluetooth SIG Inc. CAT-iq™ of DECT
Forum. CIPURSE™ of OSPT Alliance. COLOSSUS™, FirstGPS™ of Trimble Navigation Ltd. EMV™ of EMVCo, LLC (Visa Holdings Inc.). EPCOS™ of Epcos AG.
FLEXGO™ of Microsoft Corporation. HYPERTERMINAL™ of Hilgraeve Incorporated. MCS™ of Intel Corp. IEC™ of Commission Electrotechnique Internationale.
IrDA™ of Infrared Data Association Corporation. ISO™ of INTERNATIONAL ORGANIZATION FOR STANDARDIZATION. MATLAB™ of MathWorks, Inc. MAXIM™ of
Maxim Integrated Products, Inc. MICROTEC™, NUCLEUS™ of Mentor Graphics Corporation. MIPI™ of MIPI Alliance, Inc. MIPS™ of MIPS Technologies, Inc.,
USA. muRata™ of MURATA MANUFACTURING CO., MICROWAVE OFFICE™ (MWO) of Applied Wave Research Inc., OmniVision™ of OmniVision Technologies,
Inc. Openwave™ of Openwave Systems Inc. RED HAT™ of Red Hat, Inc. RFMD™ of RF Micro Devices, Inc. SIRIUS™ of Sirius Satellite Radio Inc. SOLARIS™ of
Sun Microsystems, Inc. SPANSION™ of Spansion LLC Ltd. Symbian™ of Symbian Software Limited. TAIYO YUDEN™ of Taiyo Yuden Co. TEAKLITE™ of CEVA,
Inc. TEKTRONIX™ of Tektronix Inc. TOKO™ of TOKO KABUSHIKI KAISHA TA. UNIX™ of X/Open Company Limited. VERILOG™, PALLADIUM™ of Cadence Design
Systems, Inc. VLYNQ™ of Texas Instruments Incorporated. VXWORKS™, WIND RIVER™ of WIND RIVER SYSTEMS, INC. ZETEX™ of Diodes Zetex Limited.

Trademarks Update 2014-11-12

www.infineon.com

Edition 2016-03-04 Legal Disclaimer Warnings

Published by The information given in this document shall in Due to technical requirements, components
no event be regarded as a guarantee of may contain dangerous substances. For
Infineon Technologies AG
conditions or characteristics. With respect to any information on the types in question, please
81726 Munich, Germany examples or hints given herein, any typical contact the nearest Infineon Technologies
values stated herein and/or any information Office. Infineon Technologies components may
regarding the application of the device, Infineon be used in life-support devices or systems only
© 2014 Infineon Technologies AG.
Technologies hereby disclaims any and all with the express written approval of Infineon
All Rights Reserved. warranties and liabilities of any kind, including Technologies, if a failure of such components
without limitation, warranties of non- can reasonably be expected to cause the failure
infringement of intellectual property rights of of that life-support device or system or to affect
Do you have a question about any
any third party. the safety or effectiveness of that device or
aspect of this document?
Information system. Life support devices or systems are
Email: [email protected] intended to be implanted in the human body or
For further information on technology, delivery
to support and/or maintain and sustain and/or
terms and conditions and prices, please contact
protect human life. If they fail, it is reasonable to
Document reference the nearest Infineon Technologies Office
assume that the health of the user or other
Doc_Number (www.infineon.com).
persons may be endangered.

(Original PDF) Introduction To Operations and Supply Chain Management (5th Edition) Instant Download
No ratings yet
(Original PDF) Introduction To Operations and Supply Chain Management (5th Edition) Instant Download
48 pages
Stylus Pro 7880 9880 Field Repair Guide PDF
62% (13)
Stylus Pro 7880 9880 Field Repair Guide PDF
350 pages
DWC Pcie CTL SW Databook
No ratings yet
DWC Pcie CTL SW Databook
1,093 pages
nRF52840 PS v1.5
100% (2)
nRF52840 PS v1.5
631 pages
Samsung Sync Master 226bw 206bw Service Manual
No ratings yet
Samsung Sync Master 226bw 206bw Service Manual
79 pages
rp2040 Datasheet 3
No ratings yet
rp2040 Datasheet 3
1 page
Openrisc 1200 Ip Core Specification (Preliminary Draft)
No ratings yet
Openrisc 1200 Ip Core Specification (Preliminary Draft)
54 pages
CPU08RM
No ratings yet
CPU08RM
200 pages
CPU08RM
No ratings yet
CPU08RM
200 pages
CPU08 Central Processor Unit: Reference Manual
No ratings yet
CPU08 Central Processor Unit: Reference Manual
200 pages
ST62T40B / E40b 8-Bit Otp / Eprom Mcu With LCD Driver
No ratings yet
ST62T40B / E40b 8-Bit Otp / Eprom Mcu With LCD Driver
74 pages
rp2040 Datasheet 5
No ratings yet
rp2040 Datasheet 5
1 page
ST62T18C Microcontr 8 Bit
No ratings yet
ST62T18C Microcontr 8 Bit
82 pages
User Guide: Keystone Architecture Serial Peripheral Interface (Spi)
No ratings yet
User Guide: Keystone Architecture Serial Peripheral Interface (Spi)
51 pages
Stmicroelectronics cd00001667-1204835
No ratings yet
Stmicroelectronics cd00001667-1204835
134 pages
ST72101/ST72212/ST72213: 8-Bit Mcu With 4 To 8K Rom/Otp/Eprom, 256 Bytes Ram, Adc, WDG, Spi and 1 or 2 Timers
No ratings yet
ST72101/ST72212/ST72213: 8-Bit Mcu With 4 To 8K Rom/Otp/Eprom, 256 Bytes Ram, Adc, WDG, Spi and 1 or 2 Timers
86 pages
STR71xF Reference Manual
No ratings yet
STR71xF Reference Manual
350 pages
Sprugs 6 B
No ratings yet
Sprugs 6 B
207 pages
ST62T32B ST62E32B: 8-Bit Otp/Eprom Mcus With A/D Converter, 16-Bit Auto-Reload Timer, Eeprom, Spi and Uart
No ratings yet
ST62T32B ST62E32B: 8-Bit Otp/Eprom Mcus With A/D Converter, 16-Bit Auto-Reload Timer, Eeprom, Spi and Uart
86 pages
CD00018962 57108
No ratings yet
CD00018962 57108
85 pages
ST 7262
No ratings yet
ST 7262
132 pages
Datasheet - HK st52t400g3 202820
No ratings yet
Datasheet - HK st52t400g3 202820
94 pages
Spruhx 9
No ratings yet
Spruhx 9
294 pages
ST 62T62C
No ratings yet
ST 62T62C
78 pages
nRF52840 PS v1.1
No ratings yet
nRF52840 PS v1.1
619 pages
Tk68hc11e - 2019 11 20
No ratings yet
Tk68hc11e - 2019 11 20
190 pages
STM32F0 Reference Manual
No ratings yet
STM32F0 Reference Manual
988 pages
Datasheet - HK st62t65cn6 5503559
No ratings yet
Datasheet - HK st62t65cn6 5503559
86 pages
7601
No ratings yet
7601
211 pages
Ug585 Zynq 7000 TRM
No ratings yet
Ug585 Zynq 7000 TRM
1,940 pages
ST72345
No ratings yet
ST72345
191 pages
Alpha 21164 Data Sheet
No ratings yet
Alpha 21164 Data Sheet
122 pages
Nand 01 GW 3 B 2 N 6
No ratings yet
Nand 01 GW 3 B 2 N 6
64 pages
nRF52840 PS v1.0 PDF
No ratings yet
nRF52840 PS v1.0 PDF
551 pages
Img 20240313113733
No ratings yet
Img 20240313113733
154 pages
nRF52840 PS v1.9
No ratings yet
nRF52840 PS v1.9
899 pages
4563 PDF
No ratings yet
4563 PDF
101 pages
10022
No ratings yet
10022
262 pages
ST62T53C/T60C/T63C ST62E60C: 8-Bit Otp/Eprom Mcus With A/D Converter, Safe Reset, Auto-Reload Timer, Eeprom and Spi
No ratings yet
ST62T53C/T60C/T63C ST62E60C: 8-Bit Otp/Eprom Mcus With A/D Converter, Safe Reset, Auto-Reload Timer, Eeprom and Spi
84 pages
DWC DDR MultiPHY Smic40ll25 DB
100% (1)
DWC DDR MultiPHY Smic40ll25 DB
220 pages
8-Bit MCUs with A/D Converter Guide
No ratings yet
8-Bit MCUs with A/D Converter Guide
104 pages
UART - Specification by Texas Instruments
No ratings yet
UART - Specification by Texas Instruments
51 pages
8035
No ratings yet
8035
103 pages
Infineon TLE984x Firmware UserManual v01 04 en
No ratings yet
Infineon TLE984x Firmware UserManual v01 04 en
127 pages
Pg150 Ultrascale Memory Ip
No ratings yet
Pg150 Ultrascale Memory Ip
812 pages
pm0223 stm32 Cortexm0 Mcus Programming Manual Stmicroelectronics
No ratings yet
pm0223 stm32 Cortexm0 Mcus Programming Manual Stmicroelectronics
110 pages
0 PJH 9 L 6 F 83 RL 2 I 1 R 3 WSKQ 5 I 5 Akwy
No ratings yet
0 PJH 9 L 6 F 83 RL 2 I 1 R 3 WSKQ 5 I 5 Akwy
38 pages
ST72F521 STMicroelectronics
No ratings yet
ST72F521 STMicroelectronics
215 pages
RSL10 Firmware Reference
No ratings yet
RSL10 Firmware Reference
414 pages
Obsolete Product(s) - Obsolete Product(s) : ST6215C ST6225C
No ratings yet
Obsolete Product(s) - Obsolete Product(s) : ST6215C ST6225C
105 pages
Infineon-PSoC 61 PSoC 62 MCU CY8C6xx5 Architecture Reference Manual-AdditionalTechnicalInformation-V07 00-En
No ratings yet
Infineon-PSoC 61 PSoC 62 MCU CY8C6xx5 Architecture Reference Manual-AdditionalTechnicalInformation-V07 00-En
647 pages
RSL10 Hardware Reference
No ratings yet
RSL10 Hardware Reference
518 pages
St723248 Bit Mcu
No ratings yet
St723248 Bit Mcu
163 pages
ST72F561R6TA Datasheetz
No ratings yet
ST72F561R6TA Datasheetz
265 pages
nRF52833 PS v1.7
No ratings yet
nRF52833 PS v1.7
885 pages
Spin
No ratings yet
Spin
165 pages
Tms 320 VC 5509 A
No ratings yet
Tms 320 VC 5509 A
150 pages
TMS320VC5509APGE Texas Instruments
No ratings yet
TMS320VC5509APGE Texas Instruments
148 pages
Datasheet Mcu
No ratings yet
Datasheet Mcu
122 pages
ST62T108C6
No ratings yet
ST62T108C6
104 pages
DSB 1610 4X0
No ratings yet
DSB 1610 4X0
2 pages
Bricscad Bim: The Value Proposition
No ratings yet
Bricscad Bim: The Value Proposition
20 pages
Marvell Phys Transceivers Alaska 88e1548 88e1548p Product Brief 2015 08
No ratings yet
Marvell Phys Transceivers Alaska 88e1548 88e1548p Product Brief 2015 08
2 pages
Algebraic vs. Transcendental Functions
No ratings yet
Algebraic vs. Transcendental Functions
21 pages
Section6Exercise1 MakingPredictions ParticulateMatterExposure PDF
No ratings yet
Section6Exercise1 MakingPredictions ParticulateMatterExposure PDF
66 pages
Matroska File Format Guide
No ratings yet
Matroska File Format Guide
51 pages
TOUGHBOOK 33 Spec Sheet
No ratings yet
TOUGHBOOK 33 Spec Sheet
2 pages
3.4.5 Packet Tracer - Configure Trunks
No ratings yet
3.4.5 Packet Tracer - Configure Trunks
2 pages
Wallpaper For Phones - Google Search
No ratings yet
Wallpaper For Phones - Google Search
1 page
Pricelist Sentral Komputer Bogor
No ratings yet
Pricelist Sentral Komputer Bogor
2 pages
Datasheet - XPG SX8100 - EN - 202005
No ratings yet
Datasheet - XPG SX8100 - EN - 202005
2 pages
Enyecontrols TKG CO
No ratings yet
Enyecontrols TKG CO
3 pages
Toslink
No ratings yet
Toslink
20 pages
T4 Client-Server Networks 2
No ratings yet
T4 Client-Server Networks 2
37 pages
12th Computer Science EM Text WWW - Tntextbooks.in
No ratings yet
12th Computer Science EM Text WWW - Tntextbooks.in
360 pages
Network Model
No ratings yet
Network Model
25 pages
SKIT Hackathon Ppt-Ewaste
No ratings yet
SKIT Hackathon Ppt-Ewaste
8 pages
Computer Chapter-2
No ratings yet
Computer Chapter-2
33 pages
Case Study
100% (1)
Case Study
15 pages
S1 Ict End of Year
No ratings yet
S1 Ict End of Year
3 pages
Web Design & Marketing Basics
No ratings yet
Web Design & Marketing Basics
65 pages
ICAML 2021: 3 International Conference On Applications of AI & Machine Learning
No ratings yet
ICAML 2021: 3 International Conference On Applications of AI & Machine Learning
2 pages
Op Jeeva1
No ratings yet
Op Jeeva1
36 pages
Sophos Data Loss Prevention SDK Ds
No ratings yet
Sophos Data Loss Prevention SDK Ds
2 pages
SHS - Parts of A Computer - Reviewer
No ratings yet
SHS - Parts of A Computer - Reviewer
5 pages
2.A1. BT Bill of Director
No ratings yet
2.A1. BT Bill of Director
3 pages
Calculation Method of Spectrum Requirement For IMT-2020 eMBB and URLLC With Puncturing Based On M G 1 Priority Queuing Model
No ratings yet
Calculation Method of Spectrum Requirement For IMT-2020 eMBB and URLLC With Puncturing Based On M G 1 Priority Queuing Model
14 pages