Integration Question : OBF Key

[JuneB-Choi]

Hi, I'm June from FADU.
I have a question about the OBF Key used in the obfuscation process of UDS/FE seeds (Caliptra-rtl v1.1).

There are two ways to do this: using PUF or inserting RTL Key through ECO.
Based on our interpretation of the following sentences, if PUF is not used, the obfuscation key can be replaced with a chip-class secret,
and when "chip revision" or "another product", it seems that the new obfuscation key can be applied according to the company's policy.

1. Rotation of the obfuscation key (if not driven through PUF) between silicon steppings of a given product (for example, A0 vs. B0 vs. PRQ stepping) is dependent on company-specific policies.
2. This obfuscation key may be a chip-class secret, or a chip-unique PUF, with the latter preferred.

At this time, can we assume that the "chip-class secret" means the same secret value for all chips? (Not die-unique assets)
If there is anything wrong with the above assertion, please correct it.

Also, if there are any instructions for key rotation when inserting OBF Key via ECO without using PUF, please let me know.

Thank you,
June.

[steven-bellock]

I think the general guidance would be, assuming that your infrastructure and timelines support it, to rotate the key whenever the opportunity presents itself. The use of camouflage cells over simple TIE-HIGH / TIE-LOW cells would obviously improve the physical security, but most folks don't have access to them. I'll bring up the use of camouflage cells as a possible nice-to-have.