We wondered about that in the RP235X roadmap thread already, and I think I know why this wouldn't work, though I haven't verified this.My question is: given that the E16 glitch on the OTP power supply causes the read of CRIT1.DEBUG_DISABLE to be 0 (and the device to enter RISC-V mode), would it be possible for installing a debug key to still cause debug to be disabled, even if CRIT1.DEBUG_DISABLE reads as 0?
The issue is that even though, as far as I understand the related circuitry from the datasheet, installing debugs keys would actually disable debug access at first this doesn't gain you much. The bootrom is setup to only support secure boot under ARM (as the datasheet tells us), not RISC-V, and as far as I can see there's nothing that would abort boot in this case. This means that we are free to fill the flash chip with whatever attacker payload we desire, read the OTP registers and indeed turn debug access back on with the DEBUGEN register.
It may actually be possible to fix this if you disable every other boot option apart from OTP (in addition to installing debug keys), which contains a bootloader that aborts when this case is detected and otherwise just implements the normal flash-boot logic like the bootrom does. Not entirely sure if this would work, though even if it does it imposes significant restrictions on what you can do with the microcontroller.
In general the bootrom is unfortunately rather poorly designed from the perspective of hiding OTP data, as it contains no mechanism of locking OTP pages in early boot. Thus it can only be done in user code relatively late in the boot process, and any subversion of the secure boot mechanism also breaks OTP confidentiality. Security is hard, maybe this gets improved in a later revision.
The "authentication" is actually handled in the RP-AP module, which is always active. And at least according to the datasheet, they should have the same effect as CRIT1.DEBUG_DISABLE:It's RISC-V debug module which has no authentication like ARM.
The effect of installing debug keys depends on which of key 5 and 6 are installed:
• If key 5 or key 6 is valid, and no matching key (either) has been entered through the RP-AP, all debug is disabled.
This has the same effect as setting CRIT1.DEBUG_DISABLE.
Statistics: Posted by Tharre — Wed Apr 30, 2025 3:50 pm