Security-hardened reset domain crossing circuit: Page 2 of 5

April 11, 2019 //By Satyanarayana Murthy Madimatla, Sandeep Jain, Vivek Sharma (NXP Semiconductors)
While we focus on various security features of modern automotive designs, the reset interface could offer a favorable attack surface if it is not handled appropriately.

Note that simply gating the destination clocks during reset assertion is not sufficient, as shown in Fig. 2. The destination flop, FFC, is clock-gated based on the reset assertion request. The clock is ungated and, on rst1_n assertion, FFB gets cleared. However, the source flop, FFA, may still be undergoing reset, depending on the reset propagation latency of the network. As a result, FFC may receive an ungated clock and capture metastable data from FFA.


Fig. 2 Gating destination clock during reset assertion

 

To address this issue, a delayed version of the reset-generation request can be used to gate the destination clock, as shown in Fig. 3.


Fig. 3 Delay chain for gating destination clock

A delay element is introduced to ensure the clock is disabled after FFA is reset. However, this implementation also delays assertion of the reset request, and if the delay between the reset generation request and the actual reset assertion is less than the delay of the delay chain, FFA is reset and hence FFC could sample metastable values.
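The two failure cases described above can be checked with a small timing model. This is an added example, not the authors' circuit or code: the function names, the 10 ns clock, the setup/hold values and all latencies are constructed assumptions, and the model reduces each scheme to a single clock-gating interval.

```python
# Added example: simplified timing model, all numbers constructed (ns).
# FFA is reset asynchronously, so its output can change at any point in
# FFC's clock cycle. FFC is at risk when an ungated clock edge lands close
# enough to that change to violate FFC's setup/hold window.

def unsafe_edges(ffa_change, gate_start, gate_end,
                 period=10.0, setup=1.0, hold=1.0, t_end=200.0):
    """Return FFC clock edges that may sample FFA while it is changing.

    ffa_change           -- time FFA's output changes (reset request time
                            plus reset-network latency to FFA)
    gate_start, gate_end -- interval during which FFC's clock is gated off
    """
    bad = []
    edge = 0.0
    while edge <= t_end:
        gated = gate_start <= edge < gate_end
        violates = edge - setup < ffa_change < edge + hold
        if violates and not gated:
            bad.append(edge)
        edge += period
    return bad

REQUEST = 42.0  # constructed time of the reset-generation request

def gate_released_early():
    # Gate follows the request but is released while the reset is still
    # propagating to FFA (latency 38.5): the edge at 80 is ungated.
    return unsafe_edges(REQUEST + 38.5, gate_start=REQUEST, gate_end=60.0)

def delayed_gate_too_late():
    # Gate driven by a request delayed by 30, but the reset reaches FFA
    # after only 8.5: FFA changes before the gate closes.
    return unsafe_edges(REQUEST + 8.5, gate_start=REQUEST + 30.0, gate_end=120.0)

def gate_covers_reset():
    # Gate closes before FFA can change and stays closed until after it has.
    return unsafe_edges(REQUEST + 38.5, gate_start=REQUEST, gate_end=90.0)

if __name__ == "__main__":
    print("gate released early  :", gate_released_early())
    print("delayed gate too late:", delayed_gate_too_late())
    print("gate covers reset    :", gate_covers_reset())
```

An empty list means every clock edge near FFA's transition was gated; any listed edge is one where FFC could capture a metastable value.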
