Security-hardened reset domain crossing circuit: Page 3 of 5

April 11, 2019 // By Satyanarayana Murthy Madimatla, Sandeep Jain, Vivek Sharma (NXP Semiconductors)
Security-hardened reset domain crossing circuit
While we focus on various security features of modern automotive designs, reset interface could be offering a favorable surface to the attackers, if not handled appropriately.

To address this issue, only de-assertion of reset generation request can be delayed while assertion can shut down the destination clock immediately. This can be achieved by introducing a MUX as shown in Fig. 4 which would ensure the assertion of reset generation request will result in immediate clock gating of FFC

Fig. 4 Proposed implementation delaying
only reset generation request de-assertion

To ensure that clock to FFC gets gated before reset controller asserts the reset, N (number of delay stages) should be small enough to allow the propagation of reset request before reset application and should be large enough to allow the settlement of metastability at the source flop.

Hence, the duration of delay-chain should satisfy the below condition:

Tcontroller > Tdelay-chain > Treset_latency

Where: Tcontroller- Time taken by reset-controller between reset-request and reset-assertion

 Tdelay-chain - delay-chain duration

 Treset_latency- Max reset-tree latency of the design

Maximum latency of the reset paths in the design can be extracted from physical layout. A good number can be extracted after a single place-and-route iteration. The delay chain operates on destination reset and ungated clock so these signals are unaffected by reset assertion in source domain.

Design category: 

Vous êtes certain ?

Si vous désactivez les cookies, vous ne pouvez plus naviguer sur le site.

Vous allez être rediriger vers Google.