
STM32MP21 OTP mapping

Applicable for STM32MP21x lines

1. Memory mapping

The tables below give an overview of the BSEC OTP memory mapping, with the information that is useful in the context of this wiki. They show the global mapping, including the SoC restricted layout (immutable) and the additional allocation choices used by the OpenSTLinux ecosystem.

  • OTP words 0 to 127 are called lower OTP and are bitwise programmable.
  • OTP words 128 to 255 are called middle OTP and are bulk programmable.
  • OTP words 256 to 383 are called upper OTP and are bulk programmable. These are the OTP words where sensitive information (such as passwords or private keys) must be stored.


Further information for the words and fields that are not explicitly described here can be found in the reference manual.

1.1. Lower OTP region

For both TD flavors (A35-TD or M33-TD)
OTP word Bit field (size) Name Description
0 OTP_HW_WORD0 OTP Check Word (virgin -> non virgin)
1 OTP_HW_WORD1 OTP Security word to close security state BSECXW
2 OTP_HW_WORD2 OTP Word for re-opening via RMA password : RMA bits
3 OTP_HW_WORD3 OTP Word for re-opening via RMA password : RMA tries bits
4 OTP_HW_WORD4 OTP word for TK Retries (ECIES)
5 ID0 ID0 for Engineering purposes
6 ID1 ID1 for Engineering purposes
7 ID2 ID2 for Engineering purposes
8 Reserved
9 RPN_CODING STM32MP21 Reference Manuals
10 BOOTROM_CONFIG_1
0-0 (1 bit) chip cpbk y sign Chip Public key sign of Y
  • 0 : Chip public key Y is positive
  • 1 : Chip Public key Y is negative
1-1 (1 bit) stkeyprov ecies ok Status of ECIES ST key provisioning when it was attempted.
  • 0: the last ECIES ST key provisioning attempt failed
  • 1: the last ECIES ST key provisioning attempt was successful
2-2 (1 bit) stkeyprov hwkey done ST HW key provisioning done
  • 0: HWKEY not provisioned
  • 1: HWKEY was provisioned
10-3 (8 bits) security counter security counter involved in productID for chip certificate verification by HSM-OEM in RSSe_prov context
14-11 (4 bits) st pub key id ST ECDSA Public Key ID (ST Key Instance fuse part) involved in productID for chip certificate verification by HSM-OEM in RSSe_prov context
22-15 (8 bits) rssefw active signing key 8 possible ST public keys (ST key revocation feature for RSSe_FW authentication)
  • [1-0xFF] -> [1-8] : Value of monotonic counter is X where X is position of the most significant bit at 1.
28-23 (6 bits) nb added stsecrets Number of additional ST secrets words provisioned
  • 0 : no additional ST secrets
  • [1-63] : number of OTP words located in the upper area [360-nb_added_stsecrets..359] that were provisioned with ST secrets.
31-29 (3 bits) Reserved
11 BOOTROM_CONFIG_2
0-0 (1 bit) Reserved
1-1 (1 bit) sdmmc1 not default af SDMMC1 default Afmux usage
  • 0 : SDMMC1 uses default hard coded AFmux.
  • 1 : SDMMC1 uses AFmux defined in OTP.
2-2 (1 bit) sdmmc2 not default af SDMMC2 default Afmux usage
  • 0 : SDMMC2 uses default hard coded AFmux.
  • 1 : SDMMC2 uses AFmux defined in OTP.
4-3 (2 bits) Reserved
5-5 (1 bit) no cpu pll CPU PLL usage
  • 0 : PLLs for CPU/AXI are enabled for cold boot.
  • 1 : PLLs for CPU/AXI are not enabled for cold boot.
9-6 (4 bits) Reserved
14-10 (5 bits) disable uart Disable UART instances
  • 0b00001: disable USART2
  • 0b00010: disable UART5
  • 0b00100: disable UART6
15-15 (1 bit) no data cache Data cache usage
  • 0: Data cache is used by bootrom.
  • 1: Data cache is not used by bootrom.
23-16 (8 bits) boot source disable Each bit disables a boot source. Defaults to UART if all are disabled.
  • 0b00000001: disable FMC boot source.
  • 0b00000010: disable QSPI NOR boot source.
  • 0b00000100: disable eMMC boot source.
  • 0b00001000: disable SD boot source.
  • 0b00010000: disable UART boot source.
  • 0b00100000: disable USB boot source.
  • 0b01000000: disable QSPI NAND boot source.
  • 0b10000000: disable QSPI HyperFlash boot source.
25-24 (2 bits) bootpins layout sel Bootpins layout selection
  • [0-3]: Select one among the three possible bootpins layouts
29-26 (4 bits) boot source sel Boot source selection
  • [0-15]: Select one among the 16 possible boot sources of the selected bootpins layout
30-30 (1 bit) dont boot on cfm tamper Disable boot on confirmed tamper feature
  • 0: boot on confirmed tamper
  • 1: do not boot on confirmed tamper
31-31 (1 bit) Reserved
12 BOOTROM_CONFIG_3 BOOTROM / FSBL-A version monotonic counter
13 BOOTROM_CONFIG_4
7-0 (8 bits) Reserved
11-8 (4 bits) RNG configuration 3 STM32MP21 Reference Manuals (RNG CR register)
12 (1 bit) NIST custom STM32MP21 Reference Manuals (RNG CR register)
15-13 (3 bits) RNG configuration 2 STM32MP21 Reference Manuals (RNG CR register)
19-16 (4 bits) Clock divider factor STM32MP21 Reference Manuals (RNG CR register)
27-20 (8 bits) RNG configuration 2 STM32MP21 Reference Manuals (RNG CR register)
31-28 (4 bits) Reserved
14 BOOTROM_CONFIG_5
17-0 (18 bits) RNG health test control configuration (HTCR0) STM32MP21 Reference Manuals (RNG HTCR0 register)
31-18 (14 bits) Reserved
15 BOOTROM_CONFIG_6
8-0 (9 bits) RNG noise source control STM32MP21 Reference Manuals (RNG NSCR register)
31-10 (22 bits) Reserved
16 BOOTROM_CONFIG_7
0-0 (1 bit) disable traces Disable bootROM traces
  • 0: bootROM traces are enabled
  • 1: bootROM traces are disabled
1-1 (1 bit) disable hse freq detect Disable HSE frequency autodetection
  • 0: HSE frequency autodetection is enabled
  • 1: HSE frequency autodetection is disabled
2-2 (1 bit) disable hse bypass detect Disable HSE bypass detection
  • 0: HSE bypass detection is enabled
  • 1: HSE bypass detection is disabled
3-3 (1 bit) disable blocking failure traces Disable traces done by blocking failure process
  • 0: blocking failure traces are enabled
  • 1: blocking failure traces are disabled
4-4 (1 bit) a35 mode Select a35 architecture mode
  • 0: FSBL-A is AArch64
  • 1: FSBL-A is AArch32
5-5 (1 bit) fmc force sw reset FMC is used by CA35 to connect a NAND and by CM33 to connect a NOR or PSRAM
  • 0: Use RCC to reset FMC
  • 1: Use sw procedure to reset FMC without impacting CM33
6-6 (1 bit) emergency debug req Emergency debug request
  • 0: emergency debug is not requested
  • 1: emergency debug is requested
7-7 (1 bit) emmc 128k boot partition Support eMMC with 128Kb boot partition
  • 0: bootROM does not support eMMC with 128Kb boot partition.
  • 1: bootROM supports eMMC with 128Kb boot partition.
8-8 (1 bit) fsbl decrypt prio FSBL decryption priority (speed or security)
  • 0: use CRYP (fast but no DPA protection)
  • 1: use SAES (slow but DPA protection)
9-9 (1 bit) Reserved
10-10 (1 bit) Reserved
13-11 (3 bits) HSE value HSE value
  • 0b000: HSE value is autodetected among 16, 20, 24, 28, 32, 36, 40, 48MHz
  • 0b001: HSE = 24MHz
  • 0b010: HSE = 25MHz
  • 0b011: HSE = 26MHz
  • 0b100 (19_2 Mhz): HSE = 19.2MHz
  • 0b101: HSE = 40MHz
  • 0b110: HSE = 48MHz
  • 0b111: Reserved
14-14 (1 bit) snand need plane select 1 NAND parameters bank1 - Serial NAND plane selection
  • 0: Serial NAND plane select is not needed.
  • 1: Serial NAND plane select is needed.
17-15 (3 bits) pnand number of ecc bits 1 NAND parameters bank1 - Number of Error Correction Code (ECC) bits
  • 0: ECC unset.
  • 1: ECC 1bit (Hamming).
  • 2: ECC 4bit (BCH4).
  • 3: ECC 8bit (BCH8).
  • 4: on-die ECC.
18-18 (1 bit) pnand bus width 1 NAND parameters bank1 - Parallel NAND data width
  • 0: data width is 8 bits
  • 1: data width is 16 bits
26-19 (8 bits) nand nb of blocks 1 NAND parameters bank1 - Number of blocks in unit of 256 blocks
  • [1-256]: Number of blocks = 256 * value
28-27 (2 bits) nand block size 1 NAND parameters bank1 - Block size in number of pages
  • 0: 64 pages per block
  • 1: 128 pages per block
  • 2: 256 pages per block
30-29 (2 bits) nand page size 1 NAND parameters bank1 - Page size
  • 0: 2Kbytes
  • 1: 4Kbytes
  • 2: 8Kbytes
31-31 (1 bit) pnand param stored in otp Parallel NAND parameters stored in OTP bank1 or bank2
  • 0: BootROM uses ONFI parameter table to get parallel nand parameters.
  • 1: parallel nand parameters are defined in bank1 or bank2, depending on nand_config_distribution value.
17 BOOTROM_CONFIG_8
7-0 (8 bits) oem active signing key1 Eight possible OEM public keys (OEM key revocation feature for OEM-FSBL authentication)
  • [1-256] -> [1-8] : Value of monotonic counter is X where X is position of the most significant bit at 1.
8-8 (1 bit) oem keys2 enable Enable second ECDSA OEM key set for FSBL-M authentication and decryption[fsblm-keys 1]
  • 0: keys2 are not used; keys1 are used for both FSBLA and FSBLM
  • 1: keys2 are enabled; keys1 are used for FSBLA; keys2 are used for FSBLM
31-16 (16 bits) Reserved
18 BOOTROM_CONFIG_9
3-0 (4 bits) secure boot Enable enforced secure boot
  • 0: Chip is in CLOSED_UNLOCKED state. Secure boot is not enforced (FSBL authentication is not mandatory).
  • [1-15]: Chip is in CLOSED_LOCKED state. Secure boot is enforced (FSBL authentication is mandatory)
7-4 (4 bits) prov done RSSE provisioning done
  • 0: RSSE provisioning is not done
  • [1-15]: RSSE provisioning is done
11-8 (4 bits) debug lock Lock debug enabling until next reset when chip is CLOSED-LOCKED
  • 0: Don't lock debug enabling
  • [1-15]: Lock debug enabling
15-12 (4 bits) otp prov done RSSe OTP provisioning done
  • 0: RSSe OTP provisioning is not done
  • [1-15]: RSSe OTP provisioning part done, used to manage RSSe extension issue
21-16 (6 bits) Reserved
22-22 (1 bit) ns epoch enable Enable non secure EPOCH use
  • 0: bootROM does not manage NS_EPOCH. BOOTROM_NS_EPOCH monotonic counter fuse bits are free for other use.
  • 1: bootROM manages NS_EPOCH. bootROM uses BOOTROM_NS_EPOCH monotonic counter fuse bits.
26-23 (4 bits) fingerprint enable Enable fingerprint feature
  • 0: fingerprint feature is disabled
  • 1: fingerprint feature is enabled
31-27 (5 bits) free for future use
19 BOOTROM_CONFIG_10
31-0 (32 bits) fsblm_monotonic BOOTROM / OEM-FSBLM version monotonic counter
20 BOOTROM_CONFIG_11
0-0 (1 bit) nand config distribution NAND configurations distribution
  • 0: pNAND config in nand*_2 fields / sNAND config in nand*_1 fields
  • 1: pNAND config in nand*_1 fields / sNAND config in nand*_2 fields
1-1 (1 bit) snand need plane select 2 same as BOOTROM_CONFIG_7.snand_need_plane_select_1
4-2 (3 bits) pnand number of ecc bits 2 same as BOOTROM_CONFIG_7.pnand_number_of_ecc_bits_1
5-5 (1 bit) pnand bus width 2 same as BOOTROM_CONFIG_7.pnand_bus_width_1
13-6 (8 bits) nand nb of blocks 2 same as BOOTROM_CONFIG_7.nand_nb_of_blocks_1
15-14 (2 bits) nand block size 2 same as BOOTROM_CONFIG_7.nand_block_size_1
17-16 (2 bits) nand page size 2 same as BOOTROM_CONFIG_7.nand_page_size_1
18-18 (1 bit) hyperflash 3V3 device Is HyperFlash a 3.3V device
  • 0: hyperflash is not a 3.3V device
  • 1: hyperflash is a 3.3V device
21-19 (3 bits) rng htcr value RNG HTCR value
  • 0: 0xA2B3
  • 1: 0xA2B3
  • 2: 0xAA74
  • 3: 0xA6BA
  • 4: 0x9AAE
  • 5: 0x72AC (corresponds to the default value of IP after reset)
  • 6: 0xAAC7 value set by engineering in OTP
  • 7: 0xA2B3 only other possible value for OTP after engineering set above "6: 0xAAC7" value
22-22 (1 bit) ospi io speed ovrw OSPI IO speed overwrite enable
  • 0: OSPI io speed is not overwritten by otp configuration
  • 1: OSPI io speed is overwritten by otp configuration
24-23 (2 bits) ospi io speed clk nclk OSPI IO speed of clk nclk IO
  • 0b00: low speed.
  • 0b01: medium speed.
  • 0b10: high speed
  • 0b11: very high speed
25-24 (2 bits) ospi io speed data cs OSPI IO speed of CS IO
  • 0b00: low speed.
  • 0b01: medium speed.
  • 0b10: high speed
  • 0b11: very high speed
31-26 (6 bits) Reserved
21 BOOTROM_CONFIG_12
31-0 (32 bits) rsse_monotonic BOOTROM / RSSe FW version monotonic counter
22 BOOTROM_CONFIG_13
7-0 (8 bits) oem active signing key2 Eight possible OEM public keys (OEM key revocation feature for OEM-FSBL authentication)
  • [1-256] -> [1-8]: Value of monotonic counter is X where X is position of the most significant bit at 1.
31-8 (24 bits) Reserved
23 H32ENCPRVKEY BOOTROM / Hash of E1CPvK
24 31-0 (32 bits) BOOTROM TZ EPOCH0 Secure side Epoch counter
25 31-0 (32 bits) BOOTROM TZ EPOCH1
26 31-0 (32 bits) BOOTROM TZ EPOCH2
27 31-0 (32 bits) BOOTROM TZ EPOCH3
28 31-0 (32 bits) BOOTROM TZ EPOCH4
29 31-0 (32 bits) BOOTROM TZ EPOCH5
30 31-0 (32 bits) BOOTROM TZ EPOCH6
31 31-0 (32 bits) BOOTROM TZ EPOCH7
32 31-0 (32 bits) BOOTROM NS EPOCH0 Non Secure Epoch counter
33 31-0 (32 bits) BOOTROM NS EPOCH1
34 31-0 (32 bits) BOOTROM NS EPOCH2
35 31-0 (32 bits) BOOTROM NS EPOCH3
36 31-0 (32 bits) BOOTROM NS EPOCH4
37 31-0 (32 bits) BOOTROM NS EPOCH5
38 31-0 (32 bits) BOOTROM NS EPOCH6
39 31-0 (32 bits) BOOTROM NS EPOCH7
40 to 100 Available for customer
101 ADAC_SOC_MASK Control the maximum debug level possible via ADAC
102 ID STM32MP21 Reference Manuals
103 CRC_HSM
104 CAL1 STM32MP21 Reference Manuals
105 Reserved
106 CAL3 STM32MP21 Reference Manuals
107 Reserved
108 CAL5 STM32MP21 Reference Manuals
109 Reserved
110 CAL7 STM32MP21 Reference Manuals
111 Reserved
112 ENGI1 Engineering
113 ENGI2 Engineering
114 ENGI3 Engineering
115 ENGI4 Engineering
116 ENGI5 Engineering
117 ENGI6 Engineering
118 ENGI7 Engineering
119 ENGI8 Engineering
120 ATRIM1 STM32MP21 Reference Manuals
121 ATRIM2 STM32MP21 Reference Manuals
122 ATRIM3 STM32MP21 Reference Manuals
123 ATRIM4 STM32MP21 Reference Manuals
124 HCONF1 STM32MP21 Reference Manuals
125 MREPAIR1
126 MREPAIR2
127 MREPAIR3
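
An added example, not ST or OpenSTLinux code: a host-side decoder for the security-relevant fields of the table above (words 11, 16, 17 and 18), with a short list of settings a production review would question. It assumes the raw 32-bit word values have already been read from the device and are passed as a dictionary keyed by OTP word number; function names are hypothetical and the sample values are constructed.

```python
# Added example (not ST code): decode the security-relevant lower OTP fields
# described in the table above. All word values below are constructed.

# Bit 0..7 of "boot source disable" (BOOTROM_CONFIG_2, bits 23-16).
BOOT_SOURCES = ["FMC", "QSPI NOR", "eMMC", "SD", "UART", "USB",
                "QSPI NAND", "QSPI HyperFlash"]


def field(word, msb, lsb):
    """Return bits msb..lsb (inclusive) of a 32-bit OTP word."""
    return (word >> lsb) & ((1 << (msb - lsb + 1)) - 1)


def active_key(counter):
    """Monotonic counter: X is the 1-based position of the most significant 1 bit."""
    return counter.bit_length()  # 0 means no key bit is programmed yet


def decode(otp):
    """otp: dict {OTP word number: 32-bit value}; missing words count as 0."""
    cfg2, cfg7 = otp.get(11, 0), otp.get(16, 0)
    cfg8, cfg9 = otp.get(17, 0), otp.get(18, 0)
    disabled = field(cfg2, 23, 16)
    return {
        "secure_boot_enforced": field(cfg9, 3, 0) != 0,   # CLOSED_LOCKED
        "rsse_prov_done": field(cfg9, 7, 4) != 0,
        "debug_lock": field(cfg9, 11, 8) != 0,
        "oem_key1_active": active_key(field(cfg8, 7, 0)),
        "oem_keys2_enabled": field(cfg8, 8, 8) == 1,
        "fsbl_decrypt": "SAES" if field(cfg7, 8, 8) else "CRYP",
        "emergency_debug_req": field(cfg7, 6, 6) == 1,
        "boot_on_confirmed_tamper": field(cfg2, 30, 30) == 0,
        "boot_sources_disabled": [name for bit, name in enumerate(BOOT_SOURCES)
                                  if (disabled >> bit) & 1],
    }


def findings(state):
    """Settings a production review would question, worded from the table."""
    notes = []
    if not state["secure_boot_enforced"]:
        notes.append("secure boot not enforced: FSBL authentication is not mandatory")
    if not state["debug_lock"]:
        notes.append("debug enabling is not locked")
    if state["fsbl_decrypt"] == "CRYP":
        notes.append("FSBL decryption uses CRYP: no DPA protection")
    if state["emergency_debug_req"]:
        notes.append("emergency debug is requested")
    if state["boot_on_confirmed_tamper"]:
        notes.append("device still boots on confirmed tamper")
    return notes


# Constructed sample: words 11, 16, 17 and 18 of a provisioned device.
SAMPLE = {11: 0x40300000, 16: 0x00000100, 17: 0x00000107, 18: 0x000000FF}

if __name__ == "__main__":
    state = decode(SAMPLE)
    for key, value in state.items():
        print(f"{key}: {value}")
    for note in findings(state):
        print("REVIEW:", note)
```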

1.2. Middle OTP region

For both TD flavors (A35-TD or M33-TD)
OTP word Name Description
128 STM32CERTIF0 STM32 chip certificate (public key)[key-formats 1]
129 STM32CERTIF1
130 STM32CERTIF2
131 STM32CERTIF3
132 STM32CERTIF4
133 STM32CERTIF5
134 STM32CERTIF6
135 STM32CERTIF7
136 STM32CERTIF8
137 STM32CERTIF9
138 STM32CERTIF10
139 STM32CERTIF11
140 STM32CERTIF12
141 STM32CERTIF13
142 STM32CERTIF14
143 STM32CERTIF15
144 STM32CERTIF16
145 STM32CERTIF17
146 STM32CERTIF18
147 STM32CERTIF19
148 STM32CERTIF20
149 STM32CERTIF21
150 STM32CERTIF22
151 STM32CERTIF23
152 OEM KEY1 ROT0 OEM Key1 Root of Trust Hash[key-formats 1][fsblm-keys 1]
153 OEM KEY1 ROT1
154 OEM KEY1 ROT2
155 OEM KEY1 ROT3
156 OEM KEY1 ROT4
157 OEM KEY1 ROT5
158 OEM KEY1 ROT6
159 OEM KEY1 ROT7
160 OEM KEY2 ROT0 OEM Key2 Root of Trust Hash[key-formats 1][fsblm-keys 1]
161 OEM KEY2 ROT1
162 OEM KEY2 ROT2
163 OEM KEY2 ROT3
164 OEM KEY2 ROT4
165 OEM KEY2 ROT5
166 OEM KEY2 ROT6
167 OEM KEY2 ROT7
168 STM32PUBKEY0 STM32 chip public key[key-formats 1]
169 STM32PUBKEY1
170 STM32PUBKEY2
171 STM32PUBKEY3
172 STM32PUBKEY4
173 STM32PUBKEY5
174 STM32PUBKEY6
175 STM32PUBKEY7
176 STM32PUBKEY8
177 STM32PUBKEY9
178 STM32PUBKEY10
179 STM32PUBKEY11


A35-TD flavor / M33-TD flavor
OTP word Name Description Name Description
180* RPROC-FW-PKH_0 Hash of the Public Key for remote processor firmware[key-formats 2] Available for customer
181* RPROC-FW-PKH_1 Available for customer
182* RPROC-FW-PKH_2 Available for customer
183* RPROC-FW-PKH_3 Available for customer
184* RPROC-FW-PKH_4 Available for customer
185* RPROC-FW-PKH_5 Available for customer
186* RPROC-FW-PKH_6 Available for customer
187* RPROC-FW-PKH_7 Available for customer
188* Available for customer FSBLM-M33-FW-PKH_0 Hash of the Public Key for M33TDCID M33 Firmware[key-formats 2]
189* Available for customer FSBLM-M33-FW-PKH_1
190* Available for customer FSBLM-M33-FW-PKH_2
191* Available for customer FSBLM-M33-FW-PKH_3
192* Available for customer FSBLM-M33-FW-PKH_4
193* Available for customer FSBLM-M33-FW-PKH_5
194* Available for customer FSBLM-M33-FW-PKH_6
195* Available for customer FSBLM-M33-FW-PKH_7
196* Available for customer FSBLM-DDR-FW-PKH_0 Hash of the Public Key for M33TDCID DDR Firmware[key-formats 2]
197* Available for customer FSBLM-DDR-FW-PKH_1
198* Available for customer FSBLM-DDR-FW-PKH_2
199* Available for customer FSBLM-DDR-FW-PKH_3
200* Available for customer FSBLM-DDR-FW-PKH_4
201* Available for customer FSBLM-DDR-FW-PKH_5
202* Available for customer FSBLM-DDR-FW-PKH_6
203* Available for customer FSBLM-DDR-FW-PKH_7
204* Available for customer FSBLM-A35-FW-PKH_0 Hash of the Public Key for M33TDCID A35 bare metal Firmware[key-formats 2]
205* Available for customer FSBLM-A35-FW-PKH_1
206* Available for customer FSBLM-A35-FW-PKH_2
207* Available for customer FSBLM-A35-FW-PKH_3
208* Available for customer FSBLM-A35-FW-PKH_4
209* Available for customer FSBLM-A35-FW-PKH_5
210* Available for customer FSBLM-A35-FW-PKH_6
211* Available for customer FSBLM-A35-FW-PKH_7
212 to 237 Available for customer

* For OTP words 180 to 211: in the reference manual, these OTP words are available for the customer, but they are used by the OpenSTLinux distribution.


For both TD flavors (A35-TD or M33-TD)
OTP word Name Description
238* OEM ADAC ROTPK HASH0 OEM ADAC key Root of Trust Hash
239* OEM ADAC ROTPK HASH1
240* OEM ADAC ROTPK HASH2
241* OEM ADAC ROTPK HASH3
242* OEM ADAC ROTPK HASH4
243* OEM ADAC ROTPK HASH5
244* OEM ADAC ROTPK HASH6
245* OEM ADAC ROTPK HASH7
246* ST_BOARD_ID Identifier for ST boards (or available to customer for their own board)
247* MAC_ADDR_0 MAC address[coding 1]
248* MAC_ADDR_1
249* MAC_ADDR_2
250* MAC_ADDR_3
251* MAC_ADDR_4
252* MAC_ADDR_5
253 MAC_ADDR_6
254* MAC_ADDR_7
255 ST_RSSE_EDMK_DERIV_CSTE_FUSE (SoC dependent) ST Encryption Decryption Master Key Derivation constant

* For OTP words 238 to 254: in the reference manual, these OTP words are available for the customer, but they are used by the OpenSTLinux distribution.

1.3. Upper OTP region

For both TD flavors (A35-TD or M33-TD)
OTP word Name Description
256* OTP_RMA_LOCK_PSWD0 RMA lock password (128 bit)
257* OTP_RMA_LOCK_PSWD1
258* OTP_RMA_LOCK_PSWD2
259* OTP_RMA_LOCK_PSWD3
260** FIP-EDMK0 FIP encryption decryption master key (256-bit)
261** FIP-EDMK1
262** FIP-EDMK2
263** FIP-EDMK3
264** FIP-EDMK4
265** FIP-EDMK5
266** FIP-EDMK6
267** FIP-EDMK7
268 to 323 OEM Secrets available for customer

* For OTP words 256 to 259: SoC dependent, to be filled by the customer. They are protected by the hardware so they cannot be read back. These OTP words must be locked after provisioning.
** For OTP words 260 to 267: in the reference manual, these OTP words are available for the customer, but they are used by the OpenSTLinux distribution.


A35-TD flavor / M33-TD flavor
OTP word Name Description Name Description
324* Available for customer BL2_ASYM_PRVK_KEY0 BL2 Asymmetric private key for encryption
325* Available for customer BL2_ASYM_PRVK_KEY0
326* Available for customer BL2_ASYM_PRVK_KEY2
327* Available for customer BL2_ASYM_PRVK_KEY3
328* Available for customer BL2_ASYM_PRVK_KEY4
329* Available for customer BL2_ASYM_PRVK_KEY5
330* Available for customer BL2_ASYM_PRVK_KEY6
331* Available for customer BL2_ASYM_PRVK_KEY7
332* RPROC-FW-ENC-KEY0 Encryption/Decryption Key for remote processor firmware Available for customer
333* RPROC-FW-ENC-KEY1 Available for customer
334* RPROC-FW-ENC-KEY2 Available for customer
335* RPROC-FW-ENC-KEY3 Available for customer
336* RPROC-FW-ENC-KEY4 Available for customer
337* RPROC-FW-ENC-KEY5 Available for customer
338* RPROC-FW-ENC-KEY6 Available for customer
339* RPROC-FW-ENC-KEY7 Available for customer

* For OTP words 324 to 339: in the reference manual, these OTP words are available for the customer, but they are used by the OpenSTLinux distribution.


For both TD flavors (A35-TD or M33-TD)
OTP word Name Description
340* TF-M IAK0 Initial attestation 256-bit key (Symmetric or Asymmetric key)
341* TF-M IAK1
342* TF-M IAK2
343* TF-M IAK3
344* TF-M IAK4
345* TF-M IAK5
346* TF-M IAK6
347* TF-M IAK7
348** OEM KEY2 EDMK0 OEM master key used to derive FSBLM decryption key[key-formats 1][fsblm-keys 1]
349** OEM KEY2 EDMK1
350** OEM KEY2 EDMK2
351** OEM KEY2 EDMK3
352** OEM KEY2 EDMK4
353** OEM KEY2 EDMK5
354** OEM KEY2 EDMK6
355** OEM KEY2 EDMK7
356** OEM KEY1 EDMK0 OEM master key used to derive FSBLA or M decryption key[key-formats 1]
357** OEM KEY1 EDMK1
358** OEM KEY1 EDMK2
359** OEM KEY1 EDMK3
360** OEM KEY1 EDMK4
361** OEM KEY1 EDMK5
362** OEM KEY1 EDMK6
363** OEM KEY1 EDMK7
364 STM32PRVKEY0 STM32 ECC chip private key
365 STM32PRVKEY1
366 STM32PRVKEY2
367 STM32PRVKEY3
368 STM32PRVKEY4
369 STM32PRVKEY5
370 STM32PRVKEY6
371 STM32PRVKEY7
372 STM32PRVKEY8
373 STM32PRVKEY9
374 STM32PRVKEY10
375 STM32PRVKEY11
376 HWKEY0 Secret hardware unique key
377 HWKEY1
378 HWKEY2
379 HWKEY3
380 HWKEY4
381 HWKEY5
382 HWKEY6
383 HWKEY7

* For OTP words 340 to 347: in the reference manual, these OTP words are available for the customer, but they are used by the OpenSTLinux distribution.
** For OTP words 348 to 363: reserved for the BootROM, to be filled by the customer. They are protected by the hardware so they cannot be read back. These OTP words must be locked after provisioning.

2. References

2.1. Key storage in OTP

A key is represented as a byte string stored in consecutive OTP words.

For example, a 64-bit key (0xAABBCCDDEEFF5566) is stored into two consecutive OTP words KEY0 and KEY1.

A key is stored in OTP words using one of the following formats:

  1. [key-formats 1]
    KEY0 = 0xAABBCCDD, KEY1 = 0xEEFF5566
  2. [key-formats 2]
    KEY0 = 0xDDCCBBAA, KEY1 = 0x6655FFEE

2.2. MAC address


  1. [coding 1] MAC addresses are stored as a list of octets using the following coding convention:
    • OTP 247: mac_addr_1[4 first octets]
    • OTP 248: mac_addr_2[2 first octets] | mac_addr_1[2 last octets]
    • OTP 249: mac_addr_2[4 last octets]
    • OTP 250: mac_addr_3[4 first octets]
    • ...
    Example: 247 = 0xE37AE710 / 248 = 0xE710F495 / 249 = 0xF595E37A
    • mac_addr1 : 10:E7:7A:E3:95:F4
    • mac_addr2 : 10:E7:7A:E3:95:F5
    • ...
    In U-Boot, each MAC address is associated with an Ethernet device through its alias in the device tree: ethernet0, ethernet1, ...
    On the STM32MP257F-EV1 Evaluation board, ETH2 uses the first MAC address (ethernet0 = &eth2) and ETH1 uses the second MAC address (ethernet1 = &eth1).
    On the STM32MP257F-DK Discovery kit, ETH1 uses the first MAC address (ethernet0 = &eth1).
    In the default mapping, MAC 3, 4 and 5 are assigned to the TSN switch (depending on product version).
    An unused MAC address (for example when TSN is not used) should be set to FF:FF:FF:FF:FF:FF to avoid the "invalid MAC address" trace in U-Boot.
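
The two key formats of section 2.1 and the MAC coding of section 2.2, as an added example (not ST or U-Boot code): format 1 puts the first key byte in the most significant byte of each word, format 2 puts it in the least significant byte, and the MAC example above turns out to be a format-2 byte stream cut into 6-octet addresses. Function names are hypothetical, the sample words come from the page's own examples, and the "unprogrammed" status assumes a blank OTP word reads as 0.

```python
import struct

# Format 1: first key byte lands in bits 31-24 of the word (big-endian).
# Format 2: first key byte lands in bits 7-0 of the word (little-endian).
ORDER = {1: ">", 2: "<"}


def key_to_words(key, fmt):
    """Pack a byte string into consecutive 32-bit OTP words (KEY0, KEY1, ...)."""
    if len(key) % 4:
        raise ValueError("key length must be a multiple of 4 bytes")
    return list(struct.unpack(f"{ORDER[fmt]}{len(key) // 4}I", key))


def words_to_key(words, fmt):
    """Inverse of key_to_words: rebuild the byte string from OTP words."""
    return struct.pack(f"{ORDER[fmt]}{len(words)}I", *words)


def decode_macs(words):
    """Decode MAC_ADDR_x words (OTP 247 upward) into (address, status) pairs.

    The words are read as one format-2 byte stream and cut every 6 octets,
    so an address may straddle two OTP words. Trailing octets that do not
    fill a whole address are ignored.
    """
    stream = words_to_key(words, 2)
    macs = []
    for off in range(0, len(stream) - 5, 6):
        octets = stream[off:off + 6]
        if octets == b"\xff" * 6:
            status = "unused"        # value the page recommends for unused slots
        elif octets == b"\x00" * 6:
            status = "unprogrammed"  # assumption: blank OTP reads as 0
        else:
            status = "set"
        macs.append((":".join(f"{b:02X}" for b in octets), status))
    return macs


# Values taken from the examples in sections 2.1 and 2.2.
KEY = bytes.fromhex("AABBCCDDEEFF5566")
MAC_WORDS = [0xE37AE710, 0xE710F495, 0xF595E37A]

if __name__ == "__main__":
    for fmt in (1, 2):
        print(fmt, [f"0x{w:08X}" for w in key_to_words(KEY, fmt)])
    for mac, status in decode_macs(MAC_WORDS):
        print(mac, status)
```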

2.3. FSBL-M keys

  1. [fsblm-keys 1]
    By default, STM32MP21x lines use OEM_KEY1_ROT and OEM_KEY1_EDMK for FSBLA and FSBLM. To use the dedicated FSBLM keys (OEM_KEY2_ROT and OEM_KEY2_EDMK), you must program bit 8 of OTP17.