ADSP-2141LKS-N1 ,DSPFEATURES APIDES CRYPTO BLOCK Includes Chained and Parallel Execution Commands640 Mbps Sustained Per ..
ADSP-2161 ,DSP Microcomputers With ROMFEATURESARITHMETIC UNITSSERIAL PORTS TIMER25 MIPS, 40 ns Maximum Instruction Rate (5 V)ALU MAC SHIF ..
ADSP-2163 ,DSP Microcomputers With ROMOVERVIEW . . . . . . . . . . . . . . . . . . . . 3TIMING NOTES . . . . . . . . . . . . . . . . . . ..
ADSP-2164 ,DSP Microcomputers With ROMFeaturesFeature 2161 2162 2163 2164 2165 2166Data Memory (RAM) 1/2K 1/2K 1/2K 1/2K 4K 4KProgram Mem ..
ADSP-2164 ,DSP Microcomputers With ROMaDSP Microcomputers with ROMADSP-216xSUMMARY FUNCTIONAL BLOCK DIAGRAM16-Bit Fixed-Point DSP Micropr ..
ADSP-2166 ,DSP Microcomputers With ROMOVERVIEWDevelopment ToolsFigure 1 shows a block diagram of the ADSP-216x architecture.The ADSP-216x ..
AM2336N , N-Channel 30-V (D-S) MOSFET
AM2336N , N-Channel 30-V (D-S) MOSFET
AM2361P , P-Channel 60-V (D-S) MOSFET
AM2361P , P-Channel 60-V (D-S) MOSFET
AM2370N , N-Channel 100V (D-S) MOSFET
AM2370N , N-Channel 100V (D-S) MOSFET
ADSP-2141L-KS-N1-ADSP-2141LKS-N1
DSP
REV. 0
DSP
APPLICATIONS
Security Coprocessor for High Speed Networking Prod-
ucts (Routers, Switches, Hubs)
Cryptographic Core for Firewalls, Hardware Encryptors,
and More
Crypto Peripheral for Implementing Secure NIC Adapt-
ers (10/100 Ethernet, Token Ring, ISDN)
Secure Modem-on-a-Chip (V.34, ADSL)
FEATURES
DES CRYPTO BLOCK
640 Mbps Sustained Performance—Single DES
214 Mbps Sustained Performance—Triple DES
Supports All Modes: ECB; CBC; 64-Bit OFB; and 1-, 8-,
64-Bit CFB. Includes Automatic Padding
Implements IPsec ESP Transforms Autonomously at
OC-3 (155 Mbps) Rates (3-DES, SHA-1)
HASH BLOCK
Hardware-Based SHA-1 and MD-5 Hashing
253 Mbps Sustained Performance—SHA-1
315 Mbps Sustained Performance—MD-5
Implements IPsec AH and HMAC Transforms
SECURE KERNEL CONTROL
Tamper-Resistant Isolation of Cryptographic Functions
Enforces Security Perimeter Around Crypto Functions
and Crypto Storage Locations
Anticloning Protection
Secure Algorithm Download
SafeNet CGX LIBRARY
On-Chip SafeNet CGX Crypto Library with Flexible CGX
API
Includes Chained and Parallel Execution Commands
Such as Hash-and-Encrypt
Embodied as 32K Words (32K 3 24) Kernel Program
Mask-Programmed into On-Chip ROM
On-Chip Protected 4K 3 16 Security Scratchpad RAM
RANDOM NUMBER GENERATOR
Hardware-Based Nondeterministic Random Number
Generator
Generates Internal Session Keys That Are Never
Exposed Outside of the SafeNet DSP
Redundant Fail-Safe Design
Up to 1.3 Mbits of Random Data Available per Second
FUNCTIONAL BLOCK DIAGRAM
BUS_MODEINTERRUPTS
FLAGS
SPORT 0
SERIAL
PORTS
SPORT 1
26-BITS
ADDR
RAM/ROMPF7/INT_H
BUSSafeNet is a registered trademark of Information Resource Engineering (IRE).
ADSP-2141L
PUBLIC KEY ACCELERATOR
Accelerator for Math-Intensive Public Key Operations
Diffie-Hellman Negotiate: <29 ms (1024-Bit Modulus,
180-Bit Exponent)
RSA 1024-Bit Sign: <29 ms; RSA 1024-Bit Verify: 6 ms
DSA Sign: <39 ms; DSA Verify: <66 ms
KEY MANAGEMENT BLOCK
Laser-Programmed Unique Triple-DES Cryptovariable
Protects Off-Chip Storage
Support for Secure Storage of Both Secret Keys and
Public/Private Key Pairs
Trust-Model Rules Enforcement
Only Encrypted Keys May Be Exported Off the Chip
Internal Key Cache for 15 Keys—Can Be Expanded to
700Keys On-Chip
Keys May Also Be Securely Stored Off-Chip, Allowing
Unlimited Storage
DSP CORE
40 MIPS Sustained Performance
Single-Cycle Instruction Execution
Single-Cycle Context Switch
Zero-Overhead Looping
Low Power Dissipation
16K Words (16K 3 24) On-Chip Program RAM
16K Words (16K 3 16) On-Chip Data RAM
64M Words Off-Chip Program and Data Memory
Programmable 16-Bit Interval Timer with Prescale
PCI BUS/CARDBUS INTERFACE
32-Bit 3.3 V Bus Interface MHz or 40 MHz* Bus Speed
Bus Master and Target Modes
Can Directly DMA Between Crypto Functions and Other
PCI Bus Agents*66 MHz speed pending chip characterization.
GENERAL DESCRIPTIONThe ADSP-2141L SafeNet DSP is a highly integrated embedded
security processor that incorporates a sophisticated, general
purpose DSP, along with a number of highperformance Cryp-
tographic function blocks, as well as PCI, DMA and Serial
EEPROM interfaces. It is fabricated in 0.35m CMOS triple-
layer metal technology and uses a 3.3 V power supply. It is
available in a 208-lead MQFP package with a commercial (0°C
to 70°C) temperature range.
DSP CoreThe DSP is a standard Analog Devices ADSP-218x core with
full ADSP-2100 family compatibility. The ADSP-218x Core
combines the base DSP components from the ADSP-2100
family with the addition of two serial ports, a 16-bit internal
DMA port, a byte DMA port, a programmable timer, Flag I/O,
extensive interrupt capabilities, and on-chip program and data
memory. The external memory interface of the 218x core has
been extended to support up to 64M-words addressing for both
program and data memory. Some core enhancements have been
added in the ADSP-2141L, including on-chip security ROM
and interrupt functions. Refer to the Analog Devices ADSP-2183
data sheet for further information.
SafeNet CGX Library–Secure KernelThe SafeNet CGX Library is a crypto library embodied as firm-
ware (a secure kernel) that is mask-programmed into ROM within
the DSP. This solution protects the library from tampering. The
CGX Library provides the Application Programming Interface
(API) to applications that require security services from the
ADSP-2141L. Those applications may be software executing in
user mode on the DSP, or they may be external host software
accessing the ADSP-2141L via a PCI bus. Approximately 40
Crypto commands—called CGX (CryptoGraphic eXtensions)—
are provided at the API and a simple control block structure is
used to pass arguments into the secure kernel and return status.
The CGX library includes integrated drivers for the various
hardware crypto blocks on the chip. This allows the program-
mer to ignore those details and concentrate on other product
design issues.
The CGX library firmware runs under a protected mode state
of the DSP as described in the Kernel Mode Control section
following. This guarantees the security integrity of the system
during the execution of CGX processes and, for example, prevents
disclosure of cryptographic key data or tampering with a
security operation.
Kernel Mode ControlThe Kernel Mode Control subsystem is responsible for enforcing
the security perimeter around the cryptographic functions of
the ADSP-2141L. The device may operate in either user mode
(kernel space is not accessible) or kernel mode (kernel space is
accessible) at a given time. When in kernel mode, the kernel RAM
and certain protected crypto registers and functions (kernel
space) are accessible only to the CGX library firmware. The
CGX Library executes host-requested macro-level functions
and then returns control to the calling application. The kernel
mode control subsystem resets the DSP should any security
violation occur, such as attempting to access a protected
Protected Kernel RAMThe 4K · 16 kernel RAM provides a secure storage area on the
ADSP-2141L for sensitive data such as keys or intermediate
calculations during public key operations. The Kernel Mode
Control subsystem (above) enforces the protection by allowing
only internal secure kernel mode access to this RAM. A public
keyset and a cache of up to 15 secret keys may be stored in kernel
RAM. Secure key storage may be expanded to 700 secret keys
by assigning segments of the DSP’s internal data RAM to be
protected. Furthermore, a virtually unlimited number of data
encryption keys may be stored in an encrypted form in off-chip
memory.
Encrypt BlockThe encrypt block performs highspeed DES and Triple-DES
encrypt/decrypt operations. All four standard modes of DES are
supported: Electronic Code Book (ECB), Cipher Block Chaining
(CBC), 64-bit Output Feedback (OFB) and 1-bit, 8-bit and 64-
bit Cipher Feedback (CFB). The DES encrypt/decrypt operations
are highly pipelined and execute full 16-round DES in only four
clock cycles. Hardware support for padding insertion, verification
and removal further accelerates the encryption operation. Con-
text switching is provided to minimize the overhead of changing
crypto keys and Initialization Vectors (IVs) to nearly zero.
Hash BlockThe secure hash block is tightly coupled with the encrypt block
and provides hardware accelerated one-way hash functions.
Both the MD-5 and SHA-1 algorithms are supported. Combined
operations that chain both hashing and encrypt/decrypt functions
are provided in order to significantly reduce the processing time
for data that needs both operations applied. For hash-then-encrypt
and hash-then-decrypt operations, the ADSP-2141L can perform
parallel execution of both functions from the same source and
destination buffers. For encrypt-then-hash and decrypt-then-hash
operations, the processing must be sequential, but minimum
latency is still provided through the pipeline chaining design. An
offset may be specified between the start of hashing and the
start of encryption to support certain protocols such as IPsec. A
‘mutable bit handler’ is also provided on the hash engine to
facilitate IPsec AH processing.
Random Number Generator (RNG) BlockThe hardware random number generator provides a true, non-
deterministic noise source for the purpose of generating keys,
Initialization Vectors (IVs), and other random number require-
ments. Random numbers are provided as 16-bit words to the
kernel. The CGX kernel requests random numbers as needed to
perform requested CGX commands such as CGX_Gen_Key,
and can also directly supply from 1 to 65,535 random bytes to a
host application via the CGX_Random command.
Public Key AcceleratorThe public key accelerator module works in concert with the
CGX kernel firmware to provide full public key services to the
host application. The kernel provides macro-level functions to
perform Diffie-Hellman key agreement, RSA encrypt or decrypt,
DSA compute and verify digital signatures. The hardware accel-
erator block speeds computation-intensive operations such as
large vector multiply, add, subtract, square.
PCI/Cardbus InterfaceA full 40 MHz/33 MHz PCI bus interface has been added to the
core DSP functions. The 32-bit PCI interface supports both bus
master and target modes. The ADSP-2141L is capable of using
DMA to directly access data on other PCI entities and pass that
data through its encryption/hash engines.
32-Bit DMA ControllerThe ADSP-2141L incorporates a highperformance 32-bit DMA
controller which can be set up to move data efficiently between
Host PCI memory, the hash/encrypt blocks, and/or external
memory. The DMA controller can be used with the PCI bus in
master mode, thus autonomously moving 32-bit data with mini-
mal DSP intervention. Up to 255 long words (1020 bytes) can
be moved in a burst at up to 160Mbytes per second.
Application RegistersThe application registers are a set of memory-mapped registers
that facilitate communications between the ADSP-2141L and a
host processor via the PCI bus. One of the registers is a mailbox
that is 44 bytes long and set up to hold the CGX command
structure passed between the host and DSP processors. The
application registers also provide the mechanism that allows the
DSP and the external host to negotiate ownership of the hash/
encrypt block.
Serial EEPROM InterfaceThe serial EEPROM interface allows an external nonvolatile
memory to be connected to the ADSP-2141L for storing PCI
configuration information (Plug and Play), as well as general-
purpose nonvolatile storage. For example, encrypted (black)
keys could be stored into EEPROM for fast recovery after a
power outage.
Interrupt ControllerThe DSP core provides support for 14 interrupt sources, includ-
ing six external and eight internal. All interrupts are prioritized
into 12 levels and interrupt nesting may be enabled or disabled
under software control. The security block interrupt controller
provides enhancements to the DSP interrupt functions.
Primarily, the interrupt controller provides a new interrupt
generation capability to the DSP or to an external host processor.
Under programmable configuration control, a crypto interrupt
may be generated due to completion of certain operations such
as encrypt complete, hash complete. The interrupt may either
be directed at the DSP core (on IRQ2), or provided on an out-
put line (PF7/INT_H) to a host subsystem.
Laser Variable StorageThe laser variable storage consists of 256 bits of tamper-proof
factory-programmed data that is only accessible to the internal
function blocks and the security kernel. Included in these laser
variable bits are:Local Storage Variable (master key-encryption key)Randomizer Seed (to supplement the true entropy fed into
the RNG)Program Control Data (enables/disables various features and
configures the ADSP-2141L)CRC of the Laser Data (to verify laser data integrity).
ADSP-2141LThe Program Control Data Bits (PCDBs) include configuration
for permitted key lengths, algorithm enables, Red KEK loading.
Most of the PCDB settings may be overridden with a digitally
signed token which may be loaded into the ADSP-2141L when
it boots. These tokens are created by IRE and each is targeted to
a specific ADSP-2141L using a hash of its unique identity.
Downloadable Secure CodeThe ADSP-2141L allows additional security functions to be added
to the device through a secure download feature. Up to 16K
words of code may be downloaded into internal memory within
the DSP and this code can be given the security privileges of the
CGX kernel firmware. All downloaded firmware is authenticated
with a digital signature and verified with an on-chip public key.
Additional functions could include new encryption, hash or
public key algorithms such as IDEA, RC-4, RIPEMD, elliptic
curve, or any other application that needs direct control over the
protected cryptographic hardware.
0x3FFF
0x2000
PMOVLAYL = LS NIBBLE OF PMOVLAY
PMOVLAYH = MS 3 NIBBLES OF PMOVLAYFigure 1.Program Memory (MMAP = 0)
0x3FFF
0x2000
PMOVLAYL = LS NIBBLE OF PMOVLAY
PMOVLAYH = MS 3 NIBBLES OF PMOVLAYFigure 2.Program Memory (MMAP = 1)
0x1FFF
0x1800
0x17FF
0x1000
0x0FFF
0x0000Figure 3.Data Memory
ARCHITECTURE OVERVIEWThis section provides an architecture-level description of the
unique function blocks within the ADSP-2141L.
Memory MapThe ADSP-2141L memory map is very similar to that of the
ADSP-2183 DSP, except that it includes significantly more off-
chip memory addressing, and has additional crypto registers
which are accessible to the user.
DSP CoreThe DSP core is architecturally identical to the ADSP-218x
with a few exceptions.The memory map includes additional external memory
addressing through the PMOVLAY and DMOVLAY mecha-
nisms. For more information, see the Memory Map section.Additional memory-mapped crypto registers are available in
the kernel data RAM space.The PF7/INT_H flag pin may be reassigned to be the host
interrupt output.
IRQ2 now can include interrupt sources from the cryptosubsystem, depending on interrupt mask registers.A new read register has been added to indicate the state of
interrupt enable and interrupt masks.The kernel mode control subsystem has been added to super-
vise the protected mode of operation of the DSP core.Internal RAM protection logic has been added to allow the
kernel to seize increments of 1K word of internal PRAM and
DRAM.Bus mode configuration (218x vs. PCI) pins have been added.32K words of kernel program ROM have been added to the
DSP memory space. (See the Memory Map section.)
Kernel Mode ControlThe kernel mode control subsystem provides the following
functions which serve to enforce the security integrity of the
ADSP-2141L:Provide a means to securely enter the kernel mode.Provide a means to properly exit the kernel mode.Prevent user mode access to protected memory and register
locations.Manage interrupts during kernel mode executions.Manage the reset function to ensure that sensitive variables
in DSP registers are erased.
Most of the kernel mode control functions are implemented in
the hardware of the ADSP-2141L and are not directly visible to
nonkernel applications (user mode). Any attempt by a user
mode application program running on the DSP to access a
kernel space addresses (PRAM 0x2001 – 0x3FFF, PMOVLAY
000C – 000F; or DRAM 0x0000 – 0x17FF, DMOVLAY 000F)
results in an immediate chip reset and all sensitive registers and
memory locations are erased. Kernel mode may only be entered
via a call, jump or increment to address 0x2000 with PMOVLAY
set to 0x000F. Once in kernel mode, any branch to nonkernel
space program memory causes the DSP to return to user mode.
(Note: For security reasons when in kernel mode, the DSP does
not respond to Emulator bus requests.)
The kernel mode can be interrupted during execution; however,
during certain periods where sensitive data is being moved, all
interrupts are disabled. Within the interrupt service routine,
another call to the kernel (CGX call) may be made if desired,
although there are limitations on which CGX commands may
preempt another. (For information, see the ADSP-2141L CGX
Interface Programmer’s Guide http://www.ire-ma.com/proddoc.htm.)
Only one level of kernel mode nesting is permitted. An interrupt
to a user mode vector location while in nested kernel mode will
also trigger the violation reset logic.
Once the interrupt service routine is finished, the return-from-
interrupt must return control back to the kernel at the address/
overlay that was originally interrupted, otherwise the protection
logic will issue a chip reset.
Hash and Encrypt Block OverviewThe encrypt block is tightly coupled to the hash block in the
ADSP-2141L and therefore the two are discussed together.
Refer to Figure 4, Hash/Encrypt Functional Block Diagram, for
the following description.
The algorithms implemented in the combined hash and encryp-
tion block are: DES, Triple DES, MD-5 and SHA-1. Data can
be transferred to and from the module once to perform both
hashing and encryption on the same data stream. The DES
encrypt/decrypt operations are highly paralleled and pipelined,
and execute full 16-round DES in only four clock cycles. The
internal data flow and buffering allows parallel execution of
hashing and encryption where possible, and allows processing of
data concurrently with I/O of previous and subsequent blocks.
DSP
PCI
OUTPUT
BUS
REGISTER
ADDRESS
DSP
PCI
16-/32-BIT
INPUT
BUS
ADSP-2141LContext switching is optimized to minimize the overhead of
changing cryptographic keys to near zero.
The software interface to the module consists of a set of
memory-mapped registers, all of which are visible to the DSP and
most of which can be enabled for host access via the PCI bus. A
set of five, 16-bit registers define the operation to be performed,
the length of the data buffer to be processed, in bytes, the offset
between the start of hashing and encryption (or vice versa), and
the padding operation. If the data length is unknown at the time
the encrypt/decrypt operation is started, the data length register
may be set to zero, which specifies special handling. In this case,
data may be passed to the hash/encrypt block indefinitely until
the end of data is encountered. At that time, the operation is
terminated by writing a new control word to the hash/encrypt
control register (either to process the next packet or to invoke
the idle state if there is no further work to do). This will close
out the processing for the packet, including the addition of the
selected crypto padding.
A set of seven status registers provides information on when a
new operation can be started, when there is space available to
accept new data, when there is data available to be read out, and
the results from the padding operation.
Crypto ContextsThere are two sets of crypto-context registers. Each context
contains a DES or triple DES key, initialization vector, and
precomputed hashes (inner and outer) of the authentication key
for HMAC operations. The contexts also contain registers to
reload the byte count from a previous operation (which is part
of the hashing context), as well as an IV (also called salt) for
decrypting a black key, if necessary.
Once a crypto-context has been loaded and the operation
defined, data is processed by writing it to a data input FIFO. At
the I/O interface, data is always written to, or read from, the
same address. Internally, the hash and encryption functions
have separate 512-bit FIFOs, each with their own FIFO man-
agement pointers. Incoming data is automatically routed to one
or both of these FIFOs, depending on the operation in progress.
Output from the encryption block is read from the data output
FIFO. In encrypt-hash or decrypt-hash operations, the data is
also automatically passed to the hashing data input FIFO. Output
from the hash function is always read from the digest register of
the appropriate crypto-context.
The initialization vector to be used for a crypto operation can be
loaded as part of a crypto-context. When an operation is complete,
the same context will contain the resulting IV produced at the
end, which can be saved away and restored later to continue the
operation with more data.
In certain packet-based applications such as IPsec, a feature is
available that avoids the need for the control software to generate
and load random IVs for outgoing (encrypted) packets. Effec-
tively, the IV register can be configured to be automatically
updated with new random numbers for each encrypted packet,
with almost no software intervention.
PaddingWhen the input data is not a multiple of eight bytes (a 64-bit
with trailing pad length and next header byte (for IPsec), or
fixed character padding. Note that for the IPsec and PKCS#7
pad protocols, there are cases where the padding not only fills
out the last 8-byte block, but also causes an additional 8-byte
block of padding to be added.
For the hash operations, padding is automatically added as
specified in the MD-5 and SHA-1 standards. When the hash
final command is issued indicating the last of the input data, the
algorithm-specified padding and data count bits are added to the
end of the hash input buffer prior to computing the hash.
Data OffsetsCertain security protocols, including IPsec, require portions of a
data packet to be hashed while the remainder of the data is both
hashed and encrypted. The ADSP-2141L supports this require-
ment through the OFFSET register, which allows specifying the
number of 32-bit dwords of offset between the hash and encrypt/
decrypt operations.
Black Key LoadsThe cryptographic keys loaded as part of a crypto-context can
be stored off-chip in a black, or encrypted, form. If the appropri-
ate control bit is set (HECNTL Bit 15), the DES or 3-DES key
will be decrypted immediately after it is written into the context
register. The hardware handles this decryption automatically.
The Key Encryption Key (KEK) that covers the black keys
is loaded in a dedicated write-only KEK register within the
ADSP-2141L. The IV for decrypting the black secret key is
called ‘salt’ and must be stored along with the black key (as part
of the context). Note that 3-DES CBC mode is used for pro-
tecting 3-DES black keys and single DES CBC is used for
single DES black keys.
When black keys are used, the key-decrypt operation adds a
6-cycle overhead (0.15 ms @ 40 MHz) for DES keys or 36-cycle
overhead (0.9 ms @ 40 MHz) for triple DES keys each time a
new crypto-context is loaded. (Note that if the same context is
used for more than one packet operation, the key decryption does
not need to be performed again.) Depending on the sequencing
of operations, this key decryption may in fact be hidden (from a
performance impact perspective) if other operations are underway.
This is because the black key decryption process only requires
that the DES hardware be available. For example, if the DSP is
reading the previous hash result from the output FIFO, the
black key decryption can be going on in parallel. Also note that
the data driver firmware does NOT have to wait for the key to
be decrypted before writing data to the input FIFO. The hard-
ware automatically waits for the key to be decrypted before
beginning to process data for a given packet. So, with efficient
pipeline programming, it is possible to make the impact of black
key essentially zero.
The KEK for key decryption is loaded via the secure kernel
firmware using one of the CGX key manipulation commands.
(For more information, see the Command Summary section.)
This KEK is typically the same for all black keys, since it is usually
protecting local storage only. It is designated the DKEK in the
CGX API.
One of the laser-programmed configuration bits specifies whether
red (plaintext) keys are allowed to be loaded into the ADSP-
If the AllowRedKeyLoad bit is set, keys may be loaded either in
their black form, or in the red or unencrypted form. Note that
the laser configuration bit may be overridden with a signed
enabler token. (For more information, see the Laser Variable
Storage section.)
Depending on the definition of the security module boundary in
a given application, FIPS 140-1 may require the use of black
keys to protect key material. In other words, if the security
boundary does not enclose the database where keys are stored,
those keys must be protected from compromise. Black key is a
satisfactory way to meet this FIPS requirement.
Random Number Generator (RNG) BlockThe random number generator is designed to provide highly
random, nondeterministic binary numbers at a high delivery rate
with little software intervention. The random numbers are acces-
sible to the kernel firmware in a 16-bit register that may be read
by the DSP in kernel mode. Once the register is read, the RNG
immediately generates a new 16-bit value that is available within
12 microseconds.
All application-level access to random numbers should occur
through the Kernels CGX_RANDOM command (see the
Command Summary section).
The random number generator is designed using a “shot noise”
true entropy source which is sampled by the master 40 MHz
clock of the ADSP-2141L. The entropy source then feeds a
complex nonlinear combinatorial circuit that produces the final
RNG output based on the interaction of the entropy source and
the 40 MHz system clock. Over 200 stages of Linear Feedback
Shift Register (LFSR) are incorporated into the RNG design.
In order to facilitate FIPS 140-1 compliance, an option may be
selected during CGX kernel initialization to enable an ANSI
X9.17 Annex C post-randomizer to be applied to the output of
the RNG. This randomizer applies the DES ECB algorithm
multiple times to further disperse and whiten the random source.
Although this is not necessary to ensure the quality of the random
numbers, it meets the criteria for a NIST-approved random num-
ber generation algorithm.
Public Key Accelerator (PKAC)The public key arithmetic coprocessor (otherwise known as a
BigNum processor) is designed to support long vector calcula-
tions of the kind needed to perform RSA, Diffie-Hellman and
Elliptic Curve operations.
The PKAC can perform multiplication, squaring, addition and
subtraction on arbitrary length bit vectors. The CGX software is
responsible for setting the address register for the operands and
result, as well as specifying the length and operation type. Once
the operation type field is written, the processor polls the opera-
tion complete status while the calculation is carried out.
The PKAC utilizes the protected kernel RAM for input, output
and intermediate variable storage. It may only be accessed from
the secure kernel mode. Since public key computations typically
take many milliseconds to complete, they may be preempted
using a DSP interrupt.
Most application interaction with the public key accelerator will
occur via the CGX software interface (see the Command Inter-
face section). Both highlevel public key operations such as RSA
Sign or Create Diffie-Hellman Key, as well as primitive operations
such as Multiply Vector, Add Long Vector, etc., are presented
via the CGX interface.
PCI/Cardbus InterfaceThe ADSP-2141L appears as a target on the PCI Bus as a single
contiguous memory space of 128k bytes. In this memory space,
the host can access the following:The unprotected internal crypto registers of the ADSP-2141LIDMA access to the DSP’s internal program memory (PM)
and data memory (DM)Paged access to external memory connected to the
ADSP-2141LThe Kernel RAM (KRAM) if it has been unprotected by an
extended mode program
As a PCI Master, the ADSP-2141L can transfer data between:The unprotected internal crypto registers and FIFOs of the
ADSP-2141L and PCI Host memoryExternal memory and PCI Host memory
A 32-bit DMA engine within the ADSP-2141L facilitates these
transfers and permits full PCI bandwidth use.
Serial EEPROM InterfaceThe serial EEPROM interface allows the ADSP-2141L to auto-
matically read the PCI configuration parameters at chip power-up.
IRE can provide the data content for the EEPROM to properly
set the chip device vendor ID, type and properties for full com-
pliance with the PCI Plug and Play standards.
In addition to being used for storage of host bus parameters, any
extra space in the EEPROM may be accessed by the DSP, either
in user mode or kernel mode. Support for this function is not
included in the standard CGX command set. Refer to the
ADSP-2141 User’s Manual for the information on the data
contents of the EEPROM. Refer to http:///
industry/dsp/ire.html.
Table I.Interrupt Sources
ADSP-2141L
Interrupt ControllerThe DSP core of the ADSP-2141L provides a powerful set of
interrupt sources. A total of 14 interrupt sources are available,
although two pairs are multiplexed, yielding 12 simultaneous
sources. Refer to Table I.
The ADSP-2141L enhances the existing interrupt controller
within the ADSP-218x DSP Core with some additional func-
tions related to the crypto functional blocks and the external
host bus interfaces. Two additional interrupt controller sub-
systems have been added to the basic interrupt controller as
shown in Figure 5.
The DSP interrupt controller allows programming between one
and nine sources for the IRQ2 interrupt to the DSP. The
DIMASK register provides the mask to select which interrupt
source is enabled. A pair of status registers, DUMSTAT and
DMSTAT, allow the DSP firmware to read the status of any
interrupt source either before or after the mask is applied.
The host interrupt controller allows programming between one
and five sources for the PF7/INT_H interrupt output signal
(which may be connected to the interrupt input of the host
system). The HMASK register provides the mask to select which
interrupt source is enabled. A pair of status registers, HUMSTAT
and HMSTAT, allow the host firmware to read the status of any
interrupt source either before or after the mask is applied.
Laser Variable StorageThe laser variables are configured through 256 Fuses in the
ADSP-2141L, which are programmed during IC manufacture.
Each ADSP-2141L produced is programmed with a unique set
of Laser Variables.Local Storage Variable (LSV—the Master Key-Encryption-Key)Internal Seed Variable
INTH
TO HOST48-Bit Program Control Data (enables/disables various fea-
tures and configures the ADSP-2141L)CRC of the Laser Data (to verify integrity of the laser bits)
The LSV is a unique triple DES master key-encrypting key that
allows the ADSP-2141L to securely store data (primarily other keys)
off-chip for later reloading. This is necessary if more storage space
is needed than is available with on-chip RAM, or if keys need to
be saved and restored after a power outage. Each ADSP-2141L
produced is programmed with a unique, randomly generated
local storage variable.
The internal seed variable is used to randomly initialize the
RNG circuits before the entropy is mixed in. Each ADSP-2141L
produced is programmed with a unique, randomly generated
internal seed variable which is loaded into the RNG at chip boot
time and cannot ever be read by software.
The 48 Program Control Data Bits (PCDBs) include configura-
tion for permitted key lengths, algorithm enables, red KEK
loading, internal IC pulse timing characteristics. The PCDBs
provide configuration data that falls into three categories:Internal IC pulse-timing characteristicsADSP-2141L hardware version number fieldADSP-2141L feature enables
The first two categories consist of data that cannot be altered
once the ADSP-2141L has been fabricated.
The feature enables can be overridden using a factory token
enabler which may be passed to the CGX kernel as part of the
CGX_INIT command. This token is digitally signed with an
IRE private key and verified internal to the ADSP-2141L with
its public key. The CGX_INIT command is documented in the
ADSP-2141 CGX Interface Programmer’s Guide (available from
http://www.ire-ma.com/proddoc.htm).
PIN FUNCTIONS
I/O DescriptionsThis section describes the physical I/O hardware on the ADSP-2141L.
PIN FUNCTION DESCRIPTIONS–I/O Hardware
ADSP-2141L*When DMS is enabled for generation of CMS, the CMS is activated for DSP access to external memory only, NOT for DMA controller accesses.
Bus Mode DescriptionsThe Pin Function Descriptions, Bus Mode table, shows the multiplexed pins in 2183 and PCI mode. For more information on the
PCI pins MPLX1–MPLX12, see the Pin Functions Description–PCI Mode Multiplex Bus table on the following page.
PIN FUNCTION DESCRIPTIONS—Bus ModeMPLX6
MPLX7
MPLX8
MPLX9
MPLX10
MPLX11
MPLX12
MPLX_BUS[31:0]
IDMA Mode Multiplex Bus Pin Definition
IDMA Port (218x Mode)
PIN FUNCTION DESCRIPTIONS—IDMA Mode Multiplex Bus
PCI Port
PIN FUNCTION DESCRIPTIONS—PCI Mode Multiplex Bus
SYSTEM INTERFACEThe ADSP-2141L may be integrated into a wide variety of sys-
tems, including those that already have a microprocessor and
those that will use the ADSP-2141L as the main processor. The
device can be configured into one of two Host Bus modes:
IDMA or PCI.
IDMA Bus ModeThe IDMA bus mode operates the same as in a native ADSP-
218x device, as described in this section.
The IDMA port provides an efficient means of communication
between a host system and the ADSP-2141L. The port is used
to access the on-chip program memory and data memory of the
DSP with only one DSP cycle per word overhead. The IDMA
port cannot, however, be used to write to the DSP’s memory-
mapped control registers.
The IDMA port has a 16-bit multiplexed address and data bus,
and supports reading or writing 16-bit data (DM) or 24-bit
program memory (PM). The IDMA port is completely asyn-
chronous and can be written to while the ADSP-2141L is oper-
ating at full speed.
specifying only the starting address of the block. This increases
throughput as the address does not have to be sent for each
memory access.
The IDMA port access occurs in two phases. The first is the
IDMA address latch cycle. When the acknowledge is asserted, a
14-bit address and 1-bit destination type can be driven onto the
bus by an external device. The address specifies an on-chip
memory location; the destination type specifies whether it is a
DM or PM access. The falling edge of the address latch signal
latches this value to the IDMAA register.
Once the address is stored, data can either be read from or
written to the ADSP-2141L’s on-chip memory. Asserting the
select line (IS) and the appropriate read or write line (IRD and
IWR respectively) signals the ADSP-2141L that a particular
transaction is required. In either case, there is a one-processor-
cycle delay for synchronization. The memory access consumes
an additional processor cycle.
Once an access has occurred, the latched address is automati-
cally incremented and another access can occur.
Through the IDMAA register, the ADSP-2141L can also
ADSP-2141L
EXTERNALFigure 6.ADSP-2141L IDMA System Configuration
EXTERNALFigure 7.ADSP-2141L PCI System Configuration
PCI Bus ModeFigure 7 illustrates a typical system configuration for the
PCI mode.
ADSP-2141L
DEVICE OPERATION
OPERATIONAL MODES
Security ModesThe ADSP-2141L operates in one of two security modes: kernel
mode or user mode. The mode switching is performed on the fly
as program execution proceeds. Kernel mode is entered via a
jump or call to address 0x2000 with PMOVLAY set to 0x000F.
Kernel mode will exit on its own once it has completed a requested
operation (or terminates due to an error).
Special interrupt handling is performed if the DSP is executing
in kernel mode. While executing a CGX command in kernel
mode, it is possible to interrupt to a nonprotected vector loca-
tion and then invoke the kernel again during the interrupt han-
dler. The [IF CONDITION] RTI instruction must be used to
return to the kernel from the interrupt handler. The return
address and PMOVLAY page must match the interrupted ad-
dress and PMOVLAY page. If not, the violation reset logic will
be triggered. Only one level of kernel mode nesting is permitted.
An interrupt to a nonprotected vector location while in nested
kernel mode will also trigger the violation reset logic.
While in kernel mode, it is possible to interrupt to a protected
vector location. In this case, the processor remains in kernel
mode. The [IF CONDITION] RTI instruction must be used to
return the processor from the interrupt handler. There is no
imposed limit on the number of nested interrupts to a protected
vector location.
Bus ModesThe ADSP-2141L Host Bus may be configured for one of two
personalities: IDMA Mode or PCI Bus Mode. The selection of
mode is made with two hardware control inputs BUS_MODE
and BUS_SEL at boot time.
Table II.Bus Mode SelectionThis selection may not be changed after the ADSP-2141L
comes out of power-up reset. It is typically expected that the bus
mode signals are tied to ground or VDD on the PC Board.
Boot ModesThe ADSP-2141L may be bootstrap-loaded from one of three
sources: byte-wide memory, host processor bus, or external
program memory. The selection of mode is made with two
hardware control inputs BMODE and MMAP. When the host
processor boot mode is selected, any one of the two bus modes
may be used.
Table III.Boot Mode SelectionThe hardware pin states are not relevant after the ADSP-2141L
comes out of power-up reset. Refer to the ADSP-2141L User’s
Manual (available from IRE) for information on BDMA, IDMA
and external program boot modes.
COMMAND INTERFACEThis section provides a general overview of the software com-
mand interface to the crypto functions in the ADSP-2141L.
Refer to the ADSP-2141 CGX Interface Programmer’s Guide
(available from http://www.ire-ma.com/proddoc.htm) for more
details.
OverviewThe ADSP-2141L provides an embedded crypto library that
provides a command interface API (Application Programming
Interface) to outside applications. These commands are referred
to as CGX (CryptoGraphic eXtensions).
The CGX API simultaneously enforces certain security policies
within the ADSP-2141L and insulates applications from the
details of many complex cryptographic operations. The security
policy built into the ADSP-2141L has some of the following
rules:Unencrypted (red) keys may never be retrieved from the
ADSP-2141L.Keys within the ADSP-2141L are marked with an attributes
field that specifies key type and trust level.A key’s type field must match the use in a requested opera-
tion (i.e., cannot use a KEK to encrypt traffic).Keys generated internal to the ADSP-2141L (i.e., from RNG)
are marked as trusted.Keys that are negotiated or imported from outside systems are
marked untrusted (although they may still be quite secure).Separate trusted and untrusted key hierarchies may be main-
tained and customer applications may choose which trust
level is required for a given command.
For most key management operations, the CGX interface must
be used. However, for certain highperformance encryption/
hashing applications, the CGX interface may be bypassed and
either the DSP or a host processor may exercise direct control
over the hash/encrypt block.
COMMAND SUMMARYApproximately 40 CGX Commands are supported in the API to the ADSP-2141L.
General UtilitiesINITInitializes Secure Kernel and Allow Reconfiguration of the ADSP-2141L
DEFAULTRestores Factory Default Settings
RANDOMGenerates Random Numbers (between 1K and 64K bytes)
GET CHIPINFOReturns ADSP-2141L System Information
SELF TESTRuns a suite of self-tests on the hardware and CGX
Symmetrical Key ManagementUNCOVER KEYLoads and Decrypts a Secret Key
GEN KEYGenerates a Secret Key
GEN KEKGenerates an Internal Key Encryption Key
GEN RKEKGenerates a Key Recovery Key Encryption Key
SAVE KEYSaves a key protected by the Recovery Key (RKEK)
LOAD KEYImports a Red (plaintext) User Secret Key
DERIVE KEYDerives a Secret Key from a Pass Phrase
TRANSFORM KEYTransforms a Secret Key using IPsec
DESTROY KEYRemoves Secret Key from the KCR
EXPORT KEYExports an IRE-format Secret Key
IMPORT KEYImports an IRE-format Secret Key
Symmetrical EncryptionENCRYPTEncrypts Data
DECRYPTDecrypts Data
LOAD KGLoads Secret Key into HW/SW Key Generator
HashHASH INITInitializes the Hash Operator
HASH DATAHash Customer Data
HASH ENCRYPTHash and Encrypt Customer Data
HASH DECRYPTHash and Decrypt Customer Data
PRF FunctionsMERGE KEYCombines two secret keys into one key
MERGE LONG KEYCombines two secret keys into a data string (long key)
EXTRACT LONG KEYCreates a secret key from a data string (long key)
PRF DATAHash multiple data items using HMAC
PRF KEYCompletes the above HMAC and create secret key
Asymmetrical Key ManagementGEN PUBKEYGenerates a Public Keyset (Public and Private Parts)
GEN NEWPUBKEYGenerates a part of a Public Keyset
GEN NEGKEYGenerates a Diffie-Hellman Derived Secret Key
EXPORT PUBKEYExports an IRE-format Public Key
IMPORT PUBKEYImports an IRE-format Public Key
Asymmetrical EncryptionPUBKEY ENCRYPTEncrypts Data using RSA Public Key
PUBKEY DECRYPTDecrypts Data using RSA Public Key
Digital SignaturesSIGNDigitally Signs a Message
VERIFYVerifies a Digital Signature
Math UtilitiesADD VECTORPerforms a Vector Add Operation
SUB VECTORPerforms a Vector Subtract Operation
MULT VECTORPerforms a Vector Multiply Operation
EXP VECTORPerforms a Vector Exponentiate Operation
SHIFT VECTORPerforms a Vector Right or Left Shift Operation
Extended Mode
ADSP-2141L
ABSOLUTE MAXIMUM RATINGSSupply Voltage . . . . . . . . . . . . . . . . . . . . . . . . –0.3 V to +4.6 V
Input Voltage . . . . . . . . . . . . . . . . . . . . –0.5 V to VDD + 0.5 V
Output Voltage Swing . . . . . . . . . . . . . –0.5 V to VDD + 0.5 V
Operating Temperature Range (Ambient) . . . . . 0°C to 70°C
Storage Temperature Range . . . . . . . . . . . . –65°C to +150°C
Lead Temperature (5 sec) MQFP . . . . . . . . . . . . . . . . . 280°C
CAUTIONESD (electrostatic discharge) sensitive device. Electrostatic charges as high as 4000V readily
accumulate on the human body and test equipment and can discharge without detection.
Although the ADSP-2141L features proprietary ESD protection circuitry, permanent damage
may occur on devices subjected to high energy electrostatic discharges. Therefore, proper ESD
precautions are recommended to avoid performance degradation or loss of functionality.
Frequency Dependency For Timing SpecificationstCK is defined as 0.5tCKI. The ADSP-2141L uses an input clock
with a frequency equal to half the instruction rate: a 20.0 MHz
input clock (which is equivalent to 50ns) yields a 25ns processor
cycle (equivalent to 40MHz). tCK values within the range of 0.5tCKI
period should be substituted for all relevant timing parameters to
obtain the specification value.
Example: tCKH = 0.5tCK – 7 ns = 0.5 (25 ns) – 7 ns = 8 ns
RECOMMENDED OPERATING CONDITIONS
ELECTRICAL CHARACTERISTICS
DC SPECIFICATIONSVIH
VIL
VOH
VOL
IOZH
IDD
NOTESBidirectional pins: D0–D31, RFS0, RFS1, SCLK0, SCLK1, TFS0, TFS1, IAD0–15, PF0–PF7.Input only pins: IRQ2, BR, MMAP, BMODE, BUS MODE, BUS SEL, DR0, DR1, PWD, IRQL0, IRQL1, IRQE, IS, IRD, IWR, IAL.Input only pins: CLKIN, RESET, IRQ2, BR, MMAP, BMODE, BUS MODE, BUS SEL, DR0, DR1, PWD, IRQL0, IRQL1, IRQE, IS, IRD, IWR, IAL.Output pins: BG, BGH, PMS, DMSL, DMSH, BMS, IOMS, CMS, RD, WR, IACK, PWDACK, A0–A25, DT0, DT1, CLKOUT, FL2–0.Although specified for TTL outputs, all ADSP-2141L outputs are CMOS-compatible and will drive to VDD and GND, assuming no dc loads.Guaranteed but not tested.Output pins: BG, BGH, PMS, DMSL, BMS, IOMS, DMSH, CMS, RD, WR, IACK, PWDACK, A0–A25, DT0, DT1, CLKOUT, FL2–0, EE_DI, EE_CS, EE_SK.
80 V on BR. CLKIN active (to force three-state condition).Three-statable pins: A0–A25, D0–D31, PMS, DMSL, DMSH, BMS, IOMS, CMS, RD, WR, DT0, DT1, SCKL0, SCLK1, TFS0, TFS1, RFS0, RFS1, IAD0–
IAD15, PF0–PF7.
10Idle refers to ADSP-2141L state of operation during execution of IDLE Instruction. Deasserted pins are driven to either VDD or GND.
11Current reflects device operating with no output loads.
12VIN = 0.4 V and 2.4 V. For typical supply currents, refer to Power Dissipation section.
ADSP-2141LSPECIFICATIONS
ADSP-2141L
DC SPECIFICATIONS– PCI Bus PinsNOTESBidirectional pins: MPLX_BUS [31:0}, MPLX1–4, MPLX7–10, MPLX12Input only pins: MPLX_RESET, MPLX5, MPLX6, PCI_CLK, PCI_PAR, PCI_IRDY, PCI_STOPOutput only pins: MPLX11Leakage currents include High-Z output leakage for bidirectional buffers with three-state outputs.Lower capacitance of IDSEL (MPLX_5) input-only pin allows for nonresistive connection to Address/Data bus.
TIMING PARAMETERS
PCI Clock (Guaranteed Over Operating Temperature and Digital Supply Range)The ADSP-2141L is targeted for use in PCI add-on I/O slave card designs. It provides a glueless interface to the PCI bus. All bus
drivers are compliant with PCI interface electrical switching and drive capability specifications.
The ADSP-2141L does not implement the following signals: LOCK, INTB, INTC, INTD, SBO, SDONE, CLKRUN, AD[64:32],
C/BE[7:4], REQ64, ACK64, PAR64.
tHIGH
tLOW
NOTESRise and fall times are specified in terms of the edge rate measured in V/ns. This slew rate must be met across the minimum peak-to-peak portion of the waveform as
shown in Figure 8.The minimum RST slew rate applies only to the rising (deassertion) edge of the reset signal, and ensures that system noise cannot render an otherwise monotonic
signal to appear to bounce in the switching range.
0.2VCC
2V p-p
(MINIMUM)
0.3VCC
0.4VCC
0.5VCC
0.6VCCFigure 8.Clock Waveform
tON
tOFF
tSU
VSTEP (3.3V SIGNALING)
VTL
VTH
CLK
OUTPUT
DELAY
THREE-STATE
OUTPUT
CLK
INPUTFigure 9.Output (Top) and Input Timing Measurement Conditions
ADSP-2141LtCKIL
tCKIH
Switching Characteristics:
tCKL
tCKH
tCKOH
Control SignalsTiming Requirement:
NOTEApplies after power-up sequence is complete. Internal phase lock loop requires no more than 2000 CLKIN cycles assuming stable CLKIN (not including crystal
oscillator start-up time).
tCKOH
CLKIN
CLKOUTFigure 10.Clock Signals and Reset
