Ah, I guess the glitch overrides also those keys, and inadvertently activates RISC-V debug module access:
BTW, I was talking about this authentication:
I think this is happening before any bootrom execution (Power-on State Machine),In the case of guarded reads, the first failure mode can result in the guard read check passing and the
guard word also ending up as the read data. If the critical data are the CRIT0/CRIT1 flags, sampled by the
OTP PSM during boot, this can enable Hazard3 debug and disable the Arm cores which results in a
reversion of the effects of the CRIT1.SECURE_BOOT_ENABLE and CRIT1.DEBUG_DISABLE flags.
BTW, I was talking about this authentication:
3.7.4.10. Debug
Cortex-M33 debug functionality includes processor halt, single-step, processor core register access, Vector Catch,
unlimited software breakpoints, and full system memory access.
The processor also includes support for hardware breakpoints and watchpoints configured during implementation:
• A breakpoint unit supporting eight instruction comparators
• A watchpoint unit supporting four data watchpoint comparators
The Cortex-M33 processor supports system level debug authentication to control access from a debugger to resources
and memory. Authentication via the Armv8-M Security Extension can be used to allow a debugger full access to Nonsecure
code and data without exposing any Secure information.
Statistics: Posted by gmx — Wed Apr 30, 2025 7:16 pm