| Enumerator | Description |
|---|---|
| NRF_LCS_UNKNOWN | The value returned from the underlying storage cannot be mapped to a valid LCS. This can be an indication of a tampering attempt, or of a failure in the underlying storage. It is not possible to transition into this state. It may be possible to transition out of this state only through an authenticated erase all procedure (if this feature is supported). |
| NRF_LCS_ASSEMBLY_AND_TEST | The device is in the assembly and test phase. When entering this state, the device may be in a fresh, erased state. In this state, the device is expected to receive the bootloader, manufacturing firmware and end-product update candidate.<br>In this state the bootloader(s) are not able to perform a signature verification, but should ensure the integrity of the next firmware in the chain. Before leaving this state the manufacturing firmware is expected to:<br>- Lock down the first stage immutable bootloader.<br>- Provision the public keys used to verify the bootloader firmware.<br>- Provision the public keys used to verify the manufacturing firmware.<br>- (optionally) Provision the public keys used to verify the test and end-product firmware.<br>- Disable the unauthenticated requests to erase the whole memory.<br>- Schedule a transition into the LCS_PSA_ROT_PROVISIONING state.<br>At this stage, the manufacturing firmware should not assume that the device is soldered on the end-product.<br>A device in this state is expected to be in a secured, trusted manufacturing environment. Transitioning into this state is possible only through an authenticated erase all procedure (if this feature is supported). |
| NRF_LCS_PSA_ROT_PROVISIONING | The device is in the PSA Root of Trust (RoT) provisioning phase. When entering this state, the device is expected to have its RoT keys provisioned.<br>On Nordic devices, the bootloader(s) are expected to perform a signature verification of the firmware, but do not perform firmware updates. The signature verification process is expected to use the keys dedicated for the manufacturing firmware, and not the keys dedicated for the end-product firmware.<br>At this stage, the device is expected to be soldered on the end-product, but it is not expected to be in the hands of the end user. Before leaving this state, the manufacturing firmware is expected to:<br>- Go through a securing phase, where both the hardware and software components are checked for integrity and completeness.<br>- Schedule a firmware update to the main application firmware, effectively overwriting the manufacturing firmware.<br>- Schedule a transition into the LCS_SECURED state before leaving the manufacturing environment.<br>- Revoke the manufacturing keys and remove any other test assets.<br>The device may create a secure channel to provision additional keys required to secure and run the main application. Since at this stage only firmware verified by the RoT keys is allowed to run, the device may be in an unsecured, untrusted environment.<br>Transitioning into this state is possible only from the LCS_ASSEMBLY_AND_TEST state. Transitioning out of this state may also be possible through an authenticated erase all procedure (if this feature is supported). |
| NRF_LCS_SECURED | The device is secured, and in the deployed state. In this state, the device is expected to be in the hands of the end user, and to run the main application firmware, which is expected to be verified by the keys provisioned in the RoT provisioning phase. The bootloader(s) are no longer allowed to use the manufacturing keys to verify the firmware.<br>Transitioning into this state is possible only from the LCS_PSA_ROT_PROVISIONING state. Transitioning out of this state is possible through a decommissioning procedure, as part of the product return process, or through an authenticated erase all procedure (if this feature is supported). Leaving this state can be done only after removing all user data from the device, and it is expected to be irreversible. |
| NRF_LCS_PSA_PROT_DEBUG | The device is in the PSA Platform Root of Trust debug state. This state is not yet fully defined, but it is included here for completeness. |
| NRF_LCS_PSA_NON_PROT_DEBUG | The device is in the PSA Non-Platform Root of Trust debug state. This state is not yet fully defined, but it is included here for completeness. |
| NRF_LCS_DECOMMISSIONED | The device is decommissioned, and it can be discarded. When entering this state, all secret data must be removed and any and all access to the device is prohibited. In this state the device no longer performs regular operations. Transitioning into this state is possible from any valid state.<br>This state can be used to secure a device after a tampering attempt. A manufacturer may allow a device to be refurbished by transitioning it back to the LCS_ASSEMBLY_AND_TEST state through an authenticated erase all procedure (if this feature is supported). |
| NRF_LCS_MAX | The maximum value of the enum, to ensure it is represented in 32 bits. This is not a valid state, and it is not possible to transition into this state. |
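The transition rules in the table, encoded as a check that a bootloader or provisioning agent could run before committing a new LCS. This is an added example, not Nordic's own code: the numeric enum values, the NRF_LCS_MAX sentinel value and the function names are assumptions, and the two debug states are treated as unsupported because the table leaves them undefined. It also shows the mapping of an unrecognised storage value to NRF_LCS_UNKNOWN.

```c
#include <stdbool.h>
#include <stdint.h>

/* Enumerator names follow the table; the numeric values and the use of
 * NRF_LCS_MAX as a 32-bit sentinel are assumptions made for this example. */
typedef enum {
    NRF_LCS_UNKNOWN = 0, NRF_LCS_ASSEMBLY_AND_TEST, NRF_LCS_PSA_ROT_PROVISIONING,
    NRF_LCS_SECURED, NRF_LCS_PSA_PROT_DEBUG, NRF_LCS_PSA_NON_PROT_DEBUG,
    NRF_LCS_DECOMMISSIONED, NRF_LCS_MAX = 0x7FFFFFFF
} nrf_lcs_t;

/* Map a raw word read from storage to an LCS. Garbage, MAX and (because the
 * table leaves them undefined) the two debug states map to NRF_LCS_UNKNOWN,
 * which the caller must treat as possible tampering or a storage fault. */
nrf_lcs_t nrf_lcs_from_storage(uint32_t raw)
{
    bool known = raw == NRF_LCS_ASSEMBLY_AND_TEST || raw == NRF_LCS_SECURED ||
                 raw == NRF_LCS_PSA_ROT_PROVISIONING || raw == NRF_LCS_DECOMMISSIONED;
    return known ? (nrf_lcs_t)raw : NRF_LCS_UNKNOWN;
}

/* A valid LCS is one that round-trips through storage; UNKNOWN is not one. */
static bool lcs_is_valid(nrf_lcs_t s)
{
    return s != NRF_LCS_UNKNOWN && nrf_lcs_from_storage((uint32_t)s) == s;
}

/* Decide whether a transition is permitted by the rules in the table.
 * erase_all_authenticated is true only after an authenticated erase-all
 * procedure has completed: it is the sole way back into ASSEMBLY_AND_TEST
 * and the sole way out of UNKNOWN. */
bool nrf_lcs_transition_allowed(nrf_lcs_t from, nrf_lcs_t to,
                                bool erase_all_authenticated)
{
    if (from == to) return false;  /* a state never transitions to itself */
    switch (to) {
    case NRF_LCS_ASSEMBLY_AND_TEST:
        return erase_all_authenticated &&
               (from == NRF_LCS_UNKNOWN || lcs_is_valid(from));
    case NRF_LCS_PSA_ROT_PROVISIONING:
        return from == NRF_LCS_ASSEMBLY_AND_TEST;
    case NRF_LCS_SECURED:
        return from == NRF_LCS_PSA_ROT_PROVISIONING;
    case NRF_LCS_DECOMMISSIONED:
        return lcs_is_valid(from);   /* reachable from any valid state */
    default:
        return false;  /* UNKNOWN and MAX are never entered; debug undefined */
    }
}
```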