Rivos Collaborates to Complete Secure Provisioning of Integrated OpenTitan Root of Trust During SoC Production
October 28, 2025 -- Rivos is pleased to announce the successful secure provisioning of the integrated OpenTitan open source Root of Trust (RoT) in its SoC. This was done during the chip production process using the ZeroRISC provisioning appliance and platform.
The Integrated OpenTitan (“Darjeeling”) project allows the Root of Trust to be included in a larger SoC and for it to be used to provide the measured-boot path for the main CPUs. Securely provisioning the part and generating part-specific certificates during the manufacturing process enables the full supply chain to be protected. The Root of Trust can be authenticated, and in-turn attest to the validity of the RoT-creator provisioned boot code.
Rivos contributed to the “multi-top” build infrastructure to allow us to design and instantiate an entire system control subsystem, which includes the Darjeeling Root-of-Trust, a power management controller, and an I/O controller. Each contains an Ibex RISC-V microcontroller, which can run up to 1GHz in the TSMC 3nm process, along with other (existing and Rivos-contributed) IP components from the OpenTitan collection. While the OpenTitan project is focused on the security aspects, this ability to provide a library of composable components shows an additional benefit of the open source approach.
Rivos has upstreamed all of the changes made, enabling inclusion of a Silicon-proven integrated OpenTitan in the main source repository. This includes major IP blocks that are required for integration into a SoC, like the DOE mailbox, debug and DMA interfaces. Security related changes add register access control, a DICE protection environment for the key manager, and dual signing of payloads using key manifests. A few practical things are needed for newer process nodes for one-time-programmable fuse management, and to allow ROM patching. The learnings from the initial SoC, the provisioning process and a FIPS readiness assessment have also resulted in upstream changes. We are using git hash 3aa544f6 as the basis for production parts.
We would like to thank our colleagues at GUC, KYEC, lowRISC, TSMC and ZeroRISC for all their help in getting secure provisioning of the integrated OpenTitan-based RoT successfully implemented.
Related Semiconductor IP
- Root of Trust
- Embedded Hardware Security Module (Root of Trust) - Automotive Grade ISO 26262 ASIL-B
- Root of Trust solutions
- Root of Trust (RoT)
- Silicon Proven Hardware Root of Trust
Related Blogs
- Rambus RT-660 Root of Trust IP Achieves FIPS 140-3 Certification
- Rambus CryptoManager Root of Trust Solutions Tailor Security Capabilities to Specific Customer Needs with New Three-Tier Architecture
- Tailoring Root Of Trust Security Capabilities To Specific Customer Needs
- Trust at the Core: A Deep Dive into Hardware Root of Trust (HRoT)
Latest Blogs
- Rivos Collaborates to Complete Secure Provisioning of Integrated OpenTitan Root of Trust During SoC Production
- From GPUs to Memory Pools: Why AI Needs Compute Express Link (CXL)
- Verification of UALink (UAL) and Ultra Ethernet (UEC) Protocols for Scalable HPC/AI Networks using Synopsys VIP
- Enhancing PCIe6.0 Performance: Flit Sequence Numbers and Selective NAK Explained
- Smarter ASICs and SoCs: Unlocking Real-World Connectivity with eFPGA and Data Converters