chipsalliance · ekarabu · Feb 21, 2025 · Feb 19, 2025 · Feb 19, 2025 · Feb 19, 2025
diff --git a/docs/CaliptraSSHardwareSpecification.md b/docs/CaliptraSSHardwareSpecification.md
@@ -543,8 +543,8 @@ The figure below shows the LCC state transition and Caliptra Subsystem enhanceme
 | MANUF              | FUSE            | Transition from TEST_UNLOCKED state using token stored in FUSE. This is a mutually exclusive state to PROD and PROD_END. To enter this state, MANUF_TOKEN is required. This state is used for developing provisioning and mission mode. In this state, UDS and Field Entropy FUSE partitions can be provisioned. During this state: CLTAP (chip level TAPs) is enabled; Debug functions are enabled; DFT functions are disabled |
 | PROD               | FUSE            | Transition from MANUF state using token stored in FUSE. PROD is a mutually exclusive state to MANUF and PROD_END. To enter this state, PROD_TOKEN is required. This state is used both for provisioning and mission mode. During this state: CLTAP is disabled; Debug functions are disabled; DFT functions are disabled; Caliptra Subsytem can grant SoC debug unlock flow if the conditions provided in “SoC Debug Flow and Architecture for Production Mode” section are satisfied. SoC debug unlock overwrites the signals and gives the following cases: CLTAP is enabled; Debug functions are enabled based on the defined debug policy; DFT is enabled but this DFT enable is called SOC_DFT_EN, which has less capabilities than DFT_EN granted in TEST_UNLOCKED. |
 | PROD_END           | FUSE            | This state is identical in functionality to PROD, except the device is never allowed to transition to RMA state. To enter this state, a PROD_END token is required. It also means that Caliptra-SS cannot enter debug mode anymore. Only transition to SCRAP mode is allowed.|
-| RMA                | FUSE            | Transition from TEST_UNLOCKED / PROD / MANUF using token stored in FUSE. It is not possible to reach this state from PROD_END. When transitioning from PROD or MANUF, an RMA_UNLOCK token is required. When transitioning from TEST_UNLOCKED, no RMA_UNLOCK token is required. During this state: CLTAP is enabled; Debug functions are enabled; DFT functions are enabled |
-| SCRAP              | FUSE            | Transition from any state. During SCRAP state the device is completely dead. All functions, including CPU execution are disabled. The only exception is the TAP of the life cycle controller which is always accessible so that the device state can be read out. No owner consent is required to transition to SCRAP. Note also, SCRAP is meant as an EOL manufacturing state. Transition to this state is always purposeful and persistent, it is NOT part of the device’s native security countermeasure to transition to this state.|
+| RMA                | FUSE            | Transition from TEST_UNLOCKED / PROD / MANUF using token stored in FUSE. It is not possible to reach this state from PROD_END. If the RMA transition is requested, the request must follow the asserted RMA PPD pin. Without this pin, RMA request is discarded. See `cptra_ss_lc_Allow_RMA_or_SCRAP_on_PPD_i` in [Caliptra Subsystem Integration Specification Document](CaliptraSSIntegrationSpecification.md). When transitioning from PROD or MANUF, an RMA_UNLOCK token is required. When transitioning from TEST_UNLOCKED, no RMA_UNLOCK token is required. During this state: CLTAP is enabled; Debug functions are enabled; DFT functions are enabled |
+| SCRAP              | FUSE            | Transition from any state. If the SCRAP transition is requested, the request must follow the asserted SCRAP PPD pin. Without this pin, SCRAP request is discarded. See `cptra_ss_lc_Allow_RMA_or_SCRAP_on_PPD_i` in [Caliptra Subsystem Integration Specification Document](CaliptraSSIntegrationSpecification.md). During SCRAP state the device is completely dead. All functions, including CPU execution are disabled. The only exception is the TAP of the life cycle controller which is always accessible so that the device state can be read out. No owner consent is required to transition to SCRAP. Note also, SCRAP is meant as an EOL manufacturing state. Transition to this state is always purposeful and persistent, it is NOT part of the device’s native security countermeasure to transition to this state.|
 | INVALID            | FUSE            | Invalid is any combination of FUSE values that do not fall in the categories above. It is the “default” state of life cycle when no other conditions match. Functionally, INVALID is identical to SCRAP in that no functions are allowed and no transitions are allowed. A user is not able to explicitly transition into INVALID (unlike SCRAP), instead, INVALID is meant to cover in-field corruptions, failures or active attacks.|
 
 **Note**

diff --git a/docs/CaliptraSSIntegrationSpecification.md b/docs/CaliptraSSIntegrationSpecification.md
@@ -324,7 +324,7 @@ File at path includes parameters and defines for Caliptra Subystem `src/integrat
 | External | input     | 64    | `cptra_ss_mci_generic_input_wires_i` | Generic input wires for MCI              |
 | External | input     | 1     | `cptra_ss_mcu_no_rom_config_i`       | No ROM configuration input               |
 | External | input     | 1     | `cptra_ss_mci_boot_seq_brkpoint_i`   | MCI boot sequence breakpoint input       |
-| External | input     | 1     | `cptra_ss_lc_Allow_RMA_on_PPD_i`     | Allow RMA on PPD input                   |
+| External | input     | 1     | `cptra_ss_lc_Allow_RMA_or_SCRAP_on_PPD_i`     | Allow RMA or SCRAP on PPD input                   |
 | External | input     | 1     | `cptra_ss_FIPS_ZEROIZATION_PPD_i`    | Zeroization request with PPD input       |
 | External | output    | 64    | `cptra_ss_mci_generic_output_wires_o` | Generic output wires for MCI            |
 | External | output    | 1     | `cptra_ss_mci_error_fatal_o`         | MCI error fatal output                   |
@@ -693,7 +693,7 @@ Facing      | Type       | width  | Name                  |  External Name in So
 ------------|:-----------|:-------|:----------------------|:------------------------------------|:-------       |
 External    |input       |   1    | `clk_i`               | `cptra_ss_clk_i`                    | clock         |
 External    |input       |   1    | `rst_ni`              | `cptra_ss_rst_b_i`                  | LC controller reset input, active low|
-External    |input       |   1    | `Allow_RMA_on_PPD`    | `cptra_ss_lc_Allow_RMA_on_PPD_i`    | This is GPIO strap pin. This pin should be high until LC completes its state transition to RMA.|
+External    |input       |   1    | `Allow_RMA_or_SCRAP_on_PPD`    | `cptra_ss_lc_Allow_RMA_or_SCRAP_on_PPD_i`    | This is GPIO strap pin. This pin should be high until LC completes its state transition to RMA or SCRAP.|
 External    |interface   |   1    | `axi_wr_req`          | `cptra_ss_lc_axi_wr_req_i`          | LC controller AXI write request input |
 External    |interface   |   1    | `axi_wr_rsp`          | `cptra_ss_lc_axi_wr_rsp_o`          | LC controller AXI write response output|
 External    |interface   |   1    | `axi_rd_req`          | `cptra_ss_lc_axi_rd_req_i`          | LC controller AXI read request input |
@@ -770,9 +770,9 @@ See LC Controller Register Map**TODO: link will be provided**.
 1. **Connectivity**:
    - Ensure proper routing of all signals to avoid conflicts with other modules.
    - Interfaces like `jtag` and `axi` must adhere to the defined protocol specifications.
-   - Esclation signals (`esc_scrap_state0` and `esc_scrap_state1`) brings LC controller into SCRAP mode and therefore needs to be connected to a dedicated controller.
-   - `Allow_RMA_on_PPD` needs to be tied 0 if it is not being used. Otherwise, it might break LC controller's internal FSM.
-   - Avoid glitches on `Allow_RMA_on_PPD` and escalation inputs (`esc_scrap_state0`, `esc_scrap_state1`) that could cause unintended transitions.
+   - Escalation signals (`esc_scrap_state0` and `esc_scrap_state1`) brings LC controller into temporal SCRAP mode (Escalation state) and therefore needs to be connected to a dedicated controller.
+   - `Allow_RMA_or_SCRAP_on_PPD` needs to be tied 0 if it is not being used. Otherwise, it might break LC controller's internal FSM.
+   - Avoid glitches on `Allow_RMA_or_SCRAP_on_PPD` and escalation inputs (`esc_scrap_state0`, `esc_scrap_state1`) that could cause unintended transitions.
    - Verify that all output signals, including alerts, remain within the expected ranges under normal operation.
 
 ## Programming Interface
@@ -794,8 +794,8 @@ The LC Controller's programming interface facilitates lifecycle state transition
 3. **Token Validation**:
    - For conditional state transitions, provide the transition token before the transition request.
 
-4. **RMA Strap Handling**:
-   - Ensure the `Allow_RMA_on_PPD` GPIO strap is asserted for RMA transitions. Transitions without this strap will fail with an appropriate status in the `LC_CTRL_STATUS_OFFSET` register.
+4. **RMA and SCRAP Strap Handling**:
+   - Ensure the `Allow_RMA_or_SCRAP_on_PPD` GPIO strap is asserted for RMA or SCRAP transitions. Transitions without this strap will fail with an appropriate status in the `LC_CTRL_STATUS_OFFSET` register.
 
 
 ## Sequences: Reset, Boot
@@ -830,7 +830,8 @@ The LC Controller's programming interface facilitates lifecycle state transition
 2. **Error Injection**:
    - Test token errors by providing invalid tokens during a transition request.
    - Simulate OTP errors by corrupting OTP data or configuration.
-   - Test RMA transitions with and without the `Allow_RMA_on_PPD` GPIO strap.
+   - Test RMA transitions with and without the `Allow_RMA_or_SCRAP_on_PPD` GPIO strap.
+   - Test SCRAP transitions with and without the `Allow_RMA_or_SCRAP_on_PPD` GPIO strap.
 
 3. **Boundary Testing**:
    - Verify correct operation under boundary conditions, such as repeated transitions, simultaneous requests, or rapid reset sequences.

diff --git a/src/integration/rtl/caliptra_ss_top.sv b/src/integration/rtl/caliptra_ss_top.sv
@@ -139,7 +139,7 @@ module caliptra_ss_top
     input logic cptra_ss_mcu_no_rom_config_i,
     input logic cptra_ss_mci_boot_seq_brkpoint_i,
 
-    input logic cptra_ss_lc_Allow_RMA_on_PPD_i,
+    input logic cptra_ss_lc_Allow_RMA_or_SCRAP_on_PPD_i,
     input logic cptra_ss_FIPS_ZEROIZATION_PPD_i,
 
     output logic [63:0] cptra_ss_mci_generic_output_wires_o,
@@ -1209,7 +1209,7 @@ module caliptra_ss_top
     lc_ctrl u_lc_ctrl (
             .clk_i(cptra_ss_clk_i),
             .rst_ni(cptra_ss_rst_b_i),
-            .Allow_RMA_on_PPD(cptra_ss_lc_Allow_RMA_on_PPD_i),
+            .Allow_RMA_or_SCRAP_on_PPD(cptra_ss_lc_Allow_RMA_or_SCRAP_on_PPD_i),
             .axi_wr_req(cptra_ss_lc_axi_wr_req_i),
             .axi_wr_rsp(cptra_ss_lc_axi_wr_rsp_o),
             .axi_rd_req(cptra_ss_lc_axi_rd_req_i),