Doc: move implementation details of RAM scrambling to RAM core

hw/application_fpga/README.md

@@ -75,7 +75,10 @@ The memory is cleared by firmware before an application is loaded.
 
 The application RAM is available to use by firmware and applications.
 
-MC: Is the scrambling here now?
+The RAM core also implements (from the view of the CPU) transparent
+RAM address and data scrambling. This scrambling is applied to make it
+harder to extract application and application data from a memory dump
+directly from the memory cores.
 
 ## `rom`
 
@@ -132,21 +135,7 @@ should make it infeasible to improve asset extraction by observing
 multiple memory dumps from the same TKey device. The attack should
 also not directly scale to multiple TKey devices.
 
-The memory protection is based on two separate mechanisms:
+The RAM address and data scrambling is done in de RAM core.
-
-1. Address randomisation
-2. Address dependent data randomization
-
-The address randomization is implemented by XORing the CPU address
-with the contents of the ADDR\_RAM\_ADDR\_RAND register in the tk1
-core. The result is used as the RAM address
-
-The data randomization is implemented by XORing the data written to the
-RAM with the contents of the ADDR\_RAM\_DATA\_RAND register in the tk1
-core as well as XORing with the CPU address. This means that the same
-data written to two different addresses will be scrambled differently.
-The same pair or XOR operations is also performed on the data read out
-from the RAM.
 
 The memory protection is setup by the firmware. Access to the memory
 protection controls is disabled for applications. Before the memory
@@ -168,11 +157,6 @@ setup the memory protection:
 6. Receive the application sent from the client and write it in
    sequence into RAM.
 
-Future TKey devices may implement a more secure ASLR mechanism, and
-use real encryption (for example PRINCE) for memory content
-protection. From the application point of view such a change will be
-transparent.
-
 ## `touch_sense`
 
 Provide touch sensor events to software.

hw/application_fpga/core/ram/README.md

@@ -23,6 +23,22 @@ ram_data_rand inputs as seeds for the scrambling mechanism. When data
 is read out it is descrambled before sent out on the read_data output
 port. The scrambling functionality does not add latency.
 
+The memory protection is based on two separate mechanisms:
+
+1. Address randomisation
+2. Address dependent data randomization
+
+The address randomization is implemented by XORing the RAM address
+with the contents of the ADDR\_RAM\_ADDR\_RAND register in the tk1
+core. The result is used as the RAM address.
+
+The data randomization is implemented by XORing the data written to
+the RAM with the contents of the ADDR\_RAM\_DATA\_RAND register in the
+tk1 core as well as XORing with the CPU address. This means that the
+same data written to two different addresses will be scrambled
+differently. The same pair or XOR operations is also performed on the
+data read out from the RAM.
+
 Note: the scrambling mechanism is NOT a cryptographically secure
 function. Even if it was, a 32 bit key would be too short to add any
 security.