Replay Protected Memory Block
The Replay Protected Memory Block (RPMB) is a secure partition within embedded MultiMediaCard (eMMC) and Universal Flash Storage (UFS) devices that enables authenticated storage of sensitive data, such as cryptographic keys and counters, while protecting against replay attacks and unauthorized modifications. First specified in the JEDEC eMMC 4.4 standard in 2009, RPMB uses a shared secret authentication key between the host and the storage device to ensure data integrity and prevent the reuse of previously issued commands.[1][2] RPMB operates through a dedicated protocol that authenticates read and write operations using a message authentication code (MAC) generated via HMAC-SHA-256, with each successful write incrementing a monotonic counter to invalidate any replayed requests.[1] This mechanism restricts access to a small, isolated memory area—multiples of 128 KB, up to 16 MB per the eMMC standard (with some implementations supporting up to 32 MB)—separate from the main user data partitions, and supports optional AES-256 encryption for additional confidentiality in applications like biometric authentication.[3] The protocol was initially defined in the JEDEC eMMC standard JESD84-A44 and has been extended to UFS and SD cards, aligning with NVMe protocols for broader compatibility in secure boot and trusted execution environments.[1][2] Commonly integrated into smartphones, IoT devices, and automotive systems, RPMB supports critical use cases including anti-rollback protection for firmware updates, secure key storage in Trusted Execution Environments (TEEs), and prevention of unauthorized access to device-specific data.[4] Despite its robustness, vulnerabilities in RPMB implementations have been identified, such as potential replay of failure messages that could lead to denial-of-service conditions in dependent security components.[5] Standardized in eMMC version 4.4 and later (up to 5.1B as of 2025) and UFS version 2.0 and later (up to 4.1 as of 2025), RPMB remains a foundational element for enhancing storage security in resource-constrained environments.[1]Introduction
Definition and Purpose
The Replay Protected Memory Block (RPMB) is a dedicated, small-capacity partition within flash-based storage devices such as embedded MultiMediaCard (eMMC) and Universal Flash Storage (UFS), providing secure and replay-protected data storage isolated from the main filesystem.[1] Its typical size ranges from 128 KB to 16 MB, configured as a multiple of 128 KB blocks (up to 32 MB in some vendor-specific implementations) to accommodate sensitive information without significantly impacting overall device capacity.[3][6] The primary purpose of RPMB is to enable authenticated access to stored data, where both write and read operations mandate the inclusion of message authentication codes (MACs) to verify integrity and authenticity, thereby preventing unauthorized modifications or access.[7] This mechanism counters replay attacks, in which an adversary intercepts and resubmits previously valid transactions to deceive the system into accepting outdated or manipulated data.[8] RPMB achieves this protection through monotonic write counters that increment by one after each successful write operation and nonces—random values generated for each transaction—to ensure freshness, rendering replayed frames invalid due to mismatched counter values or nonces.[3][1] By offering this secure enclave, RPMB facilitates critical applications such as the storage of cryptographic keys, certificate management for device authentication, and tamper-resistant logging of security events, all while maintaining data confidentiality without reliance on the host's general storage areas.[7][3]History and Development
The Replay Protected Memory Block (RPMB) was first introduced as a security feature in the JEDEC embedded MultiMediaCard (eMMC) specification version 4.41 (JESD84-A441), published in March 2010. This specification defined RPMB as a dedicated partition within eMMC devices to enable authenticated, replay-protected storage of sensitive data, addressing emerging threats in mobile and embedded systems. Developed by the Joint Electron Device Engineering Council (JEDEC), a standards organization comprising semiconductor manufacturers, the feature emerged from collaborative efforts involving major storage vendors such as Samsung and SanDisk, who contributed to refining the protocol for practical implementation in consumer electronics.[9][10] The creation of RPMB was motivated by the growing prevalence of mobile devices in the early 2010s, which heightened vulnerabilities to sophisticated attacks like rootkits and firmware manipulations that could enable unauthorized data access or system tampering. As smartphones proliferated, there was an urgent need for hardware-level protections to safeguard critical information, such as cryptographic keys and boot integrity data, against replay attacks where stale or malicious responses could be reused to bypass security. This driver aligned with broader industry shifts toward trusted execution environments and secure boot mechanisms to mitigate risks in increasingly connected ecosystems.[11][8] Following its eMMC debut, RPMB evolved through extensions to other storage protocols. It was incorporated into the Universal Flash Storage (UFS) standard with JEDEC UFS 2.0, released in September 2013, which built on eMMC foundations to support higher-performance interfaces while retaining RPMB for secure data handling in next-generation mobile devices. Subsequent UFS versions, such as 2.1 in 2016, further refined RPMB integration for enhanced authentication and error handling. The feature also expanded to removable media, with adoption in SD cards via the SD Association's SD 9.0 specification, released in February 2022, enabling RPMB in conventional SD memory cards to serve as semi-embedded secure storage alternatives.[12] Key milestones in RPMB's development include its early integration into Android's verified boot processes starting with Android 4.3 (Jelly Bean) in 2013, where developers implemented RPMB drivers to store protected data like modem configurations and billing information, enhancing resistance to rollback and tampering attacks. This adoption accelerated with Android's broader security framework updates. Concurrently, JEDEC's eMMC 5.0 specification, published in October 2013, introduced command queuing and power management improvements that complemented RPMB's security role, while the eMMC 5.1 update in February 2015 added enhanced partitioning and authentication mechanisms to bolster overall device resilience. These advancements solidified RPMB as a cornerstone of storage security across evolving hardware standards.[11][13][14] Subsequent updates as of 2025 include eMMC 5.1B in September 2025 for improved performance and reliability, UFS 4.1 in December 2024, and the announcement of UFS 5.0 in October 2025, all maintaining and enhancing RPMB functionality for modern devices.[15][16][17]Technical Specifications
Partition and Addressing
The Replay Protected Memory Block (RPMB) functions as a virtual logical unit (LUN) within embedded MultiMediaCard (eMMC) and Universal Flash Storage (UFS) devices, providing an isolated storage area for authenticated data. In eMMC implementations, RPMB is treated as a dedicated partition accessed via the SWITCH command (CMD6), which configures the partition access mode in the EXT_CSD register to enable RPMB operations.[7] This command shifts the device's addressing context from the main user data area to the RPMB partition, typically identified by a specific access bit pattern such as partition configuration mode value 0x03 in the SWITCH argument for RPMB enablement.[18] In UFS devices, RPMB operates as a distinct LUN, selected through a QUERY REQUEST UPIU with opcode 0x01 (Read Descriptor) or similar to retrieve and enable the RPMB unit descriptor, followed by Security Protocol IN/OUT commands for data handling.[19] This LUN-based structure in UFS allows independent addressing without altering the primary user LUN. RPMB size is allocated during device configuration and remains fixed thereafter, expressed as a multiple of 128 KB via parameters like RPMB_SIZE_MULT in the eMMC EXT_CSD register (byte 168) or equivalent UFS descriptors.[20] The minimum size is 128 KB, while the maximum is constrained to 16 MB due to the 16-bit address field in the RPMB protocol, ensuring compatibility across devices; while the protocol limits to 16 MB via 16-bit addressing, some implementations support up to 32 MB; representative implementations often provision 4 MB for sufficient secure storage capacity.[21][22] This non-user-accessible area is excluded from standard block I/O paths, preventing direct reads or writes through conventional commands like CMD17/18 (READ_SINGLE/ MULTIPLE_BLOCK) or UFS equivalents, thereby maintaining isolation from the filesystem and user data partitions.[7] Within the RPMB address space, logical addressing begins at 0 and uses 256-byte blocks to align with the protocol's data payload structure, where each operation targets blocks via a 16-bit address field supporting up to 65,536 blocks (yielding the 16 MB limit).[21] This separate namespace ensures no overlap with the device's main logical block addressing (LBA), which typically employs 512-byte sectors for user data, further enforcing security boundaries.[7] Provisioning of RPMB occurs during device manufacturing or initial host setup in a secure environment, including the one-time programming of a 32-byte authentication key using the PROGRAM_KEY operation.[23] This key, used for HMAC-SHA-256 computations, is written once via a dedicated RPMB frame and cannot be read, modified, or erased afterward, establishing the foundation for all subsequent authenticated accesses.[7]Authentication Mechanism
The Replay Protected Memory Block (RPMB) employs a cryptographic authentication mechanism centered on the HMAC-SHA-256 algorithm to ensure the integrity and authenticity of data exchanges between the host and the storage device. This mechanism utilizes a 256-bit device-specific authentication key, which serves as a shared secret and is provisioned during manufacturing or programmed via a secure channel in a controlled environment, such as the production line. The key is used to generate a 256-bit Message Authentication Code (MAC) for each RPMB request and response, computed over the relevant frame fields including the data payload, address, and additional security elements.[7][23][1] To prevent replay attacks, RPMB incorporates a monotonic 32-bit write counter that increments after every successful authenticated write operation. This counter is included in the MAC computation for both write requests and read responses, allowing the device to verify that the presented counter value matches the current internal state; any mismatch or attempt to use an outdated value results in authentication failure. For read operations, the mechanism further employs a 64-bit random nonce generated by the host and included in the request frame, which binds the request to a unique session and contributes to the MAC calculation to ensure freshness and prevent unauthorized replays of previous responses. The nonce is echoed back in the device's response along with its own MAC, enabling the host to validate the reply.[7][23][1] Key programming in RPMB supports secure provisioning via the PROGRAM_KEY operation, ensuring it cannot be written without proper authorization. Key revocation or updates are managed through result codes in the response frame, which signal failures during programming attempts, such as when an existing key prevents reprogramming. Authentication failures, including MAC mismatches due to incorrect keys, invalid counters, or nonce discrepancies, trigger specific result codes in the response; for instance, code 0x06 indicates read failures, while code 0x05 indicates an unprogrammed authentication key. These codes, part of the 16-bit Result field, provide diagnostic feedback while maintaining security by not revealing detailed failure reasons.[7][23][24]Operations and Frame Format
Supported Operations
The Replay Protected Memory Block (RPMB) defines a set of core operations to enable secure, authenticated access to its protected storage area, ensuring data integrity and replay protection through cryptographic mechanisms. These operations include the Authenticated Read request (0x0003), which retrieves data from the RPMB while verifying authenticity via a message authentication code (MAC); the Authenticated Write request (0x0004), which stores data after validation and counter increment; the Read Result request (0x0005), which fetches the outcome of a prior operation including any error status; and the Reading of the Write Counter request (0x0002), which obtains the current value of the monotonic write counter to prevent replays.[3][24] For an authenticated write operation, the host initiates the sequence by issuing a Reading of the Write Counter request to retrieve the device's current write counter value. The host then assembles a 512-byte request frame containing the target address, the data to write (padded if necessary), a 16-byte nonce for freshness, the expected write counter, and a 32-byte HMAC-SHA-256 MAC computed over the frame using the shared authentication key (referencing the HMAC verification process detailed in the authentication mechanism). This frame is transmitted to the device, which validates the MAC, checks that the provided counter matches its internal value, writes the data if valid, increments the write counter, and stores a response with updated details. The host subsequently sends a Read Result request to poll and retrieve the response frame, confirming success or failure.[3][24] The authenticated read sequence begins with the host constructing a single-block request frame (using CMD23 in eMMC for block count setup) that specifies the starting address, block count, a nonce, the expected write counter, and the MAC. The device verifies the MAC and counter, then returns the requested data in one or more 512-byte response frames via a multi-block read (CMD18 in eMMC), with the final frame including the response MAC for integrity verification; the host issues a Read Result request to obtain any operation result if needed. This process ensures that only fresh, authorized reads are possible, with the nonce preventing replay of previous responses.[3][24] These operations are invoked through storage-specific command flows: in eMMC devices, they utilize the MMC_SWITCH command (opcode 6, with mode 3 and RPMB-specific arguments in the data field) to enter the RPMB protocol mode and exchange frames over multi-block read/write channels. In Universal Flash Storage (UFS) devices, equivalent functionality is provided via IOCTL mechanisms or Security Protocol Out/In UPIU commands, which encapsulate the RPMB frames in a similar request-response exchange; in UFS 4.1 (2025), RPMB authentication secures vendor-specific command execution.[3][24][25][26] All operations process data in fixed 512-byte blocks, supporting multi-block transfers through chaining for efficiency, but prohibit partial block writes to maintain alignment and security. Certain specifications limit each operation to a maximum of 256 blocks to bound processing overhead and resource usage.[3][24]Data Frame Structure
The Replay Protected Memory Block (RPMB) employs a fixed 512-byte data frame format for all operations, ensuring compatibility with standard block I/O protocols in storage devices such as eMMC and UFS.[24] This structure facilitates secure data exchange between the host and the device, with fields arranged to support authentication and replay protection.[24] All multi-byte fields within the frame are encoded in big-endian byte order to maintain consistency across implementations.[24] The frame layout consists of padding followed by operational fields, a data payload, and authentication elements, as outlined in the following table:| Byte Offset | Size (bytes) | Field Name | Description |
|---|---|---|---|
| 0–195 | 196 | Stuff Bytes | Reserved padding initialized to 0x00, ensuring frame alignment and fixed total length. |
| 196–197 | 2 | Request/Response Type | Identifies the operation; examples include 0x0003 for Authenticated Read requests and 0x0004 for Authenticated Write requests. |
| 198–201 | 4 | Address | 32-bit starting address of the target block within the RPMB partition. |
| 202–205 | 4 | Write Counter | 32-bit monotonic counter incremented on each authenticated write; initializes to 0x00000000 and rolls over only after 4,294,967,296 writes. |
| 206–213 | 8 | Nonce | 64-bit random value generated by the host to prevent replay attacks. |
| 214–215 | 2 | Block Count | Number of 512-byte blocks for read/write operations (1 for other operations). |
| 216–471 | 256 | Data Block | Payload for read/write operations; for responses, starts with Operation Result (2 bytes) and Write Counter (4 bytes) if applicable; unused or zero-padded for other commands like counter reads. |
| 472–503 | 32 | Key MAC / Result MAC | Message authentication code computed using the shared authentication key over the frame (excluding stuff bytes and this field itself); used as Key MAC in requests and Result MAC in responses. |
| 504–511 | 8 | Reserved | Reserved bytes, set to 0x00. |
Implementations
Hardware Support in Storage Devices
The Replay Protected Memory Block (RPMB) is integrated into embedded MultiMediaCard (eMMC) storage devices as a mandatory feature starting from the JEDEC eMMC 4.4 specification, providing a dedicated secure partition typically sized at 4 MB for authenticated data storage with replay protection.[3] This partition is accessed utilizing a frame-based protocol over standard eMMC commands such as CMD23 for setup, CMD25 for writes, and CMD18 for reads, where each 512-byte frame includes fields for address, data, nonce, write counter, message authentication code (MAC), and result code.[3] Hardware acceleration for HMAC-SHA-256 computations ensures efficient verification of authenticity and integrity, with the 32-byte shared secret key provisioned securely during manufacturing to prevent unauthorized access.[3][23] In Universal Flash Storage (UFS) devices, RPMB support is available from UFS version 2.0 onward, as defined in the JEDEC UFS 2.0 specification (JESD220B), enabling secure storage through a well-known logical unit (W-LUN) encoded as 0x44 (or C4h with the WLUN_ID bit set).[27] Later iterations, such as UFS 3.0, introduced the capability to split RPMB into up to four independent regions, each with its own authentication key, facilitating multi-tenant security in high-performance embedded UFS deployments.[28] UFS 3.1 and 4.0 incorporate performance enhancements like WriteBooster (introduced in UFS 3.0) for improved write buffering and Host Performance Booster (HPB, introduced in UFS 3.1) for faster data access, which complement RPMB operations in embedded systems by reducing latency in secure read/write transactions over NVMe-like serial interfaces.[25][1] Major vendors have implemented RPMB in their storage chips to meet security demands in mobile and embedded applications. Samsung introduced RPMB support in its eMMC controllers starting around 2013, aligning with early adoption in Android devices for secure key storage and anti-rollback protection.[29] Kioxia (formerly Toshiba Memory) integrates RPMB into UFS devices tailored for automotive use cases, such as in UFS 4.0 modules that employ advanced RPMB for rapid access to user credentials and firmware integrity checks in vehicle infotainment and ADAS systems.[30] Western Digital has incorporated RPMB in eMMC and UFS products but disclosed protocol vulnerabilities in 2020, highlighting risks in replay attack scenarios across affected storage standards without proper freshness checks.[31] At the hardware level, RPMB requires a dedicated region within the NAND flash array, isolated from the main user data area to ensure physical separation and prevent tampering, alongside controller logic that securely stores the authentication key in non-volatile memory inaccessible to the host bus.[3] This isolation is achieved through on-chip monotonic counters for write sequencing and hardware-enforced MAC validation, minimizing exposure to side-channel attacks while maintaining compatibility with the device's overall flash management.[23]Software and OS Integration
The Linux kernel supports Replay Protected Memory Block (RPMB) through drivers in the MMC and UFS subsystems, exposing RPMB partitions as character devices such as /dev/rpmb0 for secure access by kernel modules and user-space applications.[32] Initial integration began with kernel version 4.11 in 2017, providing foundational support via the mmc-rpmb.c driver for eMMC devices, which abstracts the multi-step authentication process required for RPMB read, write, and counter operations. For UFS storage, the ufshcd driver includes RPMB functionality, enabling similar authenticated access on modern embedded systems.[33] The recent RPMB subsystem, merged in Linux 6.12, enhances this by standardizing interfaces for Trusted Execution Environment (TEE) drivers, such as OP-TEE, allowing direct kernel-level probing and operations without userspace intermediaries.[34] In Android, RPMB integrates with Android Verified Boot (AVB) 2.0 to store rollback indices and device lock states in a tamper-evident manner, preventing reversion to vulnerable firmware versions.[35] These indices are managed through TEE frameworks like OP-TEE, where the RPMB partition serves as secure storage accessed via ioctl calls from the normal world supplicant (e.g., tee-supplicant) to the secure world for atomic, authenticated updates.[36] This setup complements dm-verity, which enforces filesystem integrity during boot, by leveraging RPMB's replay protection for critical metadata like rollback counters.[37] OP-TEE enables this by configuring RPMB as a file system backend (via CFG_RPMB_FS=y), using a file allocation table for persistent secure data with HMAC-based authentication.[38] User-space access to RPMB is facilitated by libraries such as Android's librpmb, which handles data frame construction and authentication key management for operations like reads and writes.[39] In the Linux kernel, applications interact via ioctl interfaces on the RPMB device, including RPMB_IOC_PROG_KEY for one-time programming of the authentication key, ensuring secure initialization before regular use.[40] These ioctls abstract the protocol's frame format, allowing synchronous requests without exposing low-level details. Cross-platform support extends to Windows IoT and embedded Linux distributions, where RPMB drivers enable secure enclaves for IoT applications. In Windows, the IOCTL_STORAGE_QUERY_PROPERTY with StorageAdapterRpmbProperty queries RPMB presence and payload limits via the STORAGE_RPMB_DESCRIPTOR structure, supporting authenticated storage in embedded scenarios.[41] Embedded Linux variants, such as Yocto-based systems, inherit mainline kernel RPMB drivers for eMMC and UFS, providing consistent access in resource-constrained environments.Applications and Use Cases
Secure Boot Processes
Replay Protected Memory Block (RPMB) plays a critical role in secure boot processes by providing tamper-evident storage for essential boot metadata, including rollback indices and verified cryptographic keys, which help prevent downgrade attacks during firmware and operating system initialization.[7] In verified boot chains, RPMB ensures that only authorized and up-to-date firmware components can execute, maintaining the integrity of the boot sequence from the initial bootloader to the kernel. This storage mechanism leverages RPMB's replay protection to safeguard against unauthorized modifications or rollbacks to vulnerable versions, thereby enforcing a chain of trust rooted in hardware-backed authentication. A key example of RPMB's integration is in Android Verified Boot (AVB) 2.0, where it serves as persistent storage for rollback indices and device lock states, often managed through trusted execution environments like OP-TEE.[35] During the boot process, the bootloader retrieves these indices from RPMB to compare against the rollback values embedded in the vbmeta image; if the stored index exceeds the image's value, the boot is halted to block potential downgrades.[42] In hardware-specific implementations, such as Qualcomm Snapdragon processors, RPMB supports secure storage for firmware updates and recovery processes, including provisioning for authenticated operations post-fuse setup.[43] Similarly, NXP i.MX processors utilize RPMB in their Android security features to store rollback indices for verified boot, allowing confirmation of firmware versions against known secure states.[44] The primary advantage of RPMB in these processes is its provision of tamper-evident, replay-protected storage that maintains boot integrity without dependence on one-time writable fuses, which are limited in capacity and irreversibility.[7] This enables flexible yet secure management of boot counters and keys across device lifecycles, reducing the risk of persistent attacks while supporting over-the-air updates.[42]Trusted Execution Environments
Replay Protected Memory Block (RPMB) integrates with Trusted Execution Environments (TEEs) such as ARM TrustZone to provide persistent, replay-protected non-volatile storage for sensitive data, enabling secure runtime operations in isolated execution contexts. In this synergy, RPMB acts as a dedicated partition in storage devices like eMMC or UFS, where TEEs can store and retrieve critical assets including private keys, biometric templates, and application-specific secrets without exposure to the untrusted normal world operating system. The authentication mechanism of RPMB, which relies on a pre-shared key managed exclusively within the TEE, ensures that data writes and reads are protected against replay attacks through monotonic write counters and HMAC-based verification.[45][8] A prominent example of this integration is in OP-TEE, an open-source TEE implementation for ARM TrustZone, which utilizes RPMB as a backend for secure storage of persistent objects. When enabled via theCFG_RPMB_FS=y configuration, OP-TEE Trusted Applications (TAs) access RPMB using storage types like TEE_STORAGE_PRIVATE_RPMB, allowing them to manage encrypted files in a replay-protected manner. These persistent objects are organized using a File Allocation Table (FAT) structure within the RPMB partition, with data encrypted via AES-CBC derived from hardware-unique keys, ensuring confidentiality and integrity even if the normal world filesystem is compromised.[36]
The data flow in RPMB-TEE interactions maintains strict isolation: a TA in the secure world issues authenticated storage requests, which are forwarded to the normal world via the tee-supplicant daemon using ioctl calls to the Linux MMC subsystem's RPMB driver. This driver handles the low-level communication with the storage hardware, authenticating requests with the TEE-managed key before committing or retrieving encrypted data blobs, thereby preventing unauthorized access from the rich execution environment. Software drivers facilitate this bridging while preserving TEE boundaries, as detailed in broader OS integration contexts.[36][38]
RPMB's adoption in TEEs is widespread in mobile and embedded systems, particularly smartphones running Android with TrustZone-enabled SoCs, where it supports runtime secure storage for features like digital rights management (DRM) key protection. In IoT devices, RPMB similarly enables TEEs to safeguard device-specific secrets and firmware updates against tampering, enhancing security in resource-constrained environments.[34][46]