LOCK MCU dependency?

[rstrongMCT]

if a storage device implements the optional LOCK feature, is there a requirement that the storage device implement Caliptra subsystem mode in lieu of the passive mode which is supported in Caliptra 1.1 as well as Caliptra 2.x? Currently, there is no requirement in the Caliptra 2.x specification or LOCK specification that requires a LOCK enabled device support subsystem mode.

There are existing robust and secure SoC implementations that do not require the assistance/capabilities of the MCU and we believe that the intent of the MCU is create an easier transition path for Caliptra support/adoption on devices that lack a rich, robust secure execution environment. If a device supports LOCK and the device implements a secure execution environment within the SoC, then the device should be allowed to implement passive mode or subsystem mode.

If the above statement isn't accurate, then we'd like to have a discussion. 

[bluegate010]

The requirement for Subsystem mode comes from the need for Caliptra Core to support an AXI manager so it can program MEKs to the controller's inline encryption engine. The AXI manager is presently only available with Subsystem.