packages/chip/docs/risks/risk-register.md
The project is a fully open-source hardware Android phone research program. The v0 prototype must keep the hardest closed-system risks outside the critical path while still building real, testable artifacts.
| Risk | Owner | Status | Severity | Likelihood | Trigger | Failure mode | Mitigation | Evidence |
|---|---|---|---|---|---|---|---|---|
| Snapdragon/Dimensity-class custom SoC scope | architecture | Active | Critical | Very high | Any milestone claims flagship parity without L0-L6 benchmark artifacts. | The project tries to build CPU, GPU, NPU, ISP, modem, LPDDR PHY, PMIC coupling, security, and BSP at once. | Keep v0 to e1_soc, open RTL expansion, and COTS board Android baseline. | docs/benchmarks/report-schema.yaml, docs/project/three-week-execution-plan.md |
| Drop-in flagship pin compatibility | package | Active | Critical | High | Any package, pinout, or PMIC claim copies a commercial phone assumption. | Proprietary package, PMIC, boot, RF, memory, and legal assumptions are copied or guessed. | Exclude pin compatibility; use architecture budgets only. | package/e1-demo-pinout.yaml, docs/pd/padframe/e1_demo_padframe.md |
| Advanced-node open silicon | pd | Active | Critical | Very high | A phone-class AP claim depends on SKY130/GF180 PPA. | Open PDK and open EDA cannot deliver phone-class PPA on modern nodes. | Use SKY130/GF180 only for demonstrators; use commercial silicon for phone baseline. | pd/openlane/config.json, docs/toolchain/README.md |
| LTE/5G modem | phone-board | Active | Critical | Very high | Any v0 task adds integrated modem or RF front-end scope. | Open modem stack cannot meet modern network, RF, certification, and carrier requirements. | Use certified external modem module; exclude integrated baseband. | docs/board/README.md, docs/risks/risk-register.md |
| LTE/5G modem | phone-board | Active | Critical | Very high | Any v0 task adds integrated modem or RF front-end scope. | Open modem stack cannot meet modern network, RF, certification, and carrier requirements. | Use certified external modem module; exclude integrated baseband. | board/README.md, docs/risks/risk-register.md |
| LPDDR5X/LPDDR6 PHY | memory | Active | Critical | High | Any v0 artifact claims custom LPDDR PHY readiness. | Mixed-signal PHY, training, SI/PI, and package co-design fail. | Use COTS SoC memory subsystem for product path; model only in open RTL path. | docs/rtl/open_rtl_prototype_path.md, docs/arch/memory-map.md |
| GPU and Android graphics | graphics | Active | Critical | High | A UI or benchmark claim lacks HWC/gralloc/CTS evidence. | No performant Vulkan/GLES stack, HWC, gralloc, sync, or CTS behavior. | Framebuffer first; conformance before performance; no flagship GPU claim in v0. | docs/benchmarks/benchmark-matrix.md, docs/android/riscv-bringup.md |
| Camera ISP | camera | Active | Critical | High | Any camera claim goes beyond simple/UVC or mocked HAL behavior. | Sensor tuning, 3A, HDR, denoise, HAL3, and calibration are missing. | UVC/simple camera only; exclude computational photography. | docs/android/riscv-bringup.md, sw/aosp-device/device/eliza/eliza_ai_soc/manifest.xml |
| Android compatibility | android | Active | Critical | High | AOSP boot is treated as compatibility without CTS/VTS result paths. | AOSP boots but CTS/VTS/HAL/Treble fail. | Track AOSP boot separately from compatibility; run subsets early. | sw/aosp-device/device/eliza/eliza_ai_soc, scripts/check_aosp_bsp.py |
| Power and thermal | validation | Active | High | High | Any performance report omits sustained duration, thermal, or power fields. | Benchmarks pass briefly but device throttles or drains battery. | Require sustained loops and external power measurement for product claims. | docs/benchmarks/report-schema.yaml, docs/fw/board-smoke/tests/smoke_plan.md |
| Verification burden | verification | Active | Critical | Very high | RTL changes land without cocotb/formal/Verilator evidence. | RTL bug survives to tapeout or corrupts memory/security state. | Formal, cocotb, Verilator, FireSim, Linux stress, and release gates. | verify/cocotb, verify/formal, scripts/pipeline_check.py |
| Floating toolchain inputs | release | Active | High | High | Tool versions, image digests, lockfiles, or SHAs are absent from release evidence. | A later Docker apt, Nix, OpenLane2, Chipyard, or Python package update changes results or breaks a reproduced run. | Require .venv, tool version reports, lockfiles/digests/SHAs before release evidence. | docs/toolchain/README.md, scripts/tool_versions.sh |
| Local fork drift | release | Monitoring | High | Medium | A local OpenLane/Chipyard/PDK/AOSP fork is required but lacks upstream base and retirement plan. | A private OpenLane/Chipyard/PDK/AOSP patch becomes the only working path and cannot be reviewed or upstreamed. | Fork only for named release blockers; record upstream base SHA, patch branch, and retirement plan. | docs/toolchain/headless-cli-audit.md, .github/workflows/ci.yml |
| Scaffold check mistaken for proof | release | Active | High | High | A docs-only or preflight check is used as implementation evidence. | Missing OpenLane/Renode/AOSP/FPGA tools are hidden behind docs-only checks and treated as implementation evidence. | Every absent heavy tool must map to an explicit blocked gate and required unblock artifact. | scripts/check_pd_preflight.py, scripts/pipeline_check.py |
| OpenLane/PDK reproducibility | pd | Active | High | High | OpenLane image, PDK, or manifest digest is not pinned or installed for a PD run. | PD results cannot be reproduced or compared across machines. | Pin image digests, record manifests, and block signoff without run artifacts. | scripts/install_openlane_image.sh, pd/signoff/manifest.yaml |
| FPGA bitstream bring-up | fpga | Active | High | Medium | FPGA release proceeds while board revision or pins remain unassigned. | The hardware path cannot prove reset, debug bridge, GPIO, or timing on a real board. | Keep bitstream release blocked until exact board/pins are assigned and a build transcript exists. | board/fpga/e1_demo_fpga.yaml, board/fpga/constraints/e1_demo_ulx3s.lpf |
| Board DFM and procurement | phone-board | Active | High | Medium | Fabrication outputs are generated before stackup, package, BOM, and DFM review. | Prototype boards are unbuildable, untestable, or blocked by unavailable components. | Treat KiCad artifacts as planning until package footprint, test points, BOM alternates, and DFM notes are reviewed. | docs/board/kicad/e1-demo/fab-notes.md, docs/manufacturing/release-manifest.yaml |
| Gap inventory drift | program | Active | High | Medium | Workstream status docs omit known stubs, scaffolds, LARPs, untested claims, or complete gaps. | The release narrative overstates maturity and hides blocked subsystem gates. | Keep the gap review stricter than subsystem claims and require project-plan checks to validate its structure. | docs/project/workstream-gap-review.md, scripts/check_project_plan.py |
| Secure boot / key ladder absent | security | Active | Critical | Very high | Any claim of "secure boot", "verified boot", "rollback protected", "debug locked", or "KeyMint ready" without all rejection/acceptance transcripts archived. | ROM is identity-only; no signature verification, key ladder, rollback, or lifecycle gating exists; a tampered or downgraded image would execute. | Implement signed image format, Ed25519 key ladder, OTP rollback indices, and lifecycle gating per docs/security/boot-image-format.md and docs/security/threat-model.md; gate release on docs/security/test-plan.md TC-BOOT-*, TC-ROLLBACK-*. | docs/security/threat-model.md, docs/security/boot-image-format.md, docs/security/otp-fuse-map.md, docs/security/test-plan.md, docs/project/security-usb-storage-update-fail-closed-work-order-2026-05-17.yaml |
| Debug policy / JTAG gating absent | security | Active | Critical | High | Any production-lock claim without per-lifecycle JTAG/SWD gating, debug-auth, and RMA key-erasure transcripts. | JTAG would remain open on LOCKED devices; user keys exposed via debug; no path from LOCKED to authorized service without compromising user data. | Implement per-lifecycle gating, Ed25519 debug-auth, and hardware-driven RMA wipe per docs/security/debug-policy.md; gate release on TC-DEBUG-*. | docs/security/debug-policy.md, docs/security/otp-fuse-map.md, docs/security/test-plan.md |
| AVB / A/B / OTA / recovery absent | security | Active | Critical | Very high | Any "AVB enabled", "A/B OTA ready", "recovery ready", or "fastboot secure" claim without TC-OTA-*, TC-AB-*, TC-RECOVERY-*, TC-FASTBOOT-* evidence. | AOSP fstab.eliza AVB flags are scaffold markers; OTA, recovery, lock-state, and slot switch are unimplemented; bad/rollback/interrupted OTA could brick or downgrade. | Implement AVB chain, A/B slot metadata, staged OTA with battery/storage/signature gates, and recovery image per docs/security/avb-a-b-ota.md. | docs/security/avb-a-b-ota.md, docs/security/test-plan.md, docs/project/security-usb-storage-update-fail-closed-work-order-2026-05-17.yaml |
| Manufacturing key ceremony / signer audit absent | security | Active | Critical | High | Any production provisioning without HSM-rooted ceremony, split-knowledge custody, signer audit log, and named VRO. | A single insider could sign arbitrary images; revocation impossible without root ceremony; per-device attestation unverifiable. | Stand up offline + online HSM with FIPS 140-2 L3, split-knowledge custody, append-only audit log, and named Vulnerability-Response Owner per docs/security/key-ceremony.md. | docs/security/key-ceremony.md, docs/security/otp-fuse-map.md |
| USB / Type-C / PD compliance not in v0 | phone-board | Active | High | High | Any "USB-C ready", "USB compliant", or "PD ready" claim. | Without USB-IF pre-scan or certification, marks and claims violate USB-IF license terms; PD source/alt-mode bugs could damage hosts. | Restrict v0 to USB 2.0 device-mode sink-only per docs/security/usb-pd-spec.md; archive explicit no-cert claim; defer source/PD/alt-mode to a separate work order with pre-scan evidence. | docs/security/usb-pd-spec.md, docs/project/product-architecture-security-radio-sensors-optimization-2026-05-17.yaml |
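
The claim triggers in the security and USB rows can be checked mechanically before release text ships. The sketch below is an added example, not one of the project's scripts: it flags unquoted claim phrases whose test-case transcripts are not archived. Pairing each row's phrases with that row's TC prefixes, the function name, the sample notes, and the transcript file names are assumptions.

```python
import re

# Claim phrase -> TC prefixes that must all have an archived transcript.
# Phrases and prefixes are taken from the register rows; pairing them row by
# row is an assumption of this example.
BOOT = ("TC-BOOT-", "TC-ROLLBACK-")
UPDATE = ("TC-OTA-", "TC-AB-", "TC-RECOVERY-", "TC-FASTBOOT-")
NEVER_IN_V0 = None  # the claim itself is the trigger; nothing unblocks it
CLAIM_GATES = {
    "secure boot": BOOT, "verified boot": BOOT, "rollback protected": BOOT,
    "debug locked": BOOT, "KeyMint ready": BOOT,
    "AVB enabled": UPDATE, "A/B OTA ready": UPDATE,
    "recovery ready": UPDATE, "fastboot secure": UPDATE,
    "USB-C ready": NEVER_IN_V0, "USB compliant": NEVER_IN_V0,
    "PD ready": NEVER_IN_V0,
}

def find_unbacked_claims(text, transcripts):
    """Return (line_no, phrase, missing_prefixes) for claims lacking evidence."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for phrase, required in CLAIM_GATES.items():
            # A phrase in double quotes is a mention (as in the register's
            # Trigger column), not a claim, so it is skipped.
            pattern = r'(?<!")\b' + re.escape(phrase) + r'\b(?!")'
            if not re.search(pattern, line, re.IGNORECASE):
                continue
            if required is None:
                findings.append((no, phrase, ("none accepted in v0",)))
                continue
            missing = tuple(p for p in required
                            if not any(t.startswith(p) for t in transcripts))
            if missing:  # fail closed: every prefix needs evidence
                findings.append((no, phrase, missing))
    return findings

# Constructed sample input, not taken from the project.
SAMPLE_NOTES = """\
Release notes (constructed sample)
ROM now supports secure boot with an Ed25519 key ladder.
Register row quotes "verified boot" as a trigger phrase.
Board is USB-C ready.
Update path: AVB enabled on both slots.
"""
SAMPLE_TRANSCRIPTS = ["TC-BOOT-001.log", "TC-OTA-001.log", "TC-AB-001.log"]

if __name__ == "__main__":
    for finding in find_unbacked_claims(SAMPLE_NOTES, SAMPLE_TRANSCRIPTS):
        print(finding)
```

A non-empty result would block the release text; matching on file-name prefixes only shows that a transcript exists, not that the test passed.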