eMMC RPMB partition Counter feature

Question

I have a question about the RPMB rollback protection counter, according to the RPMB specification, when a write operation is issued to the RPMB partition, this partition will compare a physical counter (inside this partition) to the counter that the write operation has, if it is equal, then continue the next check (HMAC,etc). If the write operation is validated, this physical counter will increase by 1. Now here comes my question:

1. Is this a global counter for the whole RPMB patition ? Or everytime when we create a small chunk inside, then RPMB patition will have a counter associated to it ?
2. What is the size of this counter ? What will happen if there are too many write operations and then overflows?
3. If overflow happened, will the RPMB protect still valid ? Or no more write operations are allowed ?
4. Is there is way to factory reset the RPMB partition (like the normal user partition in Android ?)

Thanks.

Answer 1

After all, I got the answer:

1. Yes,there is a unique global counter, which does not depend on the partition creation in RPMB. Instead, this global counter will increase by 1 every time after a valid write operation.
2. According to RPMB reference, it is 32 bit. Currently there is no handle case if the counter overflow(since write to RPMB use case is very few).So it might reset to 0, or do not increase any more.
3. Depends on the RPMB manufacture design, maybe this partition will not allow any more write after overflow happens.
4. The content in RPMB can always be rewrite(like the normal RAM), so yes. However, for global RPMB partition counter, no.