[FAQ] What are the TI deliverables for security in MCU+ devices ?

Q1 : Does TI devices support hardware accelerators ?

Yes, MCU+ device class (AM243x, AM263x and AM273x) in TI supports hardware cryptography.

Q2 : What type of supports are present in the hardware ?

MCU+ devices have a security island to provide isolation with a dedicated core for security. For AM243x, the security core is Cortex M3 and for AM263x and AM273x, the security core is Cortex M4. The devices like AM243x family have SA2UL and AM263x and AM273x have DTHE which are the symmetric hardware accelerators and PKA which is asymmetric hardware accelerator. These accelerators can be used with uDMA / eDMA to offload the CPU processing as well as computation power. It supports AES, MAC, SHA, RSA, ECC, as well as TRNG. It also supports features like Secure Boot (in Secure-ROM), Secure Debug support, Memory Firewalls etc.

Q3. How does application core interact with security core ?

Application cores can send request via TISCI for AM243x and Secure IPC (using the MBOX) for AM263x and AM273x to security cores to avail services delivered by HSMRt Firmware.

Q4. What are different configuration of devices delivered by TI ?

TI delivers High Secure (HS) devices for production. The High Secure devices are delivered as High Secure Field Secure (HS-FS) devices. These devices are classified as limited security devices due to lesser security supports like secure boot and secure debug. The Memory Firewall will be default configuration only to protect the entities of Security Core. The SBL authentication is optional and certificates are not verified. The debug connectivity to HSM cores are permanently disabled in this state but Application cores will be accessible for Debug. The TIFS-MCU firmware delivered by TI can only be used on HS-FS devices. The source code for TIFS-MCU Firmware for FS devices are not shared.

Only for AM263x and AM273x -

After requesting the access to TIFS package, the customer has the access to HSM care package. The care package consists of a OTP key writer which allows customer to program their secrets in the one-time programable memory of the devices. After the secrets are programmed in the device, the device is considered as High Secure (Security Enabled). TI classifies HS-SE as high secure device. By default, the debug for all the cores are closed in the device. Although the debug enablement can be requested for Application cores via SBL or TIFS services. The secure boot of application can be enabled in the device. The SBL authentication and certificates verification is mandatory though support of encrypted SBL can be enabled. In this mode, the Root of Chain of Trust shifts from TI secrets/keys to customer secrets/keys.

For more details on the same, please go through the Security Hardware Addendum.

Q5. What are TI deliverables in software ?

For AM263x and AM273x, TI delivers HSM care package which consists of OTP key writer which allows users to change their device from HS-FS to HS-SE. The package also consists of TIFS-MCU firmware package. The TIFS(TI Foundation Security) MCU firmware is the security firmware which is executed on HSM core or ARM Cortex M4F. The security firmware is released with the source code and users have freedom to update the source code in order to add custom features in the software. The package also consists of various tools which allows secure image generation, certificate generation etc.

Q6. Is the AutoSAR stack for these drivers available ?

Vector who is a 3P of TI provides a veHSM stack which will be delivered for AM263x and AM273x. This will have Crypto layer support for AM2X devices in MCAL.

Q7. Will the software delivery also consists of demo examples ?

Yes, the TIFS or the MCU_PLUS_SDK release will have examples for Security features like Encryption, Decryption, MAC Generation and Verification, Hashing, Random Number Generation, Secure Boot, Debug Authorization etc. These features are subject to be part of release which caters the features.

Q8. What is the cost of the TIFS package ?

The TIFS is an extension of MCU+ SDK. It is available to customers for free of charge. Although a request has to be raised by the user.

For AM263x, the request must be raised at this link – AM2634 data sheet, product information and support | TI.com

Direct link to the same - https://www.ti.com/licreg/docs/swlicexportcontrol.tsp?form_id=337487&prod_no=AM263X-RESTRICTED-SECURITY&ref_url=EP-proc-Sitara-MCU

Q9. What tools are planned as a part of HSM Care Package ?

The TIFS package will have support to tools to create High Secure boot images, Debug Certificates, Sysconfig support for HSM cores. This is also subject to be part of release which caters the features.

To download the TIFS Package or the OTP Key writer, checkout the product page link - https://www.ti.com/product/AM2634#product-details

This will redirect the user to go through a NDA and then post approval, they will have access to My Secure SW deliverables.