AM2432: Support for Elliptic Curve Customer keys using key-writer

Part Number: AM2432

Hi,

Does the part support writing Elliptic Curve keys as customer keys using the key writer? Also, do we need the key-writer to send the key material X509 certificate to the chip, or can this BLOB be part of the flashed image? I.e., do we need the key writer at a manufacturing location to program SMEK, SEK etc.?

Also are there any special permissions needed to get access to the keywriter to test the BLOB generation workflow?

  • Hi Venkata Kishore Kajuluri,

    TI does not recommend Elliptical Curve keys for PG1.0 (More information cannot be shared on this forum).
    From PG2.0 ECDSA keys can be used.

    Does the part support writing Elliptic Curve keys as customer keys using the key writer?

    At this moment, the keywriter does not support Elliptical Curve keys.

    Also, do we need the key-writer to send the key material X509 certificate to the chip or can this BLOB be part of the flashed image?

    The keywriter can be flashed along with the X509 certificate, but this is an overhead, as the keywriter application is a one-time usable application and you don't need its services on every boot cycle, so we suggest using UART mode to simply have the keywriter application as a RAM application to program the BLOB instead of flashing it.

    do we need the key writer at a manufacturing location to program SMEK, SEK etc?

    Yes, you will need the keywriter application to program the SMEK, SEK and other customer secrets at the manufacturing unit.

    any special permissions needed to get access to the keywriter to test the BLOB generation workflow?

    Do you mean the source code of the keywriter? That is not accessible to the customers.

    Best Regards,
    Aakash

  • Hi, thank you very much for the quick responses. For the last question, I was referring to the key-writer software application to generate the BLOBs for testing purposes before using the application in production.

  • Hi, one more additional question. Is the key writer able to write only the hash of the public key, or would it also be able to write the public key itself onto the device? If not, where can the public key reside on the chip? Is it intended to be loaded along with the customer application, which is again used to verify the same app that is signed with the private key associated with the application?

  • Hi,

    I was referring to the key-writer software application to generate the BLOBs for testing purposes before using the application in production.

    We have dummy keys support provided with the application.

    Is the key writer able to write only the hash of the public key, or would it also be able to write the public key itself onto the device?

    Only Public Key Hashes are programmed in the device eFuses.

    The user can keep the public key on the device in encrypted format or use secure storage on the device.

    is it intended to be loaded along with the customer application which is again used to verify the same app that is signed with the private key associated with the application?

    If Extended Secure Boot is enabled, then the customer application needs to be signed with the private key, and the public key is part of the certificate programmed on the flash.

    Hope this helps,
    Aakash