• State Resolved
  • Locked Locked
  • Replies 3 replies
  • Subscribers 30 subscribers
  • Views 394 views
  • Users 0 members are here
Support feedback
Options
Options
Similar topics

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

AM2634-Q1: questions about HSM: run-time FW, SBL support

Will Gao
Intellectual 2335 points
Part Number: AM2634-Q1

Hi experts, 

In regarding to the HSM, customer and I have following questions, please help check and give your guidance: 

1). For HS-FS device type and PG1.0A silicon version, does it support loading HSM runtime Firmware? From the SDK bootloader API, it seems that only PG1.1 and HS-SE can load HSM firmware, can we modify the API and let SBL loads the HSM runtime FW? 

2). What kinds of services does the default HSM runtime FW provide? E.g. opening the system MPU service? 

3). Do we have the source codes of the default HSM runtime FW? 

4). For HS-FS device type, if there is no HSM runtime FW, what kind of state will the HSM get into? Will it also eclipse the HSM ROM, or it will stall in a loop? 

5). Further question based on 4), if the HSM ROM is not eclipsed, what kinds of services will the HSM ROM will provide? Can R5 CPU get some services via IPC mailbox from HSM now? If there are services, does SDK or TIFS-MCU provide any drivers for R5 CPU to access these services? 

6). For HS-SE device type, if customer wants to do authentication and encryption on the App image, the SBL and HSM run-time Firmware should make some modification to support it, right? 

Thanks for your help!

Best Regards, 

Will 

  • +1
    TI__Mastermind 25795 points

    Hi Will,

    Will Gao said:
    1). For HS-FS device type and PG1.0A silicon version, does it support loading HSM runtime Firmware? From the SDK bootloader API, it seems that only PG1.1 and HS-SE can load HSM firmware, can we modify the API and let SBL loads the HSM runtime FW? 

    PG1.A only supports HSM Run Time loading for HS-SE device. The HS-FS firmware is not released for PG1.A devices. The HS-FS firmware is only released for PG1.1 devices.

    Will Gao said:
    2). What kinds of services does the default HSM runtime FW provide? E.g. opening the system MPU service? 

    More information is available here - https://software-dl.ti.com/mcu-plus-sdk/esd/AM263X/latest/exports/docs/api_guide_am263x/DRIVERS_HSMCLIENT_PAGE.html

    Will Gao said:
    3). Do we have the source codes of the default HSM runtime FW? 

    Yes, these sources are available to user after they have signed the NDA via Product Page -

    Will Gao said:
    For HS-FS device type, if there is no HSM runtime FW, what kind of state will the HSM get into? Will it also eclipse the HSM ROM, or it will stall in a loop?

    If its the HS-FS device and PG1.1 with HSM Firmware loaded then the firmware will wait for interrupt and its services. HSM ROM will be eclipsed. Else the HSM ROM will wait for installation request from the device.

    Will Gao said:
    5). Further question based on 4), if the HSM ROM is not eclipsed, what kinds of services will the HSM ROM will provide? Can R5 CPU get some services via IPC mailbox from HSM now? If there are services, does SDK or TIFS-MCU provide any drivers for R5 CPU to access these services? 

    Yes, HSM ROM only provides an option to install the HSM Run Time.

    Check this function - Hsmclient_loadHSMRtFirmware

    Will Gao said:
    6). For HS-SE device type, if customer wants to do authentication and encryption on the App image, the SBL and HSM run-time Firmware should make some modification to support it, right? 

    No, on HS-SE devices the Security is enforced. So authentication of application is a must. Although encryption is optional. This can be done either by command line or devconfig.mak file modifications. These will be taken in the documentations directly when the feature is available.

    Best Regards,
    Aakash

  • 0 in reply to Aakash Kedia
    TI__Intellectual 2335 points

    Hi Aakash, 

    Thanks so much for your detailed explanation. Totally understood the question of 1)-5) now.

    However for question 6), do you mean that in command line or devconfig.mak file, there will be commends to compile the SBL and HSM run-time FW accordingly to let them support authentication of app image, right? 

    Best Regards, 

    Will 

  • +1 in reply to Will Gao
    TI__Mastermind 25795 points

    Hi Will,

    MCU_PLUS_SDK for AM263x currently does not support the same. But this is planned for 09.00 release. Although the feature will be similar to how AM243x supports the same like this -

    https://software-dl.ti.com/mcu-plus-sdk/esd/AM243X/latest/exports/docs/api_guide_am243x/SECURE_BOOT.html

    Hope this helps.

    Best Regards,
    Aakash