AM2634: HSM Integration in SDK SBL

Abdelrhman Afifi

Intellectual 415 points

Part Number: AM2634

Hello,

I have HSM software and need to integrate it inside the SBL, is there any guide for this?

Yours,

over 2 years ago

0 Aakash Kedia over 2 years ago

TI__Mastermind 26025 points

Hi Abdelrhman Afifi,

The HSM firmware integration is already covered as part of SBL for HS-FS devices as mentioned below - https://software-dl.ti.com/mcu-plus-sdk/esd/AM263X/latest/exports/docs/api_guide_am263x/SECURITY_PAGE.html

If you need more insights on integration and enablement of Security on AM263x devices, please refer to AM26x MCU+ Academy - "Enabling Security" --

https://dev.ti.com/tirex/explore/node?node=A__AESgmqK3b93425uf.HP2zA__AM26X-ACADEMY__t0CaxbG__LATEST

Best Regards,
Aakash

0 Abdelrhman Afifi over 2 years ago

Intellectual 415 points

Thanks for your help,
I have a follow-up question If the board SBL load the HSM firmware and then the SBL jumps to my application, my application needs to use the HSM firmware.
Is it required to load it again inside the application or is it just loaded once in the board SBL?

Yours

0 Aakash Kedia over 2 years ago in reply to Abdelrhman Afifi

TI__Mastermind 26025 points

Hi Abdelrhman Afifi,

As per the secure boot flow, the SBL is responsible for HSM Run Time. After the HSM Run Time is loaded, SBL or Application can leverage the same.

This will inform about the same - https://software-dl.ti.com/mcu-plus-sdk/esd/AM263X/latest/exports/docs/api_guide_am263x/EXAMPLES_HSM_SERVICES.html#autotoc_md1575

Best Regards,
Aakash

0 Abdelrhman Afifi over 2 years ago in reply to Aakash Kedia

Intellectual 415 points

Hello,

What are the types of reset that will require HSM firmware reloading? (i.e. power-on reset, warm reset,....)

Does resetting the Host core will reset the HSM core as well?

0 Abdelrhman Afifi over 2 years ago in reply to Abdelrhman Afifi

Intellectual 415 points

After conversion to SE, it is mentioned that the debug port will be disabled, how should I test and debug my software?

0 Aakash Kedia over 2 years ago in reply to Abdelrhman Afifi

TI__Mastermind 26025 points

Hi Abdelrhman Afifi,

By default the debug access to HSM as well as public cores are disabled in case of HS-SE devices. The request can be requested via HSM Client service as mentioned here - https://software-dl.ti.com/mcu-plus-sdk/esd/AM263X/latest/exports/docs/api_guide_am263x/EXAMPLES_HSM_SERVICES.html

More details in My Secure SW link here - https://software-dl.ti.com/secure/software/sitara-sec/AM263X-RESTRICTED-SECURITY/TIFS_MCU/v08_06/tifs_am263x_08_06_00_05_docs_only/docs/api_guide_am263x/html/HSM_DBG_SRV.html?__gda__=1691584887_6db356badf79dfd78f25461319c0c8dd

Hope it helps.

Best Regards,
Aakash

0 Aakash Kedia over 2 years ago in reply to Abdelrhman Afifi

TI__Mastermind 26025 points

Hi,

Abdelrhman Afifi said:
What are the types of reset that will require HSM firmware reloading? (i.e. power-on reset, warm reset,....)

In terms of reset, there are warm reset and cold reset(PORZ). For either of the cases the HSM needs to be reloaded.

Abdelrhman Afifi said:
Does resetting the Host core will reset the HSM core as well?

If you mean by FSM trigger, it only resets the subsystem. It has no impact on SoC, hence no impact on HSM core as well.

Best Regards,
Aakash

0 Abdelrhman Afifi over 2 years ago in reply to Aakash Kedia

Intellectual 415 points

Hi Aakash,

Thanks for your help.

If the SBL loads the HSM and then gives control to the application, what are the required APIs the application should call in order to use the HSM?
The application does not need to reload the firmware again, but does it need to call the init API for example?

0 Aakash Kedia over 2 years ago in reply to Abdelrhman Afifi

TI__Mastermind 26025 points

Hi Abdelrhman Afifi,

Abdelrhman Afifi said:
what are the required APIs the application should call in order to use the HSM?

All the mentioned APIs in the HSM Client details are explained in the link above.

Abdelrhman Afifi said:
The application does not need to reload the firmware again, but does it need to call the init API for example?

HSM will be initialized during its installation. Application can directly invoke client APIs to use HSM Services. Client Init at application end will be handled via System_Init code generated as part of syscfg.

Hope it helps.

Best Regards,
Aakash

0 Abdelrhman Afifi over 2 years ago in reply to Aakash Kedia

Intellectual 415 points

Hello,

Aakash Kedia said:
Client Init at application end will be handled via System_Init code generated as part of syscfg.

I am not using the SDK so the is no code to be generated from the syscfg.
So the needed API to be called in the Application before using HSM services is Client init? Is that correct?

0 Aakash Kedia over 2 years ago in reply to Abdelrhman Afifi

TI__Mastermind 26025 points

Abdelrhman Afifi said:
So the needed API to be called in the Application before using HSM services is Client init? Is that correct?

That is the correct understanding.

Arm-based microcontrollers

Arm-based microcontrollers forum

AM2634: HSM Integration in SDK SBL