Part Number: AM2634
Tool/software:
Hi TI,
We are seeking clarification on several aspects of the keywriter mechanism and secure boot processes as we are integrating these technologies into our production. Below are some detailed questions we hope to have answered:
-
What is the function of the certificate generated by using
gen_keywr_cert.sh? Is there a relation betweensmek.key, the public key fromsmpk.pemand the key writing certificate? -
Is the code in the keywriter additional package not actually keywriter code? What is the relation between Keywriter Code, SBL and Tools(Certificate generation) and how do they work?
-
What is the purpose of the folder
source/security/tifs/sbl_keywriter/scripts/cert_gen/common/keys_devel? -
How does the keywriter image write keys into the chip's otp efuse?
-
Is the following process during factory production feasible?
a. The programming station writes the key writer image to a RAM address via CAN, where it executes to write keys.
b. The programming station writes signed production software to Flash via CAN.
c. Power cycle the device, and secure boot becomes effective. -
Is the entire binary image file encrypted using
smek.keyfor SBL and HSM runtime firmware? Is this encryption process completed during compilation? Are the so-called HS-SE device signed SBL and HSM firmware actually both signed and encrypted image files? -
Is the signature calculated based on the encrypted image or the unencrypted image? That is, what is the sequence of encryption and signing?
We appreciate your assistance in providing detailed explanations to these inquiries, which will help us ensure our implementation aligns with best practices and technical specifications.
Best regards,
Cesc Yang.
