AM2432: EVM

Venkata Kishore Kajuluri

Part Number: AM2432

Tool/software:

Does TI use a FIPS version of Openssl to generate the keywriter certs? on a FIPS enabled machine usage of PKCS1 padding is prohibited in Openssl V3. Is there any known workaround for this?

10 months ago

0 Prashant Shivhare 10 months ago

TI__Guru 69161 points

Hi Venkata,

The latest Keywriter v10.00.08 recommends using OpenSSL v3.1.2 or v3.2.1 both of which are not FIPS validated as outlined in the following OpenSSL documentation

https://openssl-library.org/source/#:~:text=The%20following%20OpenSSL%20version(s)%20are%20FIPS%20validated%3A

Regards,

Prashant

0 Venkata Kishore Kajuluri 10 months ago in reply to Prashant Shivhare

Prodigy 60 points

Prashant Shivhare But once validated this still will cause issue as PKCS1 padding will be disallowed in FIPS mode. Does TI have any workaround for this? or are we not able to generate certs with FIPS mode? https://github.com/openssl/openssl/blob/f1607c8a2c04bcb95ddb2e6fc4e0aaec9729929b/doc/man7/fips_module.pod#L240 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf

0 Venkata Kishore Kajuluri 10 months ago in reply to Venkata Kishore Kajuluri

Prodigy 60 points

Hi,

Does the security controller firmware support any other padding modes that we can use? or just PKCS1? If OEAP is supported, we could use that in FIPS mode

0 Newman 10 months ago in reply to Venkata Kishore Kajuluri

TI__Expert 5995 points

Hi Prashant,

Any update here?

Thx, Merril

0 Newman 10 months ago in reply to Newman

TI__Expert 5995 points

Hi Prashant,

Any update?

Thx, Merril

0 Newman 9 months ago in reply to Newman

TI__Expert 5995 points

Hi Prashant,

Can you please update this thread w/ the latest status?

Thanks, Merril

0 Prashant Shivhare 9 months ago in reply to Newman

TI__Guru 69161 points

Hi Venkat,

Venkata Kishore Kajuluri said:
Does the security controller firmware support any other padding modes that we can use? or just PKCS1?

The AM64/243 SYSFW only has the support for PKCS#1v1.5 scheme. If the FIPS valiated OpenSSL mandatorily prevents using this scheme then you have to use the regular OpenSSL only.

Regards,

Prashant

0 Newman 9 months ago in reply to Prashant Shivhare

TI__Expert 5995 points

Hi Venkat,

The customer would like to request "FIPS validated Openssl support for future release. This means changing TI's sysfw binary for a new padding, for example OEAP, which is allowed in FIPS mode. Need to understand whether this needs to involve ROM code change or if this could be handled/implemented without a ROM code change."

If TI can add this feature/mode, when could it be implemented? Can a Jira be opened for this?

Thanks, Merril

0 Kavitha Malarvizhi 9 months ago in reply to Newman

TI__Prodigy 690 points

Hi ,

ROM code only supports PKCS#1.5 signing scheme for signing the SBL Key-writer.

Regards,

Kavitha

0 Mukul Bhatnagar 6 months ago in reply to Kavitha Malarvizhi

TI__Guru* 83745 points

Hello Venkat

I believe as per Merill this issue is still open and being tracked by you. I wanted to just re-iterate that as mentioned by Kavitha and team, there is currently no ability to workaround this, as the AM24 ROM does not support this. To address this requirement requires a silicon spin, that is currently not in scope for this device.

Let us know how we can help you move forward on this.

Arm-based microcontrollers

Arm-based microcontrollers forum

AM2432: EVM