Hi TI,
I have some questions regarding secure boot on AM2634. I'm aware that RSA-4096-PKCS1V15 and RSA-4096-PSS are supported, but is ECDSA also supported? Can you please clarify all the crypto algorithms supported for secure boot?
Additionally, how do I switch between these algorithms? Does the OTP keywriter support generating ECDSA keys?
Best Regards,
Yang
Hi Yang
I'm aware that RSA-4096-PKCS1V15 and RSA-4096-PSS are supported, but is ECDSA also supported? Can you please clarify all the crypto algorithms supported for secure boot?
We have a plan to enable ECDSA-based secure boot by the end of April 2025. Please refer to the documentation of TIFS for the currently supported algorithms.
Additionally, how do I switch between these algorithms? Does the OTP keywriter support generating ECDSA keys?
Also, for the OTP keywriter the plan is the same: to enable ECDSA-based key generation by April 2025.
Hi Nilabh,
Thanks for the clarification.
As for the RSA-2048/3072/4096, is it correct that the secure boot mechanism does not need additional configuration by the customer as long as the corresponding root key is provisioned into the eFuse? Additionally, does the OTP keywriter package support generating keys with a specific length?
Best Regards,
Yang
As for the RSA-2048/3072/4096, is it correct that the secure boot mechanism does not need additional configuration by the customer as long as the corresponding root key is provisioned into the eFuse?
Yes, that is true.
Hi Nilabh,
I see my edited reply wasn't refreshed for you. The customer wants to know if the OTP keywriter package supports generating keys with a specific length.
B R,
Yang
Additionally, does the OTP keywriter package support generating keys with a specific length?
Yes, it generates dummy keys for testing only; ideally, keys should be provided by the user.
For more details, please look at the gen_keywriter_cert.sh script in the OTP package and search for the -g argument; you will find more details on which lengths of keys are generated. I will not be able to attach a snippet as it is restricted content. It uses OpenSSL to generate the dummy keys. You can modify the default config for your needs.
Nilabh,
The customer wants to know if the secure boot supports configuration of hashing algorithms. Can we switch between SHA-256, SHA-384 and SHA-512? I can see the default support is based on SHA-512.
Yang
Yes, it is possible to switch while you build the HSMRT image:
The supported hash algorithm values are sha512, sha384 and sha256. The default value is sha512.
Below is an example of how to change it to 256.