
AM263P4: Secure Boot: individual calibration section flashing

Part Number: AM263P4
Other Parts Discussed in Thread: UNIFLASH


Hello,

We have an aim to enable secure boot on AM263P (currently developing on Launchpad hardware). So far, I've gone through:

- TI academy

- SDK

- (related) Keywriter info

- Secure boot/HSM documentation found on the restricted security section through Secure Resources.

However, one system requirement we have is to be able to flash/reflash calibration sections, for example sensor offset values. 

As of my current understanding, this will cause problems for the secure boot process, as this relies on a full (x509 signed) Application image being flashed, then authenticated through HsmRT before being run.

Currently, Flashwriter accepts a binary 'blob' (full Application .mcelf in our case) and flashes this full 'blob' to a single flash address (specified as the offset in Uniflash). The load addresses for each section are ignored; only run addresses are used to load the relevant program sections into their respective RAM locations. HsmRT authentication (of the full image) is done on every boot, so even if we have a custom flashwriter capable of flashing just calibration sections, this would change the image contents, and so hash verification would fail.

In short, we always need to flash an application containing all loadable sections, unless we don't enable HS-SE - unless my understanding is incorrect?

Some questions:

1) Once eFuse programming is done, how does HsmRT prevent Application from starting if Application image verification fails?

2) How does HsmRT perform hash verification? Is the Application image copied into ram prior to verification (thereby imposing a restriction on max image size), or does this work by copying chunks from flash?

3) Documentation on whether HsmRT is available to us is not very clear. For example, source 1:

Source 2:

From this, I gather it is possible to edit the HsmRT image for HS-SE, but not for HS-FS (TI-provided). In this case, for HS-SE, it might be possible to modify HsmRT behaviour to do section-based checksum/hash verification instead of the full-image verification. Is this assumption correct?

4) If above is correct, can we run HsmRT for HS-SE on a HS-FS device (no eFuses programmed) for testing?

5) What steps/func calls are needed to HsmRT to fully complete Application image authentication?

Thanks,
Rens

  • Does anyone have any pointers here? Thanks, Rens

  • 1) Once eFuse programming is done, how does HsmRT prevent Application from starting if Application image verification fails?

    2) How does HsmRT perform hash verification? Is the Application image copied into ram prior to verification (thereby imposing a restriction on max image size), or does this work by copying chunks from flash?

    1. If image verification fails, then the image will not be booted: HSMRT sends a NACK to the SBL, which does not allow SBL execution to go ahead. You can look at the SBL OSPI example code to understand further.

    2. While I cannot share the info here in public as it is NDA info, you can look at the HSM RT firmware project .c file to understand the flow. For copying, both approaches are supported in the SDK:
       1. SBL OSPI MCELF
       2. SBL OSPI MCELF Fastboot
    Refer to the SBL example in the SDK.

  • 3) Documentation on whether HsmRT is available to us is not very clear. For example, source 1:

    Source 2:

    From this, I gather it is possible to edit the HsmRT image for HS-SE, but not for HS-FS (TI-provided). In this case, for HS-SE, it might be possible to modify HsmRT behaviour to do section-based checksum/hash verification instead of the full-image verification. Is this assumption correct?

    Yes, the HSMRT image and source code are available to you for modification once you have converted your device to HS-SE.

    The HS-FS device firmware is not available to customers.
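  • The two points above (chunked verification in answer 2, section-based verification in answer 3) can be modelled in a few lines. The following is an added example, not TI's HSMRT or SBL code and not the AM263P image format: it lays out constructed sections in a simulated flash, hashes each region in fixed-size chunks so that only one chunk sits in RAM at a time, and contrasts a signature over the whole image with a signed per-section manifest plus a separately signed calibration section. HMAC-SHA256 stands in for the x509/RSA signature that a real root of trust checks against a fused key hash; the section names, keys, addresses and chunk size are assumptions for the illustration.

```python
import hashlib
import hmac
import struct

# Constructed sample sections: (name, run address, contents). Not a real AM263P image.
APP_SECTIONS = [
    (b".text",   0x70000000, bytes(range(256)) * 4),      # 1 KiB of "code"
    (b".rodata", 0x70001000, b"lookup-table" * 20),
]
CALIB_SECTION = (b".calib", 0x70002000, struct.pack("<4f", 0.0, 1.0, -0.5, 2.25))

KEY_APP = b"app-signing-key"      # stand-in for the application signing key (assumption)
KEY_CAL = b"calibration-key"      # stand-in for a separate calibration signing key (assumption)
CHUNK = 128                       # bytes hashed per step: the RAM the verifier needs per section

def sign(key, data):
    """HMAC-SHA256 stands in for the asymmetric (x509/RSA) signature of a real HSM flow."""
    return hmac.new(key, bytes(data), hashlib.sha256).digest()

def verify(key, data, tag):
    return hmac.compare_digest(sign(key, data), tag)

def lay_out(sections):
    """Place sections back to back in a simulated flash; return (flash, [(name, run, off, size)])."""
    flash = bytearray()
    table = []
    for name, run, payload in sections:
        table.append((name, run, len(flash), len(payload)))
        flash += payload
    return flash, table

def digest_streamed(flash, off, size, chunk=CHUNK):
    """Hash a flash region chunk by chunk; the whole image is never copied into RAM."""
    h = hashlib.sha256()
    for pos in range(off, off + size, chunk):
        h.update(flash[pos:min(pos + chunk, off + size)])
    return h.digest()

RECORD = struct.Struct("<16sIII32s")   # name, run address, flash offset, size, SHA-256

def build_manifest(flash, table):
    return b"".join(RECORD.pack(n, r, o, s, digest_streamed(flash, o, s)) for n, r, o, s in table)

def parse_manifest(manifest):
    return [RECORD.unpack_from(manifest, i) for i in range(0, len(manifest), RECORD.size)]

def verify_sections(flash, manifest, tag, key):
    """Section-based check: the signed manifest first, then each section's digest streamed
    from flash. Returns {} if the manifest signature fails, else {name: bool} per section."""
    if not verify(key, manifest, tag):
        return {}
    result = {}
    for name, _run, off, size, expected in parse_manifest(manifest):
        result[name.rstrip(b"\0")] = hmac.compare_digest(digest_streamed(flash, off, size), expected)
    return result

def image_authentic(flash, manifest, tag, key):
    """What a bootloader would gate the boot on: every section listed in a valid manifest matches."""
    result = verify_sections(flash, manifest, tag, key)
    return bool(result) and all(result.values())

def demo():
    # 1. Whole-image signature: any byte change, including a calibration value, breaks it.
    flash, table = lay_out(APP_SECTIONS + [CALIB_SECTION])
    whole_tag = sign(KEY_APP, flash)
    _, _, cal_off, cal_size = next(t for t in table if t[0] == b".calib")
    patched = bytearray(flash)
    struct.pack_into("<f", patched, cal_off, 0.125)          # reflash one calibration value
    whole_before = verify(KEY_APP, flash, whole_tag)
    whole_after = verify(KEY_APP, patched, whole_tag)

    # 2. Section-based: application sections under one signed manifest, calibration signed on its own,
    #    so the calibration region can be reflashed (with its own new signature) without touching
    #    the application manifest.
    app_table = [t for t in table if t[0] != b".calib"]
    manifest = build_manifest(flash, app_table)
    manifest_tag = sign(KEY_APP, manifest)
    cal_tag = sign(KEY_CAL, flash[cal_off:cal_off + cal_size])

    app_ok = image_authentic(patched, manifest, manifest_tag, KEY_APP)
    cal_unsigned_ok = verify(KEY_CAL, patched[cal_off:cal_off + cal_size], cal_tag)
    new_cal_tag = sign(KEY_CAL, patched[cal_off:cal_off + cal_size])
    cal_resigned_ok = verify(KEY_CAL, patched[cal_off:cal_off + cal_size], new_cal_tag)
    return whole_before, whole_after, app_ok, cal_unsigned_ok, cal_resigned_ok

if __name__ == "__main__":
    print(demo())
```

    The point of the second half is that a calibration reflash still has to be signed by something the root of trust trusts; excluding the section from the application manifest only moves the signature, it does not remove it. In a real HSMRT modification the per-section digests would live in the signed certificate or a signed table the bootloader parses before loading, and any section not covered by a valid signature must NACK the boot exactly as a failed whole-image check does.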

  • 4) If above is correct, can we run HsmRT for HS-SE on a HS-FS device (no eFuses programmed) for testing?

    No, TI does not provide an HS-FS HSM_RT image. The recommended process for HSMRT development is on an HS-SE device.

  • 5) What steps/func calls are needed to HsmRT to fully complete Application image authentication?

    Please refer to the SBL OSPI example to understand the details.

    Refer to the API:

    Bootloader_parseAndLoadMultiCoreELF
    This API takes care of image parsing and authentication.

    mcu_plus_sdk_am261x_10_00_01_10/source/drivers/bootloader/bootloader.c

  • Ok, thanks Nilabh.