
Part Number: MCU-PLUS-SDK-AM263X

Clarifications on Keyring Management and Storage for AM263x Secure Boot

 

Hello,

I'm working with the AM263x device and have some questions regarding the Keyring service in the context of secure boot:

  • How is the Keyring managed on the AM263x?

  • Is the Keyring service intended only for application image authentication, or can it also be used to store and manage other sets of cryptographic keys?

  • If the Keyring is stored internally, could you clarify where exactly it resides? Some documentation suggests it is stored in a "carved-out" section of SMS internal memory — could you confirm this?

  • What does "SMS" stand for in this context (Security Management System, or something else)?


I have a few questions regarding the Keyring import process on AM263x HS_SE devices:

  • Based on the documentation, the HSM Client Import Keyring Service is issued by the SBL to the HSM Server and is responsible for importing the keyring. Once the service is requested, the HSM parses the X.509 certificate and populates the keyring into HSM Secure RAM.

    Could you confirm whether the HSM ROM initially contains the keyring or if the HSM only stores the keyring in Secure RAM after importing it during boot?

  • Is there any persistent (non-volatile) storage of the keyring inside the HSM, or is the keyring always freshly populated into Secure RAM at each boot via the SBL?


Thank you for your support!

  • Hi,

    Please find my responses below.

    How is the Keyring managed on the AM263x?

    The keyring is a set of keys which can be imported by the SBL after importing the HSM runtime binary on an HS-SE device. The keyring is stored in HSM Secure RAM starting at location 0x460503C0.

    Is the Keyring service intended only for application image authentication, or can it also be used to store and manage other sets of cryptographic keys?

    This service can be intended for both imageAuth and debugAuth.

    If the Keyring is stored internally, could you clarify where exactly it resides? Some documentation suggests it is stored in a "carved-out" section of SMS internal memory — could you confirm this?

    The keyring is stored in HSM Secure RAM starting at location 0x460503C0. I believe SMS also refers to the same.

    What does "SMS" stand for in this context (Security Management System, or something else)?

    Could you point me to the documentation stating SMS?

    Based on the documentation, the HSM Client Import Keyring Service is issued by the SBL to the HSM Server and is responsible for importing the keyring. Once the service is requested, the HSM parses the X.509 certificate and populates the keyring into HSM Secure RAM.

    Could you confirm whether the HSM ROM initially contains the keyring or if the HSM only stores the keyring in Secure RAM after importing it during boot?

    The keyring is a set of keys which can be imported by the SBL after importing the HSM runtime binary on an HS-SE device. So it is obtained from the SBL after the HSM is loaded, not from ROM.

    Is there any persistent (non-volatile) storage of the keyring inside the HSM, or is the keyring always freshly populated into Secure RAM at each boot via the SBL?

    Keyring is stored in volatile memory at each boot via SBL to maintain security constraints.

    For more information on the keyring, please refer to the TIFS documentation available here:

    https://www.ti.com/secureresources/AM263X-RESTRICTED-SECURITY

    Thanks and Regards,

    Nikhil Dasan

  • Keyring Management — TISCI User Guide: in the link provided I found the info about the SMS internal memory, but I am not actually sure if the AM263X board family uses the same Keyring Management that is in the link, and it does not mention the specific board family that I am looking into.

  • Hi,

    The above is for the Sitara and Jacinto microprocessor devices. Please download the TIFS User Guide from the link below for the AM263 device. You would have to request access using the same link the first time.

    www.ti.com/...

    Thanks and Regards,

    Nikhil Dasan