
AM263P4: Dynamic modification of keyring

Part Number: AM263P4
Other Parts Discussed in Thread: SYSCONFIG,

Hi,

I want to use the keyring on the am263p4's HSM for encryption and decryption of application level data. Can I dynamically create symmetric keys and update/access the keyring from the application's perspective while it is already booted and running on the microcontroller? It seems like the keyring is defined in the sysconfig file at sbl boot time so I wasn't sure if changing and accessing it while an application is running is possible.

Thanks

  • Hi,

    The symmetric keyring, unlike the asymmetric keyring, is a blob in the certificate, which is a combination of a number of symm keys used.

    If your usecase is having a certificate with 1 symm key that you will import to HSM in application, then this would overwrite the existing symmetric keys on the HSM secure ram.

    So, your usecase is possible, if you have 1 symm key which you would be using after importing to your application. It would just overwrite the existing symm key at index 32.

    Is this your usecase?

    Thanks and regards,

    Nikhil Dasan

  • The asymmetric keyring isn't a blob in the certificate? I thought both symmetric and asymmetric keys were blobs in the certificate and imported through the certificate

    My question was more about if we are able to update the keyring after the bootloader has executed and while the application is running? Or do we need to reboot to update the keyring by updating the certificate of our bootloader?

  • Hi,

    Sorry for the misunderstanding.

    The process of keyring is simple. You pass a symm key or asymm key or both via a certificate to HSM using the keyring import service, it stores the keys into the HSM Secure RAM.

    In the same cycle, if you send another certificate with a different symm key or asymm key or both to HSM using the keyring import service, it replaces the existing keys in HSM Secure RAM with the new keys that are sent.

    I don't see an issue with using keyring import service multiple times, only that the keys would be replaced by the new set of keys in HSM Secure RAM.

    Thanks and Regards,

    Nikhil Dasan
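The answer above describes the keyring import service as a whole-keyring replacement: every import overwrites what is in HSM secure RAM rather than merging with it. The following C program is an added model of that semantic, written for this thread; it is not TI's HsmClient API and it does not talk to the HSM. The certificate layout (a two-byte header followed by raw keys), the key sizes, the slot limits and the "symmetric keys start at index 32" convention (taken from the earlier reply about index 32) are all constructed assumptions. It shows the practical consequence for an application that imports a single-key certificate at runtime: the keys loaded at SBL time are gone afterwards, so the application must either re-supply every key it still needs in the new certificate or track which keyring generation is currently loaded.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the behaviour described in the thread. NOT the TI
 * HsmClient API: a keyring in HSM secure RAM holds symmetric and asymmetric
 * slots, and an import replaces the entire contents in one step. */

#define SYM_KEY_BYTES   16   /* assumption: AES-128 sized symmetric keys   */
#define ASYM_KEY_BYTES  32   /* assumption: placeholder public-key blob size */
#define MAX_SYM_KEYS     8   /* assumption: slot limits of the model         */
#define MAX_ASYM_KEYS    4
#define SYM_INDEX_BASE  32   /* thread: first symmetric key sits at index 32 */

typedef struct {
    uint8_t  sym[MAX_SYM_KEYS][SYM_KEY_BYTES];
    uint32_t sym_count;
    uint8_t  asym[MAX_ASYM_KEYS][ASYM_KEY_BYTES];
    uint32_t asym_count;
    uint32_t generation;     /* bumped on every successful import */
} SecureRamKeyring;

static SecureRamKeyring g_keyring;   /* stands in for HSM secure RAM */

/* Constructed certificate layout (model only):
 *   byte 0 : number of symmetric keys
 *   byte 1 : number of asymmetric keys
 *   then   : symmetric keys back to back, then asymmetric keys back to back */

/* Model of the keyring import service. Validates the blob, then replaces
 * the whole keyring. Returns 0 on success, -1 if the blob is malformed
 * (in which case the existing keyring is left untouched). */
int model_importKeyring(const uint8_t *cert, size_t len)
{
    if (cert == NULL || len < 2) return -1;
    uint32_t ns = cert[0], na = cert[1];
    if (ns > MAX_SYM_KEYS || na > MAX_ASYM_KEYS) return -1;
    if (len != 2 + ns * SYM_KEY_BYTES + na * ASYM_KEY_BYTES) return -1;

    SecureRamKeyring fresh;
    memset(&fresh, 0, sizeof fresh);
    const uint8_t *p = cert + 2;
    for (uint32_t i = 0; i < ns; i++, p += SYM_KEY_BYTES)
        memcpy(fresh.sym[i], p, SYM_KEY_BYTES);
    for (uint32_t i = 0; i < na; i++, p += ASYM_KEY_BYTES)
        memcpy(fresh.asym[i], p, ASYM_KEY_BYTES);
    fresh.sym_count  = ns;
    fresh.asym_count = na;
    fresh.generation = g_keyring.generation + 1;

    g_keyring = fresh;                 /* replace, never merge */
    memset(&fresh, 0, sizeof fresh);   /* best-effort scrub of the stack copy */
    return 0;
}

/* Look up a symmetric key by HSM-style index (SYM_INDEX_BASE + slot).
 * Returns 1 and copies the key on success, 0 if the slot is empty. */
int model_getSymKey(uint32_t index, uint8_t out[SYM_KEY_BYTES])
{
    if (index < SYM_INDEX_BASE) return 0;
    uint32_t slot = index - SYM_INDEX_BASE;
    if (slot >= g_keyring.sym_count) return 0;
    memcpy(out, g_keyring.sym[slot], SYM_KEY_BYTES);
    return 1;
}

/* Convenience for checks: first byte of the key at index, or -1 if absent. */
int model_symKeyFirstByte(uint32_t index)
{
    uint8_t k[SYM_KEY_BYTES];
    return model_getSymKey(index, k) ? (int)k[0] : -1;
}

uint32_t model_symKeyCount(void)  { return g_keyring.sym_count; }
uint32_t model_asymKeyCount(void) { return g_keyring.asym_count; }
uint32_t model_generation(void)   { return g_keyring.generation; }

/* Build a constructed certificate holding ns symmetric and na asymmetric
 * keys, every key byte set to 'fill'. Returns the blob length, 0 on error. */
size_t model_buildCert(uint8_t *buf, size_t cap, uint32_t ns, uint32_t na, uint8_t fill)
{
    size_t need = 2 + ns * SYM_KEY_BYTES + na * ASYM_KEY_BYTES;
    if (cap < need || ns > 255 || na > 255) return 0;
    buf[0] = (uint8_t)ns;
    buf[1] = (uint8_t)na;
    memset(buf + 2, fill, need - 2);
    return need;
}

/* Scenario from the thread: an SBL-time import with 2 symm + 1 asymm key,
 * then a runtime import of a certificate carrying a single symm key.
 * Returns the number of symmetric keys left in secure RAM afterwards. */
uint32_t model_demoRuntimeOverwrite(void)
{
    uint8_t cert[2 + MAX_SYM_KEYS * SYM_KEY_BYTES + MAX_ASYM_KEYS * ASYM_KEY_BYTES];
    size_t n = model_buildCert(cert, sizeof cert, 2, 1, 0xA1);   /* SBL-time certificate */
    model_importKeyring(cert, n);
    n = model_buildCert(cert, sizeof cert, 1, 0, 0xB2);          /* runtime certificate */
    model_importKeyring(cert, n);
    return model_symKeyCount();
}

int main(void)
{
    uint32_t left = model_demoRuntimeOverwrite();
    printf("symm keys after runtime import: %u (asymm: %u, generation %u)\n",
           left, model_asymKeyCount(), model_generation());
    printf("index 32 first byte: %d, index 33 present: %d\n",
           model_symKeyFirstByte(32), model_getSymKey(33, (uint8_t[SYM_KEY_BYTES]){0}));
    return 0;
}
```

Running it shows one symmetric key and no asymmetric key after the second import, with index 33 empty: the SBL-time keys did not survive. The generation counter is the piece an application would keep on its side so that code holding a key index knows whether the keyring it was selected from is still the one loaded.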

  • Ok that makes sense thank you. So as long as we can generate a keyring certificate and make the call to HsmClient_importKeyring(...) we don't need to reboot and rerun the SBL to update the keyring?

  • Correct. This service could be called from application itself. Is there a usecase for such method? I mean, typically the keyring keys are set at the beginning of the boot and the keys are selected during runtime right?

    If you don't mind, may I understand the need for using this multiple times instead of a one time keyring importing?

    Thanks and Regards,

    Nikhil Dasan

  • We want to have the ability to generate and then change our symmetric and asymmetric key bank at runtime without rebooting. This would support the generation of keys that only AM263P4 knows about without having to create them outside and manually load them onto the microcontroller. We would use these keys to encrypt data while it's being used within the microcontroller.

  • Hi,

    "This would support the generation of keys that only AM263P4 knows about without having to create them outside and manually load them onto the microcontroller."

    Understood, in this case, you would be having a facility to create the certificate every time a new set of keys are available? Because, currently the certificate for the keyring is fed via SBL, but there could be other means of getting certificate (with keys in it) from external world to AM263P4 and send the same to HSM via keyring import service.

    By the generation of keys that only AM263P4 knows, do you mean this way?

    Thanks and Regards,

    Nikhil Dasan

  • Yes this would be for keys that only the am263p4 knows about. Thanks for the help