AM263P4: Use of Keyring for encryption and decryption

Part Number: AM263P4

How are the keys stored in the keyring used for encryption and decryption?

From my understanding of the keyring, each key is stored with a key hash and a key index. Therefore, when an image needs to be decrypted using the keyring ID from the certificate, is the public hash used in the decryption function, is there a way to retrieve the key from the keyring given the keyring index and use that to decrypt the image, or is there another way this is done?

Is there any code that I can follow to see how this works?

  • Hi,

    During image decryption, retrieve the decryption key using the enc_key_id from the application certificate. This enc_key_id will correspond to either KEYRING_DSMEK_INDEX, KEYRING_DBMEK_INDEX, or a Keyring key ID.

    If the iteration count is 1, derive the decryption key from the salt. Otherwise, use the symmetric key directly for decryption.

    You could refer to the API SEC_BOOT_getDecryptionKey() in C:\ti\tifs_am263px_10_02_00_01\source\modules\sec_boot\sec_boot.c for the source implementation.

    Thanks and Regards,

    Nikhil Dasan

  • Thank you for that explanation. Is there code that shows an implementation of using a keyring ID to decrypt/encrypt that isn't used for secure boot?

  • Hi Addison,

    There is no out-of-the-box code to demonstrate this, but you can follow the simple steps below to check this at your end.

    1. Import the keyring in the SBL using the Keyring Import Service; a reference is provided in the TIFS user guide, which is a ReadMe in the TIFS SDK.

    2. Build the hello world application with the following changes in devconfig.mak.

    DEVICE_TYPE = HS

    APP_SIGNING_KEY  = your keyring asymmetric key

    APP_SIGNING_KEY_KEYRING_ID = your keyring asymmetric key ID

    APP_SIGNING_HASH_ALGO = your hash algo

    3. Now you will have a hello world application signed with your auxiliary key from the keyring, with the key ID part of the certificate.

    4. Now follow the usual secure boot process where the HS_SE SBL loads your hello world application.

    5. In this process, the HSM core would retrieve the keyhash from HSM_RAM using the keyID mentioned in the application image certificate and authenticate the same. (Reference API is validateAndMatchKeyHash() in cert_auth.c)

    Regards,

    Nikhil Dasan