• State Resolved
  • Locked Locked
  • Replies 5 replies
  • Answers 1 answer
  • Subscribers 32 subscribers
  • Views 171 views
  • Users 0 members are here
Support feedback
Options
Options
Related

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

AM263P4: Keyring Key Access

Olivier Hepler
Prodigy 145 points
Part Number: AM263P4


Tool/software:

Hi,

Are keys stored in the HSM keyring on AM263P usable for performing encryption/decryption operations from application code running outside the HSM (e.g., on a non-secure R5F core)? Of course we can't actually get ahold of the keyring key itself from application code running outside the HSM but can we use it to encrypt/decrypt data? 

Or are keyring keys strictly reserved for internal HSM operations like secure boot, provisioning, or certificate verification?

I have read through the TIFS documentation and haven't found a clear answer to this questions.

thanks

  • 0
    TI__Guru* 87076 points

    Hi,

    The keys imported using the Keyring from R5 is stored in the HSM Secure ram, which is accessible only by the HSM core for usage. 

    This is the framework implemented for Keyring, so that the non-secure core R5 does not have access to these keys and any decryption or authentication to be done for an image should be done at HSM core and the certificate from R5 core will only have the keyID information which is sent to HSM core to fetch the corresponding key within it on the secure RAM.

    Thanks and Regards,

    Nikhil Dasan

  • 0 in reply to Nikhil Dasan
    Prodigy 145 points

    What API call is available to the r5 core that allows it to pass a keyring key id and data such that the hsm encrypts that data using the keyring key? I can't seem to find a driver that can do this for me in the sdk

  • 0 in reply to Olivier Hepler
    TI__Guru* 87076 points

    This is not an API, 

    this is sent as part of certificate extension 1.3.6.1.4.1.294.1.12 as shown below, which is attached to the application binary as a certificate.

    HSM authenticates this certificate using the Root of trust keys and extracts the sign_key_id and enc_key_id information from this certificate.

    Then using this key id, it further continue to get the key from the HSM secure ram and authenticates or decrypts the image sent along with this.

    The above screen shot is from mcu_appimage_x509_cert_gen.py in C:\ti\tifs\source\imports\security_common\tools\boot\signing\mcu_appimage_x509_cert_gen.py used to sign the image.

    Thanks and Regards,

    Nikhil Dasan

  • 0 in reply to Nikhil Dasan
    Prodigy 145 points

    So you can only use keyring keys to decrypt/authenticate software images with certificates attached to them that specify keyring id s to use?

  • +1 in reply to Olivier Hepler
    TI__Guru* 87076 points

    Yes, That is the out of the box TIFS service provided.