LP-AM261: Secure Boot related doubts

Hi Nithin,

Nithin Kurian said:

Is it possible to add MBED TLS to HSM core?

• Is if no, is there any hardware limitation for doing so?
• If yes,
  1. is there any such implementation which is already available.?
  2. Is it possible to use that with hardware accelerators ?
  3. Is there any limitation on adding code to M4 core

On HS-SE device you can modify the code that runs on the M4F core, we do not have an implementation on M4F core yet, but the MCU_PLUS_SDK does have support for R5F that can be referenced.

You can offload MbedTLS operations to hardware accelerators like DTHE and PKA. But since we are adding some software layers over the standard Hardware Accelerators API calls, this will add some minor CPU overhead. I can walk you through the steps of offloading MbedTLS cryptography to hardware accelerators over our weekly sync up call.

Nithin Kurian said:

So, is it possible to do Asymmetric encryption and decryption from R5 core?

We can perform SHA and AES operations on R5F Core using the DTHE accelerator. We cannot perform PKA operations (only on M4 core)

Nithin Kurian said:

Similarly, i can see AsymCrypt_XXX APIs in the SDK 

One thing to note here is that the "AsymCrypt" APIs are not for AM261x, but for other device (AM243x/AM64x).

Nithin Kurian said:

Is there any example available for the same?

The examples for the same can be found in MCU_PLUS_SDK (https://software-dl.ti.com/mcu-plus-sdk/esd/AM261X/10_02_00_15/exports/docs/api_guide_am261x/EXAMPLES_SECURITY.html)

You can see the sample driver code and APIs for AM261x at: 

DTHE driver page: https://software-dl.ti.com/mcu-plus-sdk/esd/AM261X/10_00_01_10/exports/docs/api_guide_am261x/DRIVERS_DTHE_PAGE.html

Path: mcu_plus_sdk/source/security/security_common/drivers/crypto/dthe, mcu_plus_sdk/source/security/security_common/drivers/crypto/rng

AES API guide: https://software-dl.ti.com/mcu-plus-sdk/esd/AM261X/10_00_01_10/exports/docs/api_guide_am261x/group__SECURITY__DTHE__AES__MODULE.html

SHA API guide: https://software-dl.ti.com/mcu-plus-sdk/esd/AM261X/10_00_01_10/exports/docs/api_guide_am261x/group__SECURITY__DTHE__SHA__MODULE.html

Nithin Kurian said:

We have a need for authentication of an image to be done from application image.

1. As per my understanding security lib should be added to the application image. Is that correct?
2. What are the steps to be followed in doing so?
3. Is there any example available for that?

Yes you would need to link the security lib to use DTHE related security APIs. If using MbedTLS cryptography, then you would also need to link the mbedtls library.

You can check the project properties (or makefile) of the applications in the SDK (examples/security/crypto/) or (/source/networking/enet/core/examples/lwip/cpsw_lwip_https/). There is no out-of-box example which shows image auth being done from an R5F application. Is there any specific requirement which you would like to discuss here?

Regards.
Shaunak