AM62P-Q1: AM62Px Security development and SDK clarification

Part Number: AM62P-Q1
Other Parts Discussed in Thread: AM62P

Hi, Ti Expert,

This is from the Aumovio security team. We have the AM62Px EVM board (SK-AM62P-LP) and are trying to use it to develop security-relevant features for an automotive ECU product.

To start, we have some questions:

  1. We downloaded the SDK "mcu_plus_sdk_am62px_11_02_00_23", but did not find any security driver or HSM (TIFS) APIs. Compared with "mcu_plus_sdk_am263x_11_01_00_19", which has the HsmClient and SIPC packages, why does the AM62Px SDK not have them? I got the info that the "3.4.1. Device Security — Processor SDK AM62Px Documentation" link has a description, and it does, but where is the package? The attached image shows the AM263x SDK:
  2. Some documents mention the definitions TIFS, HSM, SYSFW... What is the difference between them? As I understand it, TIFS is TI's own HSM and runs on M4F core 0, but there is also an optional 3rd-party HSM, which runs on M4F core 1.
  3. For TIFS, can your TIFS firmware be used commercially?
  4. If we integrate 3rd-party HSM firmware, is the TIFS FW still needed during the boot sequence, or is it replaced with the 3rd-party HSM directly? Is TIFS necessary for the boot sequence?
  5. During secure boot, when authenticating each FW (R5F SBL, HSM, A53 U-Boot...), is the same key set used (SMEK/SMPK...), or are different keys used at each step?
  6. As we know, on the AM263x, security operations are handled by the HSM core; the R5F or A53 cores only send requests to the HSM core. Is it the same with AM62Px? If yes, is the attached sequence correct?
  7. For the device type, I got the info "GP device cannot switch to HS", but the link "3.4.1. Device Security — Processor SDK AM62Px Documentation" mentions that migration from GP to HS-FS is possible; please help to clarify:

Thanks in advance!

  • Hello,

    AM263 and AM62P have different security architectures. We have the TIFS firmware on AM62P, which runs on the M4F0 core in the SMS. This TIFS firmware is provided as a binary only in the SDKs and acts as a server listening for TISCI requests from the other cores in the device. The TIFS documentation is available here:

    https://software-dl.ti.com/tisci/esd/latest/index.html

    There is another core, called the HSM core, in the SMS dedicated to running the customer's HSM stack. The TIFS core always runs independently of the HSM.

    All the images are authenticated with the same key only (active key in the efuse).

    The migration is from the software perspective only. For example, if one was working with GP devices and now has HS devices, the migration guide discusses how to migrate the software to the HS devices.

    For more information on the AM62 Security Architecture, please refer to the sources available here:

    www.ti.com/.../AM62X-RESTRICTED-SECURITY

    Regards,

    Prashant

  • Thanks for this information.

    What about the TIFS binary usage? Can it be used for a commercial product? Or do we have to replace it with 3rd-party commercial HSM firmware?

  • And where can we download the TIFS binary for AM62Px? As you mentioned, for AM62Px only the binary is provided.

  • What about the TIFS binary usage? Can it be used for a commercial product? Or do we have to replace it with 3rd-party commercial HSM firmware?

    The TIFS always runs independently of the HSM firmware, so yes, it can be commercialized. The TIFS binary comes with the SDKs.

  • OK, Thanks!

    Another question: we found the SA3_UL feature description in the AM62Ax MCU+ SDK (AM62Ax MCU+ SDK: SA3UL), but did not find it in the AM62x and AM62Px SDK descriptions. SA3_UL is also supported in AM62x and AM62Px, so is this SA3_UL description also applicable to AM62Px?

    We want to confirm that these features are also supported in AM62Px.

  • And I found the SDK security description in "3.2.2.3. Crypto — Processor SDK AM62Px Documentation". Does it mean the current AM62Px SDK only supports drivers for the HW accelerators below:

    If yes, what about the PKA asymmetric algorithms, e.g. RSA and ECC?

    Where can I get the complete list of AM62Px HW security accelerator features supported?

  • And I found in the TISCI message definition, in the "Secure Management" chapter (Crypto Service TISCI Description — TISCI User Guide), that the "Crypto Services" seem to only have AES encrypt and decrypt. What about the other services, e.g. RSA signature verification? What is the TISCI message?

  • We want to confirm that these features are also supported in AM62Px.

    The SA3UL is not supported in the MCU+ SDK for AM62P. It is supported in the Processor SDK.

    https://software-dl.ti.com/processor-sdk-linux/esd/AM62PX/11_02_08_02/exports/docs/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/SA2UL_OMAP.html

    Where can I get the complete list of AM62Px HW security accelerator features supported?

    The TIFS does not allow access to the PKA module, and as such it is not available for general-purpose use.

    The "Crypto Services" seem to only have AES encrypt and decrypt. What about the other services?

    The TIFS only provides the AES services as of now. For the other services, you may leverage OpenSSL on Linux as described in the PSDK documentation.

  • Thanks for the reply; let me list the info:

    1. For SA3UL, it is supported in the Processor SDK and only supports the AES HW accelerator; if trying to use SA3UL from the Linux kernel, only AES is supported;

    2. The PKA (RSA/ECC) is only allowed to be used by TIFS (M4F core 0) itself, and is used for Secure Boot / JTAG authentication;

    3. If a user application wants to use RSA/ECC signature operations (sign/verify), it needs to go via OpenSSL (integrated in the kernel) to call the HW accelerator;

    Am I correct on the above 3 points?

    Another question: for the HW accelerator, is RSA3K supported? In TI Academy, only RSA2K and RSA4K are mentioned.

    Thanks again!

  • 1. For SA3UL, it is supported in the Processor SDK and only supports the AES HW accelerator; if trying to use SA3UL from the Linux kernel, only AES is supported;

    SHA is supported as well. Basically, the authentication and encryption engines are supported but not the PKA.

    2. The PKA (RSA/ECC) is only allowed to be used by TIFS (M4F core 0) itself, and is used for Secure Boot / JTAG authentication;

    That is correct.

    3. If a user application wants to use RSA/ECC signature operations (sign/verify), it needs to go via OpenSSL (integrated in the kernel) to call the HW accelerator;

    OpenSSL won't use the hardware accelerator for PKA. It will rely on software implementations.

    Another question: for the HW accelerator, is RSA3K supported? In TI Academy, only RSA2K and RSA4K are mentioned.

    Please refer to the Security Accelerator TRM available on the previously shared secure portal for any confirmation about the features supported in the hardware. The information anywhere else may be outdated or may not match the actual supported features.
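As an added illustration (not code from TI or from this thread), the Python script below parses the Linux kernel's /proc/crypto listing and separates algorithms that have a driver registered by the SA engine module (AES, SHA) from those that are software-only (RSA), which is the split described in the reply above. The sa2ul module and driver names are assumptions taken from the mainline kernel driver that the linked PSDK page refers to, and the sample entries are constructed; on a real board, feed it the contents of /proc/crypto instead.

```python
import re

# Constructed sample in /proc/crypto format (other fields omitted). The sa2ul
# driver/module names are assumptions modelled on the mainline Linux driver,
# which the linked PSDK page says also serves the SA3UL on AM62Px.
SAMPLE_PROC_CRYPTO = """\
name         : sha256
driver       : sha256-sa2ul
module       : sa2ul

name         : cbc(aes)
driver       : cbc-aes-sa2ul
module       : sa2ul

name         : cbc(aes)
driver       : cbc(aes-generic)
module       : kernel

name         : rsa
driver       : rsa-generic
module       : kernel
"""

HW_MODULES = {"sa2ul", "sa3ul"}  # assumed module names of the SA engine driver

def parse_proc_crypto(text):
    """Split /proc/crypto text into one dict per blank-line-separated entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                entry[key.strip()] = value.strip()
        if entry:
            entries.append(entry)
    return entries

def classify(text):
    """Group algorithm names into hardware-backed (some registered driver comes
    from the SA engine module) and software-only; rsa lands in the latter."""
    hw = {}
    for e in parse_proc_crypto(text):
        hw[e["name"]] = hw.get(e["name"], False) or e.get("module") in HW_MODULES
    return {"hardware": sorted(n for n, h in hw.items() if h),
            "software_only": sorted(n for n, h in hw.items() if not h)}

if __name__ == "__main__":
    print(classify(SAMPLE_PROC_CRYPTO))  # on a target: classify(open("/proc/crypto").read())
```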

  • OK, SHA is supported by SA3UL, nice.

    1. You mentioned "Basically, the authentication and the encryption engines are supported"; is this the TISCI message "TISCI_MSG_PROC_AUTH_BOOT"? If yes, then if a user application wants to use security features:

       1). Via SA3UL for AES, SHA;

       2). Via OpenSSL for RSA/ECC, which is implemented in software.

       3). TISCI messages, but only limited operations are supported; refer to the TISCI message list.

    2. What about the 3rd-party HSM? If we integrate our own HSM, running on M4F core 1, can it call the RSA/ECC accelerator?

  • 1. You mentioned "Basically, the authentication and the encryption engines are supported"; is this the TISCI message "TISCI_MSG_PROC_AUTH_BOOT"?

    I meant that the crypto driver in the kernel only supports the authentication and encryption engines, which support algorithms like SHA and AES respectively. PROC_AUTH_BOOT is just a service provided by the TIFS for the authentication of a signed and optionally encrypted blob.

    2. What about the 3rd-party HSM? If we integrate our own HSM, running on M4F core 1, can it call the RSA/ECC accelerator?

    The TIFS does not allow the HSM to access the PKA engines either.

  • OK, got it. Thanks.

    The TIFS doesn't allow other cores/roles to use the RSA/ECC accelerator, and TIFS only uses RSA for Secure Boot; ECC seems not to have any use case.

    In my understanding now (from the above discussion), there seems to be no way for a user application to use the RSA/ECC accelerator. Am I correct?

    For example, to verify an RSA3072 signature over custom data, can only a SW implementation be used?

    Another question:

    How does the TIFS prevent the 3rd-party HSM from accessing the PKA accelerator? Via a firewall?

  • TIFS only uses RSA for Secure Boot; ECC seems not to have any use case.

    This is not entirely correct. The TIFS now has support for ECC keys as well, for authentication of blobs using PROC_AUTH_BOOT.

    In my understanding now (from the above discussion), there seems to be no way for a user application to use the RSA/ECC accelerator. Am I correct?

    That is correct.

    How does the TIFS prevent the 3rd-party HSM from accessing the PKA accelerator? Via a firewall?

    The PKA MMRs are firewalled to allow access to TIFS only.

  • Thanks Prashant.

    Clear now!

  • Hi Prashant, I found the PKA package in the AM62Ax MCU+ SDK.

    Does it mean that on this chip (AM62Ax) the MCU+ SDK supports using the PKA, not limited by TIFS?

  • Does it mean that on this chip (AM62Ax) the MCU+ SDK supports using the PKA, not limited by TIFS?

    That is not correct. The driver is probably there because it was ported from the AM64x MCU+ SDK, which does have access to the PKA. The AM62A MCU+ SDK has examples for AES and SHA (examples/security/crypto) but not for the PKA, suggesting it is indeed not supported.