This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

AM2434: External server for creating HSSE device and using UART uniflash hs_fs file on for firmware upgrade

Part Number: AM2434
Other Parts Discussed in Thread: UNIFLASH, SHA-256

Hello,
we're currently working with the AM2434 device and are planning to implement enforced security using an own external security server to create HSSE files for all our binaries.

I have a couple of questions regarding this process: After modifying the makefile to generate only the .bin file, is it possible to use encryption and a self-signed x509 certificate for creating an HSSE apiimage for our firmware and SBL?

Once we have enabled security on the device, will it still be possible to use the sbl_uart_uniflash HSFS tiimage for firmware upgrades on a secured device?
Alternatively, what are the recommended steps for performing firmware upgrades over UART on a secured device?

Any insights or experiences you could share would be greatly appreciated! Thank you in advance.

  • Hello,

    is it possible to use encryption and a self-signed x509 certificate for creating an HSSE apiimage for our firmware and SBL?

    Yes, it is possible.

    Once we have enabled security on the device, will it still be possible to use the sbl_uart_uniflash HSFS tiimage for firmware upgrades on a secured device?

    This is not possible. You must use the HSSE build of the SBL_UART_UNIFLASH for flashing over UART.

  • Hello Prashant,

    I am seeking assistance regarding the process of signing the currently generated apiimage.hsfs file with our custom PKI server. There are several areas where I need clarification, and I would appreciate your guidance on this matter.

    Here are the specific points I would like to address:

    1. Makefile Modifications: What changes are necessary in the Makefile to integrate it then with our custom encryption and signing by script there is .bin input file?

    2. Key Integration: How can we integrate our generated PKCS12 format certificate/key pair from our PKI server?

    3. Signing Encrypted Binaries: What steps are needed to configure in windows script to add x509 certificate to binary/ELF from our PKI server?

    We also have documentation for the AM2434 OTP Keywriter that explains how to generate an x509 certificate and import our PKCS12 format certificate/key pair to the device.

    However, TI generic scripts for signing and encryption only reference locally importing key files and using an x509 certificate for signing.

    Thus, I would like to know:

    • What should be sent to our PKI server for the signature?
    • In what format should the signature be? 

      Signature Type: Plain Signature, Authenticode, JAR, APK, CMS, OpenPGP.

      Signature Method: Digest Only or Entire Binary. We have options: 

      "Digest Only" if you plan to submit a precomputed digest. This is the recommended mode.

      "Entire Binary" if you plan to submit the entire binary image. The maximum supported size is 200MB.

      Digest Algorithm: SHA256, SHA384, SHA512

      Signature Algorithm: ECDSA P-256, RSA 2048-bit, RSA 4096-bit, etc (required for Plain Signatures. if not specified ECDSA is assumed)

      By default RSA signatures use PKCS#1 v1.5. Experimental support for RSA-PSS is also available.

    • How can we modify the TI script to utilize our server for which we are using a Python script that can handle binary or hash inputs and support signature algorithms (ECDSA, RSA)?

    Lastly, could you please clarify how to obtain the sbu_uart_uniflash binary file, which has not been signed using TI keys? Alternatively, how can we rebuild the hsfs file so that it functions with our custom signing keys?

    Thank you very much for your assistance. I look forward to your expert guidance.

    BR, Matej.

  • Hello,

    Assuming you have the setup for signing with your PKI server, you would follow these steps for signing the application:

    After the last step, you would get the signed bootable application image.

    I would not recommend modifying any makefiles in the SDK. These steps can simply be implemented in a script outside of the SDK.

    Let me know if any clarifications are required.

    Regards,

    Prashant

  • Hello Prashant,
    thank you for your reply and information,

    Regarding the first step—after building our application, it creates an apiimage.hsfs file, which is already signed by the TI certificate.
    We need to know what to modify to obtain an apiimage without the TI certificate, or whether we could use the hsfs file as our bin file that we will send for signing.

    I understand that we will create a SHA-512 digest of the apiimage, tag it, create a certificate file, and send it for signature to our PKI.

    I would like to ask if the configuration of our PKI server, which is set to sign certificates with RSA4096/SHA-256 by the intermediate CA, will affect the second part of authentication (parts 2a, 2b, 2c on the Image Authentication Sequence) described in https://software-dl.ti.com/tisci/esd/latest/6_topic_user_guides/authentication.html

    There is comment that 

    • All integrity checking is performed by checking the SHA2-512 hash of the data payload and no other format is currently supported.


    Thank you.
    BR,
    Matej.

  • Hello Matej,

    We need to know what to modify to obtain an apiimage without the TI certificate, or whether we could use the hsfs file as our bin file that we will send for signing.

    The generated "*.appimage.hs_fs" cannot be used as your bin file. The example's makefiles actually deletes the unsigned appimage at the end of the build procedure. So, you can simply delete the commmand that deletes this generated unsigned appimage.

    https://github.com/TexasInstruments/mcupsdk-core/blob/6a622a5c2729c5ad10ba066646944609dc0c64bb/examples/hello_world/am243x-evm/r5fss0-0_nortos/ti-arm-clang/makefile#L320

    All integrity checking is performed by checking the SHA2-512 hash of the data payload and no other format is currently supported.

    This is correct. The SYSFW only supports SHA512 hash for the authentication.

    Regards,

    Prashant

  • Thank you Prashant
    in that case we need to configure PKI server, which is currently set to sign certificates with RSA4096/SHA-256 by the intermediate CA, to use SHA512 correct?

  • in that case we need to configure PKI server, which is currently set to sign certificates with RSA4096/SHA-256 by the intermediate CA, to use SHA512 correct?

    This is correct.

    Please let me know if you need any further clarifications.