
AM2432: Use DKEK in AM2432

Part Number: AM2432

Hi, 

I am using AM2432 with the Industrial SDK 11.00.00.08.

I am interested in using DKEK to encrypt data. 

I'm reading here that there are two possible mechanisms, but I've had problems with both. Using the first mechanism to provide the DKEK directly to SA2UL, I couldn't find where to set the USE_DKEK in SA2UL security context flag. But in both cases, when I try to use the functions declared here, the compiler always reports "unresolved symbol Sciclient_set/get/releaseDKEK".

Is the use of DKEK actually supported on the AM2432? Is there a step I'm missing? Is there an example that uses it?

Thank you,

Best Regards,

Andrea

  • Hello,

    But in both cases, when I try to use the functions declared here, the compiler always reports "unresolved symbol Sciclient_set/get/releaseDKEK".

    It seems like the functions are only declared but not defined in the SDK.

    Is the use of DKEK actually supported on the AM2432? Is there a step I'm missing? Is there an example that uses it?

    There is no example in the SDK to demonstrate the TISCI DKEK APIs or the DKEK use cases.

    Please note you cannot use the DKEK APIs in the application because of the Security Handover as described in this response

    https://e2e.ti.com/support/microcontrollers/arm-based-microcontrollers-group/arm-based-microcontrollers/f/arm-based-microcontrollers-forum/1627031/am2432-am2432-jtag-handling/6274257

    Regards,

    Prashant

  • Hello Prashant, 

    thank you for your reply.

    It seems like the functions are only declared but not defined in the SDK.

    Is there any other way to use it anyway? For example, with Sciclient_service. Or something equivalent that can be used as an encryption key and thus remains secret.

    Please note you cannot use the DKEK APIs in the application because of the Security Handover as described in this response

    This is not a problem, I would use it in the SBL before the Security Handover.

    Thank you,

    Best Regards,

    Andrea

  • Hello,

    Please see the following patch to retrieve the DKEK

    diff --git a/examples/hello_world/hello_world.c b/examples/hello_world/hello_world.c
    index 8694deccc11..aea6a258ba8 100644
    --- a/examples/hello_world/hello_world.c
    +++ b/examples/hello_world/hello_world.c
    @@ -37,6 +37,66 @@
     #include "ti_drivers_open_close.h"
     #include "ti_board_open_close.h"
     
    +int32_t App_getDKEK(
    +    const struct tisci_msg_sa2ul_get_dkek_req *req,
    +    struct tisci_msg_sa2ul_get_dkek_resp *resp,
    +    uint32_t timeout)
    +{
    +    int32_t status;
    +    struct tisci_msg_sa2ul_get_dkek_req localReq = *req;
    +    const Sciclient_ReqPrm_t reqPrm =
    +    {
    +        TISCI_MSG_SA2UL_GET_DKEK,
    +        TISCI_MSG_FLAG_AOP,
    +        (const uint8_t *)&localReq,
    +        sizeof(localReq),
    +        timeout
    +    };
    +    Sciclient_RespPrm_t respPrm =
    +    {
    +        0,
    +        (uint8_t *)resp,
    +        sizeof(*resp)
    +    };
    +
    +    status = Sciclient_service(&reqPrm, &respPrm);
    +    if ((status != SystemP_SUCCESS) || (respPrm.flags != TISCI_MSG_FLAG_ACK))
    +    {
    +        status = SystemP_FAILURE;
    +    }
    +    return status;
    +}
    +
    +void test_func()
    +{
    +    int32_t status;
    +    uint32_t i;
    +    struct tisci_msg_sa2ul_get_dkek_req req = {
    +        .sa2ul_instance  = 0U,
    +        .kdf_label_len   = 5U,
    +        .kdf_context_len = 7U,
    +        .kdf_label_and_context = { 'L', 'A', 'B', 'E', 'L', 'C', 'O', 'N', 'T', 'E', 'X', 'T' },
    +    };
    +    struct tisci_msg_sa2ul_get_dkek_resp resp = {0};
    +
    +    status = App_getDKEK(&req, &resp, SystemP_WAIT_FOREVER);
    +
    +    if (status == SystemP_SUCCESS)
    +    {
    +        DebugP_log("DKEK retrieval successful!\r\n");
    +        DebugP_log("DKEK: ");
    +        for (i = 0U; i < CRYPTO_DKEK_KEY_LEN; i++)
    +        {
    +            DebugP_log("%02x ", resp.dkek[i]);
    +        }
    +        DebugP_log("\r\n");
    +    }
    +    else
    +    {
    +        DebugP_log("DKEK retrieval failed! Status: %d\r\n", status);
    +    }
    +}
    +
     void hello_world_main(void *args)
     {
         /* Open drivers to open the UART driver for console */
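Review bot: The `for` loop in `test_func` passes every byte of `resp.dkek` to `DebugP_log`, so the derived key is written in clear text to the debug console and stays in any captured trace. For anything beyond a one-off bring-up check, drop the loop and keep only `DebugP_log("DKEK retrieval successful!\r\n");`. `resp` also stays on the stack after `test_func` returns, so the key buffer should be cleared once the key has been consumed, using a wipe the compiler cannot elide. `App_getDKEK` dereferences `req` and `resp` without a NULL check, which is worth adding if the helper is reused outside this demo. On style, both new functions look file-local and could be `static`, and `void test_func()` should be `void test_func(void)`.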
    @@ -47,6 +107,7 @@ void hello_world_main(void *args)
     #else
         DebugP_log("Hello World!\r\n");
     #endif
    +    test_func();
     
         Board_driversClose();
         Drivers_close();
    diff --git a/source/drivers/bootloader/soc/am64x_am243x/bootloader_soc.c b/source/drivers/bootloader/soc/am64x_am243x/bootloader_soc.c
    index c8b8085457f..cb4ee7849c0 100644
    --- a/source/drivers/bootloader/soc/am64x_am243x/bootloader_soc.c
    +++ b/source/drivers/bootloader/soc/am64x_am243x/bootloader_soc.c
    @@ -1001,7 +1001,7 @@ int32_t Bootloader_socCpuResetReleaseSelf(void)
             }
             if(status==SystemP_SUCCESS)
             {
    -            status = Bootloader_socSecHandover();
    +            // status = Bootloader_socSecHandover();
             }
             if(status==SystemP_SUCCESS)
             {
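Review bot: Commenting out `status = Bootloader_socSecHandover();` skips the handover in every bootloader built from this tree, not only for this experiment. Going by the earlier reply in the thread, the handover is what keeps the application from using the DKEK request, so with it disabled that request and presumably the other secure-context messages stay reachable from application code after boot. The stated plan is to derive the key in the SBL before handover, so the DKEK request would fit better ahead of this call with the handover left in place. If it has to be skipped for bring-up, use an explicit build-time switch rather than a commented-out line, e.g. `#if !defined(SBL_SKIP_SEC_HANDOVER_PLACEHOLDER)` around the call (placeholder macro name), so a release build cannot inherit it silently. `Bootloader_socCpuResetReleaseSelf` starts and ends outside the hunk.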
    diff --git a/source/drivers/sciclient/sciclient.c b/source/drivers/sciclient/sciclient.c
    index ed1044e476a..367817b953a 100644
    --- a/source/drivers/sciclient/sciclient.c
    +++ b/source/drivers/sciclient/sciclient.c
    @@ -706,6 +706,7 @@ uint32_t Sciclient_getCurrentContext(uint16_t messageType)
            (TISCI_MSG_WRITE_SWREV == messageType) ||
            (TISCI_MSG_READ_KEYCNT_KEYREV == messageType) ||
            (TISCI_MSG_WRITE_KEYREV == messageType) ||
    +       (TISCI_MSG_SA2UL_GET_DKEK == messageType) ||
            (TISCI_MSG_BOARD_CONFIG_PM == messageType))
         {
             retVal = gSciclientHandle.secureContextId;