TMS320F28388D: Secure Flash Boot

Part Number: TMS320F28388D

Looking at the TRM 5.7.7.1.3 - The flash authentication uses a Cipher-based Message Authentication Protocol (CMAC) to authenticate 16KB of flash starting from the configured flash entry point address.

The Secure ROM size is 64K. Does the flash authentication routine just point to 16K within this section?

Thanks for the assistance. 

  • Hi David,

    Yes, the authentication routine is in Secure ROM, and this routine only authenticates 16KB of application code in flash starting from the configured flash entry point address as part of the "secure BOOT" option.

    "does the flash authentication routine just point to 16K within this section?"

    Sorry, I did not get this question. Can you elaborate on this question a bit more?

    Regards,

    Vivek Singh

  • Here is more information on how we plan to use the secure boot. Does this make sense?

     

    Configuration / Setup

    CPU1 - DSP

    SecureBoot mode

    BOOTPINCONFIG/BOOTDEF = Secure Flash Boot - Flash Boot Option 0

    CPU1 OTP CMACKEY set by production

    Stored in Secure Flash -

    Boot Sector 0

    Golden CPU1 Boot Code CMAC set by production

    CPU1 Boot Code

    CPU1 Application1 CMAC set by production

    CPU1 Application2 CMAC set by production

    CPU1 Application3 CMAC set by production

    CPU2 - DSP

    SecureBoot mode

    BOOTDEF = Secure Flash Boot - Flash Boot Option 0 (configured by CPU1 via IPC)

    CPU2 OTP CMACKEY set by production

    Stored in Secure Flash -

    Boot Sector 0

    Golden CPU2 Boot Code CMAC set by production

    CPU2 Boot Code

    CPU2 Application1 CMAC set by production

    CPU2 Application2 CMAC set by production

    CPU2 Application3 CMAC set by production

    Questions –

    When the DSP CPU1 first boots, the CPU determines the boot mode. Figures out Secure Boot (Flash Boot Option 0). Does the CPU automatically verify the 16K of secure flash using the CMACKEY and the Golden CMAC? I am trying to understand when any of our code is first run and what is taken care of by the boot process.

    Do we configure secure verification routine what code is run after the secure flash is verified?

    After verification of the secure boot, we would run the verified code.

    The thought is that we would also store calculated CMAC values in this secure flash area to be used to verify other application images that we would run. Does this seem valid?

    I don’t have to have all the specific details at this point, just a plan for the future and ensure that we are not misunderstanding anything.

  • Hello

    David Peterson1 said:

    Questions –

    When the DSP CPU1 first boots, the CPU determines the boot mode. Figures out Secure Boot (Flash Boot Option 0). Does the CPU automatically verify the 16K of secure flash using the CMACKEY and the Golden CMAC? I am trying to understand when any of our code is first run and what is taken care of by the boot process.

    When secure flash boot is set, upon boot the CPU will perform the CMAC on the first 16K from the selected flash entry location. CMAC (using the secret key you set in OTP, which is shared between CPU1 and CPU2) will calculate the tag and compare it against the golden tag you've placed in the designated location within the first 16K flash being authenticated. If the tags match, then boot will branch to your application. If not, the device will reset.

    David Peterson1 said:

    Do we configure secure verification routine what code is run after the secure flash is verified?

    After verification of the secure boot, we would run the verified code.

    The secure flash boot (once it passes authentication) will branch to the entry address of the selected secure flash boot option. If you want to authenticate another region of flash, your app should call the CMAC routine that's stored in the device's secure ROM to run on other flash locations. The API is detailed in the TRM. Golden CMAC tag generation is supported for all secure boot entry locations as well as one user customized region (you can configure start address and length). More detail on this is in the TMS320C28x Assembly Language Tools User's Guide (linked in the TRM).

    David Peterson1 said:

    The thought is that we would also store calculated CMAC values in this secure flash area to be used to verify other application images that we would run. Does this seem valid?

    I don’t have to have all the specific details at this point, just a plan for the future and ensure that we are not misunderstanding anything.

    The user customized region CMAC tag can be stored in your entry secure flash region. The other golden CMAC tags will be stored within their flash region.

    Best regards

    Chris
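
A host-side model of the boot-time check described in the reply above, added here as an illustration; it is not TI's ROM code or tooling and not part of the original posts. It assumes AES-128 CMAC per RFC 4493, a byte-addressed image, a hypothetical tag slot at offset 0x10, and that the slot is masked to 0xFF while the tag is computed; the real layout comes from the TRM.

```ruby
require "openssl"

REGION_LEN = 16 * 1024 # bytes authenticated at boot, per the thread
TAG_OFF    = 0x10      # hypothetical offset of the golden tag in the region
TAG_LEN    = 16        # AES-CMAC tag size in bytes

# Last ciphertext block of AES-128-CBC with a zero IV (the CBC-MAC core).
def cbc_mac(key, data)
  c = OpenSSL::Cipher.new("aes-128-cbc").encrypt
  c.key = key
  c.iv = "\0" * 16
  c.padding = 0
  (c.update(data) + c.final)[-16, 16]
end

# RFC 4493 subkey doubling in GF(2^128).
def dbl(block)
  n = block.unpack1("H*").to_i(16) << 1
  n ^= 0x87 if n[128] == 1
  [format("%032x", n & ((1 << 128) - 1))].pack("H*")
end

# AES-CMAC (RFC 4493): CBC-MAC with the final block masked by K1 or K2.
def aes_cmac(key, msg)
  msg = msg.b
  sub = dbl(cbc_mac(key, "\0" * 16)) # K1
  if msg.empty? || msg.bytesize % 16 != 0
    msg += "\x80".b + "\0".b * (15 - msg.bytesize % 16) # 10* padding
    sub = dbl(sub) # K2
  end
  last = msg[-16, 16].bytes.zip(sub.bytes).map { |a, b| a ^ b }.pack("C*")
  cbc_mac(key, msg[0...-16] + last)
end

# Tag over the first 16 KB with the tag slot masked to 0xFF (assumed convention).
# Production tooling would write this value at TAG_OFF.
def region_tag(key, flash)
  region = flash.b[0, REGION_LEN]
  region[TAG_OFF, TAG_LEN] = "\xFF".b * TAG_LEN
  aes_cmac(key, region)
end

# Boot-time decision described in the thread: branch on a match, reset otherwise.
def boot_decision(key, flash)
  return :reset if flash.bytesize < REGION_LEN
  pairs = region_tag(key, flash).bytes.zip(flash.b[TAG_OFF, TAG_LEN].bytes)
  pairs.reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero? ? :branch : :reset # no early exit
end
```

Changing any byte inside the first 16 KB, or using a different key, yields `:reset`; bytes beyond the region do not affect the result, which is why further regions need their own check.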

  • Thank you.

    Will there be an application note describing in more detail than the TRM the secure boot process?

    Yes, an app note is currently in progress.

    Best regards

    Chris