
DRA821U: Secure boot by using the external TPM

Part Number: DRA821U
Other Parts Discussed in Thread: DRA821

Hi,

Can a TPM (Trusted Platform Module) be used with the DRA821U?

My customer is interested in the security features of the DRA821, but TI doesn't program a customer key. Therefore, they're considering an external TPM, because the TPM vendor can program the customer key.

In the use case of an external TPM with the DRA821U, could you tell them whether the following operations are possible?

1. Is true secure boot possible by using a TPM with the DRA821?

In the case of the Raspberry Pi example below, it cannot support true secure boot even if a TPM is used. See below. How about the DRA821?

https://github.com/joholl/rpi4-uboot-tpm

No Secure Boot on Raspberry Pi

Secure boot on the Raspberry Pi is not possible. That is because the first-stage bootloader on the raspberry (bootcode.bin and start.elf) is closed source. For secure boot, you need a so-called Root of Trust in the first-stage bootloader, and we do not have that.

2. Can the DRA821 use a TPM that can be entrusted to manage ciphers and keys?

3. Is software tampering detection possible by using a TPM?

Regards,

Hideaki

    1. Is true secure boot possible by using a TPM with the DRA821?

    In the case of the Raspberry Pi example below, it cannot support true secure boot even if a TPM is used. See below. How about the DRA821?

    https://github.com/joholl/rpi4-uboot-tpm

    No Secure Boot on Raspberry Pi

    Secure boot on the Raspberry Pi is not possible. That is because the first-stage bootloader on the raspberry (bootcode.bin and start.elf) is closed source. For secure boot, you need a so-called Root of Trust in the first-stage bootloader, and we do not have that.

    Initial secure boot of the DRA821 is implemented by the device boot ROM. The user bootloader runs on the Cortex-R5 and is authenticated, and the security controller firmware is then authenticated by the user bootloader.

    If using the TI SPL (Secondary Program Loader) model, the user bootloader is built from U-Boot sources, so it is open source.

    As such, I think it meets your definition.

    SPL built w/U-Boot
    Device eFuse key
    Root-of-Trust              Can also be authenticated by RoT   Can also be authenticated by RoT
    +-----------------+        +-------------------------+        +------------------------+
    |   first-stage   |        | second-stage bootloader |        |        Raspbian        |
    |   bootloader    |-------\|          U-Boot         |-------\|      Linux Kernel      |
    |                 |-------/|                         |-------/|                        |
    | (closed-source) |        | (built-in TPM support)  |        | (built-in TPM support) |
    +-----------------+        +-------------------------+        +------------------------+
        Cortex-R5                      Cortex-A72                         Cortex-A72

    2. Can the DRA821 use a TPM that can be entrusted to manage ciphers and keys?

    The TI SDK does not explicitly include TPM support.

    If this is part of Linux, then it should be supported.

    3. Is software tampering detection possible by using a TPM?

    I cannot answer this – it depends on TPM capabilities and system implementation.
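As an added illustration of question 3 (not code from TI or from the thread), the model below shows what "depends on the TPM capabilities and system implementation" amounts to in practice: each stage in the chain above hashes the next image, extends a TPM PCR and records the digest in an event log, and a verifier replays the log against the PCR and an allowlist of known-good digests. The PCR, TPM and stage images are simulated in software with constructed sample data; no real DRA821 binaries are involved.

```python
import hashlib

# Added example: software model of TPM measured boot (PCR extend + event log).
# A TPM PCR can only be extended, never written: new = H(old || digest), so a
# verifier can recompute the expected value from known-good images. The stage
# images below are constructed sample data, not real DRA821 binaries.

PCR_INIT = bytes(32)  # SHA-256 PCR bank reads all-zero after reset


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend semantics for a SHA-256 bank."""
    return hashlib.sha256(pcr + digest).digest()


def measure_boot(images):
    """Each stage hashes the next image, extends the PCR and logs the digest.
    Returns (final_pcr, event_log)."""
    pcr, log = PCR_INIT, []
    for image in images:
        d = hashlib.sha256(image).digest()
        pcr = extend(pcr, d)
        log.append(d)
    return pcr, log


def verify_boot(pcr, log, allowlist):
    """Replay the event log against the (quoted) PCR value, then check every
    logged digest against the allowlist of known-good stage hashes.
    Returns None when the boot is trusted, otherwise a reason string."""
    replay = PCR_INIT
    for d in log:
        replay = extend(replay, d)
    if replay != pcr:
        return "event log does not match PCR (log tampered)"
    for i, d in enumerate(log):
        if d not in allowlist:
            return f"stage {i} digest not in allowlist (image tampered)"
    return None


# Constructed stand-ins for the R5 SPL, A72 U-Boot and Linux kernel images.
GOOD = [b"R5 SPL v1", b"A72 U-Boot v1", b"Linux kernel v1"]
ALLOWLIST = {hashlib.sha256(i).digest() for i in GOOD}

if __name__ == "__main__":
    print(verify_boot(*measure_boot(GOOD), ALLOWLIST))
    print(verify_boot(*measure_boot(GOOD[:2] + [b"patched kernel"]), ALLOWLIST))
```

A real deployment would take the PCR value from a TPM quote and the log from the firmware event log, and would also need the image digests themselves to be signed (true secure boot) rather than only measured, which is what the eFuse-rooted R5 authentication in the reply provides.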