AM6548: verify asymmetrical signature: calculating hash and decrypting signature

Part Number: AM6548
Other Parts Discussed in Thread: AM6528

Hello everyone,

I'm searching for example code or functions for the AM6548 (or AM6528) to verify plain asymmetrical signatures - I think there are three steps:

1. calculating the hash of given data (e.g. SHA512)
2. decrypting signature with public key (e.g. RSA4096)
3. compare the hash with the decryption result.

Would be nice to have functions or an example for steps 1 and 2 for the AM65xx similar to openssl.
Or do you have an example code for this issue?

Thanks in advance

Hape 

  • Hello Hape,
    Is the signature verification intended for integrity check on first stage user bootloader?
    If yes, onchip bootrom support is needed => AM65x HS device.
    If not, what is SW platform?
    Best,
    -Hong

  • Hello Hong,
    thanks for your quick response.

    No, the question is not about verification of the SBL.
    The currently used SW platform is ti-processor-sdk-rtos-am65xx-evm-08_02_00_05.

    Best regards
    Hape

     

  • Hello Hape,
    If it is on AM65x HS, it is possible to extend secure boot chain beyond SBL, where the next stage SW is verified by SBL calling the SYSFW TISCI API for signature verification.
    If it is on AM65 GP, I'm not aware of signature verification support in the referenced TI-RTOS SDK release. Most likely you'll need to port some light version of crypto lib with your SW.
    Best,
    -Hong

  • Hello Hong,
    thanks again for your reply.

    Regarding verification of the next stage SW by the SBL, I only found the usage of X509 certificates.
    Could you give me the name(s) of TISCI API function(s) for verification of a plain signature or of a source file / path where I can find it?

    What do you mean with "port some light version of the crypto lib"? 
    If you know applicable functions in another SDK release you could send me a link to it and names of the relevant source files or functions.
    Then I can try to port it for our application. 

    Many thanks in advance for further information.
    Hape

  • Hello Hape,
    I thought you were looking for signature verification, and some pointers on SYSFW TISCI API for K3 SoC security:
    software-dl.ti.com/.../index.html
    You're right, these TISCI APIs are based on X.509.

    I would think some external package, for example,
    en.wikipedia.org/.../Mbed_TLS

    Best,
    -Hong

  • Hello Hong,

    yes, I'm looking for signature verification (functions for calculating hash and decrypting signature as written in my first request above).

    The only signature verification in the SDK that I could find so far is the verification of an entire X.509 certificate by TISCI message TISCI_MSG_PROC_AUTH_BOOT.
    Did you mean that in your last response?

    In this X.509 certificate check it should have some integrated functions to create hashes and decrypt signatures like I'm looking for.
    Is there really no way to call/use these functions directly?
    And isn't there any other sample code or application note from TI side to verify a simple signature by using processor resources directly (on secure or insecure devices)?

    I would be very happy about further hints or tips.
    Thank you for your support.

    Hape

  • Hello Hape,
    One additional pointer is "AM64x MCU+SDK package" as listed below:
    www.ti.com/.../08.03.00.18
    software-dl.ti.com/.../SECURITY_PKA_MODULE_PAGE.html
    Please note that
    - The package is only available on AM64x SoC.
    - The package is for your reference ONLY if you decide to port it to other SoCs on your own.
    Best,
    -Hong

  • Hello Hong,

    I'm interpreting your answer in such a way that the functions I'm looking for are actually not available/accessible on the AM65xx.

    Thanks for the link to the AM64xx SDK corresponding signature verification with PKA usage.
    Is the PKA HW on the AM65xx the same as on the AM64xx?

    Another question:
    Is there a type / variant of the AM64xx which would be pin-compatible with the AM6548-HS?

    Thank you for your help.
    Hape

  • Hello Hape,
    The HW crypto block (including PKA) is same/similar on AM65x/AM64x.
    If you have access to AM65x security resource download portal, you'll find K3 HW Crypto TRM addendum.
    Unfortunately AM64x SoC is not pin-to-pin compatible to AM65x SoC.
    Best,
    -Hong

  • Hello Hong,

    yes, I have security resource access.
    Do you mean with "K3 HW Crypto TRM addendum" the SPRUIL3B (Revised May 2022)?

    Is the PKA-usage on the AM6548 completely the same as on the AM64xx or is it just 'similar'?

    There was an update of the AM64x SDK:
    mcu_plus_sdk_am64x_08_04_00_17-windows-x64-installer.exe
    Can I take this or should I take the version 8.3 which you have linked above?

    Do you have a C-file or a function name of the AM64x SDK regarding the PKA functionality as a reference for me?

    Thanks again and best regards
    Hape

  • Hello Hape,
    Yes, K3 HW Crypto TRM covers K3 family SoCs (i.e. AM65x, AM64x...).
    I believe PKA block is the same for AM65x/AM64x.
    I'd recommend looking into the latest one: MCU+SDK 8.4.0.17
    software-dl.ti.com/.../EXAMPLES_DRIVERS_SA2UL_PKA_RSA_SIGN_VERIFY.html
    Best,
    -Hong
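
The three steps from the opening post, as an added example (not code from this thread or from any TI SDK): a host-side Python reference for RSASSA-PKCS1-v1_5 verification with SHA-512, which is an assumed signature scheme, usable for cross-checking a ported or PKA-based routine. The public-key operation in step 2 yields a padded block holding a DigestInfo header plus the hash rather than the bare hash, so step 3 compares the whole block; `toy_keypair` and `toy_sign` are constructed helpers built on an insecure key made from two Mersenne primes.

```python
import hashlib
import hmac

# ASN.1 DigestInfo header for SHA-512 (RFC 8017, section 9.2).
SHA512_DIGESTINFO = bytes.fromhex("3051300d060960864801650304020305000440")


def emsa_pkcs1_v15_sha512(data: bytes, k: int) -> bytes:
    """Expected k-byte encoded message: 00 01 FF..FF 00 DigestInfo hash."""
    t = SHA512_DIGESTINFO + hashlib.sha512(data).digest()  # step 1: hash
    if k < len(t) + 11:
        raise ValueError("modulus too short for a SHA-512 DigestInfo")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rsa_verify_sha512(data: bytes, sig: bytes, n: int, e: int) -> bool:
    """Return True only if sig is a valid PKCS#1 v1.5 signature over data."""
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")  # step 2: RSA public-key operation
    # Step 3: rebuild the expected block and compare all k bytes; parsing the
    # recovered padding instead is the classic source of forgery bugs.
    return hmac.compare_digest(em, emsa_pkcs1_v15_sha512(data, k))


def toy_keypair():
    """Constructed test key, NOT secure: both prime factors are well known."""
    p, q = 2**521 - 1, 2**607 - 1  # Mersenne primes
    n, e = p * q, 65537
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return n, e, d


def toy_sign(data: bytes, n: int, d: int) -> bytes:
    """Sign with the toy private key so the verifier has something to check."""
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(emsa_pkcs1_v15_sha512(data, k), "big")
    return pow(m, d, n).to_bytes(k, "big")


if __name__ == "__main__":
    n, e, d = toy_keypair()
    image = b"constructed sample payload"
    sig = toy_sign(image, n, d)
    print("valid signature:", rsa_verify_sha512(image, sig, n, e))
    print("modified data:  ", rsa_verify_sha512(image + b"!", sig, n, e))
```
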