DRA829V: HSM implementation

Part Number: DRA829V
Other Parts Discussed in Thread: TDA4VL, TDA4VH, DRA821, DRA829

Hi,

I am working on an AUTOSAR project that requires crypto drivers and HSM support. I need to know the following things:

1. Is the DMSC in the DRA829V actually an HSM?

2. For developing/running AUTOSAR-compliant crypto drivers on the DRA829V, what changes do I have to make in the DMSC?

3. Where can I find the relevant examples/documentation regarding HSM in Jacinto processors?

  • Hi Prashanth,

    1. I am not sure what your definition of HSM is. The DMSC in DRA829V has a Cortex-M3 core that runs a TIFS firmware which is delivered only in binary form. What DRA829V device type are you using?

    2. The TIFS itself does not provide support for any crypto operations by itself. The only supported features are what is needed to authenticate and decrypt the boot binaries.

    3. The TIFS interface documentation is all part of the TISCI User Guide documentation.

    I am not sure of the background here, but can you confirm if you are trying to add your own Security stack? 

    regards

    Suman

  • Hi Suman,

    Thanks for your reply and for sharing the user guide. As I am new to AUTOSAR and crypto, I do not know to what extent my queries are understandable to an experienced person.

    1. By HSM, I referred to hardware with a separate core and secure memory to handle all the crypto-related things like managing/storing keys, acceleration for crypto algorithms, etc. I have seen from the TRM that the DMSC contains an AES module. So whether this DMSC is another name for TI's HSM (Hardware Security Module) is one doubt.

    2. From Piyali Goswami's reply to one of the DMSC queries (https://e2e.ti.com/support/processors-group/processors/f/processors-forum/982429/tda4vm-the-function-changing-on-dmsc-and-wkup-domain?tisearch=e2e-sitesearch&keymatch=DMSC#), I understand that we can program the DMSC if the HSM is required. That is why I asked about the changes required for running crypto drivers.

    In short, what I am looking for is not to add my own security stack, but to implement the crypto-related things in the J721EXSOMG01EVM. Some documents say that it can be implemented in software, but that will use main processor time and the load on the CPU will increase. Another method is to check whether there is any hardware support (HSM) for the same. In this case, I am thinking that I can modify the DMSC to access the hardware for implementing these crypto-related things.

  • Hi Prasanth,

    1. Yes, thanks for clarifying. The DMSC (Device Management Security Controller) is the name used in the TRM for the h/w block dealing with the runtime security. The Cortex-M3 core within DMSC is indeed reserved for performing the secure boot and authentication within the firmware called TIFS (TI Foundational Security).

    Please see the TI-SCI User Guide that provides an overview and all the features supported by the TIFS firmware.

    The TIFS by itself doesn't provide all your desired HSM features like a s/w keystore, perform crypto operations etc. All of these features have to be developed by 3P Security Vendor companies like yours and integrated on top of the TIFS software on DRA829 and DRA821 devices. The newer generation TDA4VL and TDA4VH devices have a new block called SMS (Security Management Subsystem) which has two Cortex-M4 cores, with one that would run the TIFS firmware and the other a customer-chosen HSM software stack.

    2. Yes, any HSM stack would have to be written on top of the TIFS firmware. These need special DRA829 devices so that the TIFS signing by TI keys can be bypassed, and directly signed with customer keys.

    > In short, what I am looking for is not to add my own security stack, but to implement the crypto-related things in the J721EXSOMG01EVM. Some documents say that it can be implemented in software, but that will use main processor time and the load on the CPU will increase.

    The TIFS does not provide the crypto encryption services. It only provides authentication and decryption services. Please see the System Firmware Authentication and Decryption Requests for details. You would either have to rely on the MAIN domain SA2UL and Crypto drivers that the HLOS may provide (e.g., we have a Linux driver but nothing with QNX).

    > In this case, I am thinking that I can modify the DMSC to access the hardware for implementing these crypto-related things.

    You will need special devices for this. Please contact your TI representative or point of contact if you want to look further into this approach. This cannot be discussed on the public forum.

    regards

    Suman

  • Hi Suman,

    Thank you for the detailed reply. Now I have understood the overall idea regarding the solution to my problem. Thanks again for your reply.