Does TDA4AL secure boot support encrypted and signed secure boot forms？

Kevin YUE

Prodigy 50 points

Hi TI experts:

from LINK ：https://software-dl.ti.com/tisci/esd/latest/6_topic_user_guides/secure_boot_signing.html#,

I find have two secure boot scheme：
1.Signing an unencrypted binary for secure boot

2.Signing an encrypted binary for secure boot

my question：

1.if TDA4AL support encrypted and signed secure boot scheme?

2.For scheme 1, if the signature is not encrypted, the program and hash value of the bootloader may be replaced. So, how can we ensure the authenticity of the bootloader?

over 1 year ago

0 Diwakar Dhyani over 1 year ago

TI__Guru 55965 points

Kevin YUE said:
1.if TDA4AL support encrypted and signed secure boot scheme?

This a foundational security function all the TDA4X HS-SE devices support this feature including TDA4AL .

Only HS-SE devices has the secure boot functionality.

Kevin YUE said:
2.For scheme 1, if the signature is not encrypted, the program and hash value of the bootloader may be replaced. So, how can we ensure the authenticity of the bootloader?

1.Authenticity is maintained by signing the image and integrity is maintained using encryption.

In the secue bot flow:

Bootloader is only signed: In this case first the hash of the public key will get compared with the hash of public key present in the efuses , if it matches then we do the authentication of the digital cetificate.
Bootloader is encrypted and signed : In this also we do match the has of the public key followed by authentication the decryption.

In both of the case the authenticity of the image is maintained.

also if you are changing the hash in the certificate you need to re-sign the certificate with the root trust keys.And that can only be done by authenticated person.

Regards
Diwakar