TMDS64GPEVM: U-Boot: how to provide environment variables protection

Jakub Grad

Part Number: TMDS64GPEVM
Other Parts Discussed in Thread: AM6442

In our custom product based on AM6442 SoC we want to provide security level to safely store u-boot environment variables in .env file somewhere on mass storage. For now .env file is stored as plain text and this create security hole in our product. We want to prevent to someone replace this file with his u-boot environment variables. The question is:

1. It is possible to encrypt this env file by for example key burned in SoC by efuses or any other way?

2. Moving whole environment to u-boot source code is also not our case because few environment variables need to be modified by RAUC (which we are using to update software). So the key need to be also known to RAUC to decrypt env file.

Jakub

over 1 year ago

0 Hong Guan64 over 1 year ago

TI__Guru 70320 points

Hello Jakub,
Here is one option for your user case:
- sign the binary blob (i.e. .env file) with SMPK => signed binary blob = "x.509 + binary blob"
- verify the signed binary blob by calling TISCI API
software-dl.ti.com/.../PROC_BOOT.html

You may refer to secure boot flow for the concept
software-dl.ti.com/.../Foundational_Components_Secure_Boot.html

Best,
-Hong

0 Jakub Grad over 1 year ago in reply to Hong Guan64

Intellectual 730 points

Hello Hong

Thanks for response. Could you provide some code example how to use TISCI API? What is SMPK tool? Is it provided with sdk?

Jakub

0 Hong Guan64 over 1 year ago in reply to Jakub Grad

TI__Guru 70320 points

Hello Jakub,
This is u-boot code calling the TISCI API for binary blob verification.
git.ti.com/.../security.c

We have AM64x security resource download portal, where security collaterals, links/tools... are hosted
Customer may request access to the portal via the link
www.ti.com/.../swlicexportcontrol.tsp

Best,
-Hong

Processors

Processors forum

TMDS64GPEVM: U-Boot: how to provide environment variables protection