PROCESSOR-SDK-AM64X: OTP Keys Certificate

Huynh Nguyen

Hello,

I have two questions :

1. SWREV fields : COARDCONFIG, SBL and SYSFW are these for the TI usage and not related to customer's application software revision ?

Is there any field in the Customer's OTP that can be used for application SW revision ? Or is it already part of magic number in the Application Certificate ?

In that case the new update of application software has nothing to do with the OTP and do not worry about writing any application revision to this OTP area ?

2. OTP Keys Certificate : is this one -to- one to CPU when the certificate is generated and cannot be used to other CPU (KEK is RGN for each CPU)?

So customer's keys should be programmed using the KW when the certificate is generated together ?

3. Can the keys be programmed later using the pre-generated OTP Keys Certificate (it's certificate) ?

4. For the best practical production should the blank CPU (HS-FS) to be programmed with the keys (HS-SE) before sending to the assembly house ?

This question is for the reason of keys protection which CPU cannot be programmed at the outside assembly house.

Any recommendation fixture with special socket for this purpose to pre=program the keys before assembly ?

Regards;

Huynh

9 months ago

0 Prashant Shivhare 9 months ago

TI__Guru 50051 points

Hi Huynh,

1) I will check on this and get back to you.

2) The Keywriter certificate is generated on the host machine independently. So, it's not tied to any particular SoC. The same keywriter certificate can be used to program multiple SoCs.

3) The keys can be programmed at any time as long as the SoC state is still HSFS.

4) The production programming is completely your design. If there is a doubt about keys protection then the certificate contains them in encrypted form. These can only be decrypted by the TIFS Keywriter at run time.

Regards,

Prashant

0 Huynh Nguyen 9 months ago in reply to Prashant Shivhare

Prodigy 240 points

For question 2) : OTP Keywriter Certificate generation. It is confusing a bit due to the diagram shows that KEK(256b) inside the SoC is RGN generated per SoC device and used it to encrypt all the keys etc How can one certificate be use for all SoC? One more question is how the certificate be generated without accessing the SoC to get the KEK before generating the certificate. Yes the procedure is showing that accessing the SoC is not needed during generating the certificate. The question is HOW to get to the KEK ?

0 Huynh Nguyen 9 months ago in reply to Prashant Shivhare

Prodigy 240 points

Also in question 2) : for OTP Keywriter Certificate generation script : can we use -b <path_to_customer_keys>/bmpk.pem --bmek <path_to_customer_keys>/bmek.pem ..... where <path_to_customer_keys> is the link to the customer HSM (secure server) ?

0 Prashant Shivhare 9 months ago in reply to Huynh Nguyen

TI__Guru 50051 points

Hi Huynh,

The KEK is not used anywhere in the OTP Keywriter certificate generation process. May I know what document you are referring that suggests the use of KEK?

Regards,

Prashant

0 Huynh Nguyen 9 months ago in reply to Prashant Shivhare

Prodigy 240 points

Hi Prashant,

https://software-dl.ti.com/tisci/esd/latest/6_topic_user_guides/key_writer.html

Regards,

Huynh

0 Prashant Shivhare 9 months ago in reply to Huynh Nguyen

TI__Guru 50051 points

Hi Huynh,

The diagram in the link

https://software-dl.ti.com/tisci/esd/latest/6_topic_user_guides/key_writer.html#hs-fs-to-hs-se-conversion

does not suggest that KEK is used in the OTP Keywriter procedure. The diagram shows the programmed fields in the e-fuses before and after the OTP Keywrirer procedure.

So, the KEK and the TI keys already comes programmed in the e-fuses. After the OTP Keywriter procedure, the customer specific keys and other data also gets programmed in the e-fuses.

Regards,

Prashant

0 Huynh Nguyen 9 months ago in reply to Prashant Shivhare

Prodigy 240 points

Prashant,

If you look at the following page of the Procedure : step 1 where RGN AES256 key is used for encrypting all other customer's keys in steps 2 and 3 and finally signed with SMPK and BMPK in step 4. Isn't it KEK the RGN AES256 ?

If that is not then what is KEK is using for ? I understood that is what it is so the keywriter certificate is personalized PER CPU. If it is not correct then please explain the purpose of KEK and its usage .

Thanks,

Huynh

+1 Prashant Shivhare 9 months ago in reply to Huynh Nguyen

TI__Guru 50051 points

Hi Huynh,

The AES-256 Key in Step1 is just any random key used for encrypting the different data in Step2. The Step3 saves this random AES-256 key encrypted by the TIFEK in the certificate. The TIFS at run time decrypts it and gets the decrypted AES-256 key which is then used to decrypt all the other encrypted data from Step2.

Huynh Nguyen said:
If that is not then what is KEK is using for ?

Please refer to the following guide for the usage of KEK

https://software-dl.ti.com/tisci/esd/latest/6_topic_user_guides/dkek_management.html

Regards,

Prashant

Processors

Processors forum

PROCESSOR-SDK-AM64X: OTP Keys Certificate