AM6424: Security Boot

Zoey Wu

Part Number: AM6424

hi team

my customer is using AM64 and they have problems as below:

1. There is no tisdk_am64xx-hs-evm_defconfig in the SDK(08.06).
For SE device, is there any existing different configs & patches for the kernel?
If yes, could you please help share related info?
2. For security boot, the related binary images will be signed, but not encrypted currently.
Does AM64x support the binary encryption mode?
If yes, how to enable this mode in detail steps both for the OTP Keywriter & related image encryption & configs?
3. May I know what scenario will be used for the BMPKH/BMEK?
Could you please help elaborate more info about this KEY set if possible?

over 2 years ago

0 Prashant Shivhare over 2 years ago

TI__Guru* 81941 points

Hi,

1. The configs are common for HSFS and HSSE. There are no additional changes required in the Linux Kernel for HSSE.

2. The Processor SDK does not support encrypting the images.

3. The BMPK/BMEK is a set of backup keys. One scenario where you might activate B-keys and discard S-keys is:

Production

The OTP Keywriter is used in the factory to do the conversion from HSFS to HSSE. For conversion, at least the following are programmed:

S-keys (SMPK/SMEK)
B-keys (BMPK/BMEK)
KEYCNT => 2
KEYREV => 1 (active set of keys => S-keys)

Field

Suppose the SMPK is somehow compromised to an attacker so the attacker can boot their software signed with the compromised SMPK. In this case, you would want to discard the S-keys and activate the B-keys by triggering a KEYREV update.

[FAQ] AM6442/AM243: How to use the TISCI APIs (READ_KEYCNT_KEYREV & WRITE_KEYREV) to activate the backup key set - Processors forum - Processors - TI E2E support forums

After the KEYREV update:

KEYREV => 2 (active set of keys => B-keys)

Regards,

Prashant