PROCESSOR-SDK-AM64X: Secure boot

Expert 2831 points

Part Number: PROCESSOR-SDK-AM64X

Tool/software:

Hello,

My customer is developing AM6xx.

May I have question about secure boot?

I think if use SBL + **.appimage (MCU+SDK), all binary could encryption. (Security is x.509cert + code encryption)

But if use Linux, we can encryption only ATF, OPTEE. and U-boot/SPL and kernel image binary is not supported for encryption. (security is only x.509cert)

Is this correct?

Do you have plan for support encrypting U-boot, SPL, and kernel image(binary)?

If 1 is correct, I think it have probrem for security.

Because secure teritory is only x.509certificate, main code is not encrypted.

Or Is it mean it is enough for security only checking code's hash with image hash in x.509 certificate??

Thanks,

1 month ago

0 Hong Guan64 1 month ago

TI__Guru 63255 points

Hi GR,
There're two aspects in general:
- integrity via signatuere authentication
- confidentiality via encryption/decryption
Secure boot is currently supported in Linux SDK for integrity check only via signature authentication, but not for binary decryption.
Best,
-Hong

0 GR 1 month ago in reply to Hong Guan64

Expert 2831 points

Hello Hong,

Thanks for your information.

Hong Guan64 said:
Secure boot is currently supported in Linux SDK for integrity check only via signature authentication, but not for binary decryption.

I understand that Linux SDK does not support decryption.

So ATF and OPTEE are not cryptioned? is it only x.509 cert?

And is it enough generally only signature authentication(x.509) for device security ?

I would appreciate it if you could tell me if there is a document on Security risk.

Best regards,

+1 Hong Guan64 1 month ago in reply to GR

TI__Guru 63255 points

Hi GR,
RoT (Root-Of-Trust) secure boot is established starting from onchip boot rom verify the very first stage user bootloader, where the integrity of the bootloader is verified via signature authentication. The chain of secure boot is extensible by bootloader verifying the next stage SW binary, and so-on as necessary...

One reference is verified boot on integrity check via signature authentication in chrome OS
https://www.chromium.org/chromium-os/chromiumos-design-docs/verified-boot/
https://www.chromium.org/chromium-os/chromiumos-design-docs/verified-boot-crypto/

Best,
-Hong

0 GR 1 month ago in reply to Hong Guan64

Expert 2831 points

Hi Hong,

Thanks a lot for your information.

I understand.

Best regards,

Processors

Processors forum

PROCESSOR-SDK-AM64X: Secure boot