AM6442: Can secure boot not be used if I cannot get the RSA private key?

Part Number: AM6442


Hi, I'm working on the AM6442 HS-SE, and already have secure boot working with the TI dummy key (keys in the SDK's uboot/board/ti/keys/).

And now I'm finding out how to make the AM6442's secure boot run with the company's security keys.

In the company I work for, we are unable to get the private key in any way.

What we can do is just give a file's hash to the security system, and then we will receive a signature in PKCS7 format. And we can get the signer's certificate (public key in it).

That's all.

But when I read the script which creates the OTP Keywriter's input, keycert.h,

I found out that the private key is needed to:

1. Sign the AES256 key which is used to encrypt other keys.

2. Get the public key.

3. Create a self-signed X.509 certificate which includes "encrypted aes256 key" "encrypted digital sign of aes256 key" "encrypted public key hash" "encrypted key for encrypt boot".

I think I can make some changes in the script for "1" and "2", then the private key would not be needed; that's not a big deal.

But for 3, I cannot imagine how to create the X.509 without the private key in my hand.

I'm not an expert in RSA keys/encryption/decryption/certificates, but I have already worked on these for a fairly long time.

So, does it mean that with the company's security rules, we have no way to use the AM6442's secure boot?

  • Hello,

    But for 3, I cannot imagine how to create the X.509 without the private key in my hand.

    In the keywriter certificate generation script, the certificate is signed using the OpenSSL tool. Likewise, you may present the certificate to your security system & ask it to return the signed certificate.

    Regards,

    Prashant

  • Thanks for your suggestion.

    Likewise, you may present the certificate to your security system & ask it to return the signed certificate.

    Before presenting the certificate to our security system, the certificate has to be created, I think.

    And in my understanding, creating a certificate needs the private key.

    But in our security system, we can only provide a file's hash to get a CMS format certificate (only the hash's digital signature in it; we cannot add other attributes or content to the certificate). There is no other API to do other things with the private key.

    Maybe my understanding is wrong, and I hope that.

  • Before presenting the certificate to our security system, the certificate has to be created, I think.

    The certificate is given as a template text file, which contains the extensions, to OpenSSL which then generates the signed certificate blob.

    Likewise, your security system could support such a procedure.

  • The certificate is given as a template text file, which contains the extensions, to OpenSSL which then generates the signed certificate blob.

    Likewise, your security system could support such a procedure.

    Our security system is a web system; it has a web page to upload the hash of the file which we want to sign. That's all we can do with the web system.

    Behind the web system, it may use OpenSSL, or maybe something else.

    And you are suggesting that the web system could add a new function (a new web page) to create a certificate from a template file?

  • And you are suggesting that the web system could add a new function (a new web page) to create a certificate from a template file?

    Theoretically, yes.

    Please note this is not a recommendation or anything. This is your security system so it is your responsibility to evaluate how to generate the certificate blob. TI provides the reference script which is designed to generate the certificate assuming the keys are available in the local filesystem. If your design deviates from this, it is your responsibility to evaluate how to generate the final certificate blob.

    The following documentation explains the procedure for the keywriter certificate generation:

    https://software-dl.ti.com/tisci/esd/latest/6_topic_user_guides/key_writer.html#procedure

  • Please note this is not a recommendation or anything. 

    I understand that. I just want to ensure that there is really no other way to create the certificate unless I can get the private key or add a new function to our security system.

    Because I'm not sure my understanding of RSA keys is enough.

    Thanks for your reply, and I will try to discuss the situation with my colleague.

  • Hello,

    I just want to ensure that there is really no other way to create the certificate unless I can get the private key or add a new function to our security system.

    There definitely could be other ways but you would need to search the internet for that.

    Like the following Stack Overflow discussion:

    https://stackoverflow.com/questions/28692034/sign-certificate-in-pkcs11

    There is a similar response from the community as well on the following E2E thread:

    https://e2e.ti.com/support/processors-group/processors/f/processors-forum/1469566/am6442-extending-yocto-tiboot3-bin-build-to-support-hsm/5657046#5657046

    Regards,

    Prashant
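
An X.509 signature covers only the DER-encoded tbsCertificate, so a signer that accepts a hash can sign a certificate it never sees. The following is an added example, not part of the thread or of TI's keywriter script: it splices an externally produced signature into a certificate template. It assumes the service returns a raw RSA PKCS#1 v1.5 signature over a SHA-512 digest (a CMS response with signed attributes would not qualify); `remote_sign`, the toy key and the template bytes are constructed stand-ins.

```python
import hashlib

# Assumed algorithm: sha512WithRSAEncryption (OID 1.2.840.113549.1.1.13), PKCS#1 v1.5.
SIG_ALG = bytes.fromhex("300d06092a864886f70d01010d0500")
SHA512_PREFIX = bytes.fromhex("3051300d060960864801650304020305000440")  # RFC 8017

def tlv(tag, body):  # DER-encode one tag/length/value element
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def read_tlv(buf, off=0):
    """Return (value, offset just past the element) for the element at off."""
    n, off = buf[off + 1], off + 2
    if n & 0x80:  # long-form length
        n, off = int.from_bytes(buf[off:off + (n & 0x7F)], "big"), off + (n & 0x7F)
    return buf[off:off + n], off + n

def split_cert(cert_der):  # -> (raw tbsCertificate DER, signature bytes)
    body, _ = read_tlv(cert_der)
    _, tbs_end = read_tlv(body)
    _, alg_end = read_tlv(body, tbs_end)
    bits, _ = read_tlv(body, alg_end)
    return body[:tbs_end], bits[1:]  # drop the BIT STRING unused-bits octet

def splice_signature(template_der, sign_digest):
    """Re-sign a template; only the SHA-512 digest of tbsCertificate leaves this host."""
    tbs, _ = split_cert(template_der)
    sig = sign_digest(hashlib.sha512(tbs).digest())
    return tlv(0x30, tbs + SIG_ALG + tlv(0x03, b"\x00" + sig))

# Constructed stand-in for the signing service: toy RSA key from two Mersenne primes, NOT secure.
E, P, Q = 65537, 2**521 - 1, 2**607 - 1
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8

def emsa(digest):
    t = SHA512_PREFIX + digest  # DigestInfo, then EMSA-PKCS1-v1_5 padding
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
def remote_sign(digest):  # hypothetical service call: digest in, raw signature out
    return pow(int.from_bytes(emsa(digest), "big"), D, N).to_bytes(K, "big")
def verify(cert_der):
    tbs, sig = split_cert(cert_der)
    return pow(int.from_bytes(sig, "big"), E, N).to_bytes(K, "big") == emsa(hashlib.sha512(tbs).digest())

# Constructed template: placeholder tbsCertificate fields and an all-zero signature.
TBS = tlv(0x30, tlv(0x02, b"\x01") + SIG_ALG + tlv(0x0C, b"constructed keywriter extensions"))
TEMPLATE = tlv(0x30, TBS + SIG_ALG + tlv(0x03, b"\x00" + bytes(K)))
```

With a real certificate, the inner signature field of tbsCertificate must name the same algorithm as the outer one, and subjectPublicKeyInfo must already carry the signer's public key before the digest is taken.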