AM6412: How to switch to BMPK in the field when the SMPK is compromised

Anh-Tuan Hoang

Part Number: AM6412

Tool/software:

TI team,

I am working on programming the SMPKH and BMPKH to enable secure boot on AM64x devices. My understanding is that we will need to update the KEYREV to 2 to enable authentication using the BMPK if the SMPK is compromised.

I am looking for guidance/recommendations on how to accomplish this in the field where we might have thousands of devices.

Can the KEYREV be updated via other mechanisms besides the OTP keywriter running on the R5?
Is possible to update the KEYREV from Linux or OPTEE?
Anything else needs to be updated besides the KEYREV to enable authentication using the BMPK?
What are TI's recommendation methods?

Thanks

Anh-Tuan

2 months ago

0 Prashant Shivhare 2 months ago

TI__Guru 57501 points

Hello,

1. The KEYREV is not updated using the OTP Keywriter.

2. It is possible but we don't have a guide for this. Instead, the MCU+ SDK has an example for KEYREV update (https://software-dl.ti.com/mcu-plus-sdk/esd/AM64X/10_01_00_32/exports/docs/api_guide_am64x/EXAMPLES_RUNTIME_KEYREV.html).

3. No. The KEYREV update is sufficient for activating the BMPK/BMEK keys.

4. It is the responsibility of the user to design the keyrev update mechanism.

Regards,

Prashant

0 Anh-Tuan Hoang 2 months ago in reply to Prashant Shivhare

Prodigy 50 points

Thank you for your response. Just a few follow up questions to confirm my understanding.

1. If we configured the sec-cfg to allow writes to the extended OTP from OPTEE (host 11), does that mean we will need to update the KEYREV from OPTEE as well?

2. TI provides an example to update the KEYREV in the MCU+SDK, does this means TI recommends updating the KEYREV via the bootloader?

3. How do I get access to version 10.01.00 of the MCU-SDK? Currently, I can only get access up to version 10.00.00.

0 Anh-Tuan Hoang 2 months ago in reply to Anh-Tuan Hoang

Prodigy 50 points

Clarification:

For #3, I meant the corresponding add-on keywriter for 10.01.00 MCU-SDK.

+1 Prashant Shivhare 2 months ago in reply to Anh-Tuan Hoang

TI__Guru 57501 points

Hello,

1. Yes. The `write_host_id` field in the Secure Board configurations dictates the single host id that can write to the OTP.

2. The example is only a reference not a recommendation. The only restriction is if using the MCU+ SDK, the KEYREV update can only be requested during the bootloader stage.

3. There is no add-on keywriter for MCU+ SDK v10.01.00. The Keywriter packages are released for specific SDK releases only.

Regards,

Prashant

0 Anh-Tuan Hoang 1 month ago in reply to Prashant Shivhare

Prodigy 50 points

I am looking into the option to update KEYREV via OPTEE/Linux. I noticed that TI currently defines TISCI_MSG_WRITE_KEYREV in the ti_sci_protocol.h, but does not provide an implementation for it in the TI OPTEE OS. See drivers « plat-k3 « arm « arch « core - optee/ti-optee-os - Texas Instruments OPTEE source and binary information.

1. Is possible to extend the driver to support TISCI_MSG_WRITE_KEYREV? Any reason why TI does not support this message?

2. TISCI_MSG_WRITE_KEYREV message requires the location of the dual signed certificate. How do we load the dual signed certificate into memory from OPTEE?

Thank you

0 Prashant Shivhare 1 month ago in reply to Anh-Tuan Hoang

TI__Guru 57501 points

Hello,

As I have already conveyed, it is possible to program the KEYREV from OPTEE but we don't have the support for the same.

Please have a look at the following thread:

https://e2e.ti.com/support/processors-group/processors/f/processors-forum/1443398/am6442-writing-to-swrv-and-keyrev-fuses-in-a-linux-environment

If it matters, some customers have indeed added OTP programming in the OPTEE on their own:

https://e2e.ti.com/support/processors-group/processors/f/processors-forum/1466424/am623-optee-message-not-acknowledged

Regards,

Prashant

Processors

Processors forum

AM6412: How to switch to BMPK in the field when the SMPK is compromised