• State
  • Locked Locked
  • Replies 6 replies
  • Subscribers 99 subscribers
  • Views 350 views
  • Users 0 members are here
Support feedback
Options
Options
Related

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

TDA4VM-Q1: Security Spec. Problem about TDA4

Gibbs Shih
Expert 5245 points
Part Number: TDA4VM-Q1
Other Parts Discussed in Thread: TDA4VP-Q1, DRA821U, TDA4AP-Q1, TDA4AH-Q1, TDA4VM, TDA4VL, TDA4VH-Q1

Tool/software:

Hi, Dear Expert

Some question need to be double check from customer,

  1. Does TDA4 has TPM or HSM? HSM
  2. Does TDA4 has secure flash to store filesystem encryption key? Secure firmware (ex:randisk), but not secure all flash (ex, eMMC)
  3. Does TDA4 has rachet fuse to support rollback prevention? NO

Pls help me double check "red replies mark"

Thank You

Gibbs

  • 0
    TI__Guru 56415 points

    HI Gibbs,

    Gibbs Shih said:
    • Does TDA4 has TPM or HSM? HSM

    Which device we are talking about here? TDA4VM, DRA821U are DMSC based security controller where we have only one M3 core, whereas TDA4VE TDA4AL TDA4VL TDA4VH-Q1, TDA4AH-Q1, TDA4VP-Q1, TDA4AP-Q1 has SMS based security controller where we have two M4 core, one for TIFS and other is for HSM.

    Gibbs Shih said:
    Does TDA4 has secure flash to store filesystem encryption key? Secure firmware (ex:randisk), but not secure all flash (ex, eMMC)

    They can store the keys into the effuses.

    Gibbs Shih said:
    1. Does TDA4 has rachet fuse to support rollback prevention? NO

    SWREV field in the Effuses used by the ROM and TIFS to support anti rollback protection.For more detail you can refer to the "K3 Security Hardware Architecture" present in secure resources.

    Regards
    Diwakar

  • 0 in reply to Diwakar Dhyani
    TI__Expert 5245 points

    Hi, Diwakar

    Thanks you replies

    Few question.

    1. TDA4VM only has DMSC based security controller. Is fuse access managed by DMSC? Does it support key derivation function?
    2. Is there a sample or reference guide for disk encryption? How may fuses could be applied as disk encryption key?
    1. Is there a sample or reference guide for rollback protection?

    Gibbs

  • 0 in reply to Gibbs Shih
    TI__Guru 56415 points

    HI Gibbs,

    Gibbs Shih said:
    TDA4VM only has DMSC based security controller. Is fuse access managed by DMSC? Does it support key derivation function?

    TIFS run on the DMSC core(M3) and it does provide a service to retrieve the derived version of the KEK.For more detail you can check the TISCI Documentation.

    Gibbs Shih said:
    Is there a sample or reference guide for disk encryption? How may fuses could be applied as disk encryption key?

    We dont have any example as such but one quick question , does customer want to encrypt the rootfile system or what, can you elaborate more on the usecase?

    Gibbs Shih said:
    Is there a sample or reference guide for rollback protection?

    This feature is already getting used in the secure boot flow. Currently we are singing the bootloader,TIFS,secure board config with the SWREV =1. As the default value of the SWREV bits in the effuses is 1  on HS-SE production devices.

    Do let me know if you have further question on this topic.

    Regards
    Diwakar

  • 0
    Expert 1095 points

    Hi Diwakar,

    1. Thanks for your information about KEK and rollback protection. I will see how to enable it in TDA4VM.

    Diwakar Dhyani said:
    We dont have any example as such but one quick question , does customer want to encrypt the rootfile system or what, can you elaborate more on the usecase?

    2. Our customer would like to encrypt the whole rootfs and also enable DM-verity in the same time. My question is that are these two features already implemented in TDA4VM and could these two features work together? If not yet, will TI implements them, or I have to implement them myself?

    3. Is there a way to disable JTAG/RCM/UART/SD card permanently for MP? I mean are there specific fuses for this purpose. 

  • 0 in reply to Jay Sun
    TI__Expert 5245 points

    Hi, Diwakar

    Jay Sun is mu customer, both of us have some questions for TDA4 encryption support.

    Share some idea what I know,

    Q2/A2 : Encrypted filesystems.

    Pls ref. https://e2e.ti.com/support/processors-group/processors/f/processors-forum/1387940/am62a7-emmc-full-disk-encryption?tisearch=e2e-sitesearch&keymatch=emmc%20encryption#

    Q3/A3 : Is there a way to disable JTAG/RCM/UART/SD card permanently for MP?

    Once TDA4 becomes HS-SE device, JTAG access was locked (disable). Buy what's mean "RCM"? 

    TIFS run on the DMSC core (M3), and it also responsible for Resource Management (RM) & TIFS also need authenticate & decrypt when boots.

    I think RM could be also manage peripheral access. so I guess the question should be how to disable UART/SD access in TIFS when TDA4 become HS-SE? Basically customer should  implement by themself, isn't?

    HI, Diwakar

    If I say anything wrong, pls correct me.

    Thank You Very Much

    Gibbs

  • 0 in reply to Gibbs Shih
    TI__Guru 56415 points

    HI Gibbs,

    Gibbs Shih said:

    Q2/A2 : Encrypted filesystems.

    Apart from this if you are looking for just want to implement secure storage, you can also refer https://optee.readthedocs.io/en/latest/architecture/secure_storage.html.

    Gibbs Shih said:

    Q3/A3 : Is there a way to disable JTAG/RCM/UART/SD card permanently for MP?

    Not sure what is RCM here.Correct JTAG is by default locked on HS-SE device to unlock the JTAG we need to pass debug certficate. Ref(https://software-dl.ti.com/tisci/esd/latest/6_topic_user_guides/secure_debug.html).

    Disabling the peripheral like UART,SD is customer responsibility.

    Regards
    Diwakar