
AM625: Different certificate for tispl.bin and u-boot compared to tiboot3.bin

Part Number: AM625


Hello

Is it possible to use a different certificate for tispl.bin and u-boot compared to tiboot3.bin?

What I want is tiboot3.bin to be authenticated with the fused “certificate” and tispl and u-boot authenticated with a “certificate” compiled into tiboot3.bin.

Is this something that tiboot3.bin software supports?

Best regards

Magnus

  • Hello,

    May I know the use case for such requirement?

    In normal boot flow, the `tispl.bin` & `u-boot.img` are authenticated with the programmed key on the HSSE device.

    Regards,

    Prashant

  • Hello,

    I understand the normal boot flow use the programmed key on the HSSE device.

    In our case we use "Falcon boot" to speed up the boot. We use tiboot3.bin and then tispl.bin, which includes Linux and the DTBs.

    If we in the future want to do a software update on tispl.bin, e.g. Linux, we want to have a separate "certificate" just for that image. The tiboot3.bin will use our "super secret" certificate and tispl.bin another certificate.

    Regards

    Magnus

  • Hello,

    "tispl.bin which includes linux and dtbs."

    This "tispl.bin" is a fitImage in which the individual components are signed at compile time and authenticated at run time. The authentication is done with the programmed active key on the HSSE device. This helps maintain the chain of trust.

    Regards,

    Prashant

  • Hello,

    The chain of trust will not be broken if tispl.bin is authenticated with an asymmetric public key stored in tiboot3.bin, which was authenticated with the programmed key on the HSSE device.

    Actually, my question is: is there any functionality in tiboot3.bin to authenticate tispl.bin with a different key rather than the active programmed key in the HSSE device?

    Regards

    Magnus

  • Hello,

    "Is there any functionality in tiboot3.bin to authenticate tispl.bin with a different key rather than the active programmed key in the HSSE device?"

    The TIFS only supports authentication with the active programmed key on HSSE device. So, this is not possible at least with the default secure boot architecture.

    You may evaluate if the generic U-Boot has authentication support in software. If yes, you may use that for your use case.

    Regards,

    Prashant