Part Number: AM6412
Hi TI support,
I am working on enabling secure boot on our custom board. I would like to use the RSA PSS scheme to sign the certificates for the bootloaders. I updated binman openssl.py to add the following `'-sigopt', 'rsa_padding_mode:pss', '-sigopt', 'rsa_pss_saltlen:64'` to all functions that generate the certificate, based on "Using OpenSSL for certificate creation — TISCI User Guide".
The certificate has the expected signature algorithm (for tiboot3.bin in this case):

```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            16:e4:45:eb:f5:77:a0:79:46:02:b3:ae:f2:db:bd:03:77:84:28:8b
        Signature Algorithm: rsassaPss
        Hash Algorithm: sha512
        Mask Algorithm: mgf1 with sha512
        Salt Length: 0x40
        Trailer Field: 0x01 (default)
        Issuer: C = US, ST = TX, L = Dallas, O = Texas Instruments Incorporated, OU = Processors, CN = TI Support, emailAddress = support@ti.com
        Validity
            Not Before: Mar 2 19:12:04 2025 GMT
            Not After : Apr 1 19:12:04 2025 GMT
        Subject: C = US, ST = TX, L = Dallas, O = Texas Instruments Incorporated, OU = Processors, CN = TI Support, emailAddress = support@ti.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
```
The OTP has been programmed with SMPK, BMPK, and KeyRev. It is an HS-SE device, and it boots fine if I sign the certificate with PKCS#1 v1.5 padding (default), but it won't boot if I sign with PSS padding. No error on either UART0 or UART1.
1. Does TI support authentication/verification with PSS padding?
2. Any other update needed? What could be a potential issue?
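
One way to confirm off-target which signature scheme each build of the certificate actually declares, so a PKCS#1 v1.5 image and a PSS image can be compared field by field (an added example, not part of the original post and not TI or binman code). It parses DER with the Python standard library only; the function and constant names are this example's own, and the sample bytes are a constructed certificate skeleton carrying the parameters shown in the dump above.

```python
# Added example: report the signature scheme a DER-encoded certificate declares.
PSS, MGF1, SHA512 = "2a864886f70d01010a", "2a864886f70d010108", "608648016503040203"
OIDS = {PSS: "rsassaPss", MGF1: "mgf1", SHA512: "sha512",
        "2a864886f70d01010d": "sha512WithRSAEncryption"}   # keyed by hex of the encoded OID

def oid_name(value):
    return OIDS.get(value.hex(), value.hex())          # unknown OIDs are shown as raw hex

def read_tlv(buf, pos=0):                              # -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def describe(alg_id_body):
    fields = children(alg_id_body)                     # [OID, optional parameters]
    info = {"scheme": oid_name(fields[0][1])}
    if info["scheme"] != "rsassaPss":
        return info
    info.update(hash="sha1", mgf_hash="sha1", salt_len=20)   # RFC 4055 defaults for absent fields
    for tag, val in (children(fields[1][1]) if len(fields) > 1 else []):
        inner = read_tlv(val)[1]                       # contents under the EXPLICIT [n] wrapper
        if tag == 0xA0:
            info["hash"] = oid_name(children(inner)[0][1])
        elif tag == 0xA1:                              # mgf1 carries its hash as a nested AlgorithmIdentifier
            info["mgf_hash"] = oid_name(children(children(inner)[1][1])[0][1])
        elif tag == 0xA2:
            info["salt_len"] = int.from_bytes(inner, "big")
    return info

def cert_signature_scheme(cert_der):
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    return describe(children(read_tlv(cert_der)[1])[1][1])

# Constructed sample: certificate skeleton (empty TBS and signature) with the dump's PSS parameters.
def tlv(tag, body):                                    # sample builder, short-form lengths only
    return bytes([tag, len(body)]) + body
_oid = lambda h: tlv(0x06, bytes.fromhex(h))
_sha512 = tlv(0x30, _oid(SHA512) + tlv(0x05, b""))
_params = tlv(0x30, tlv(0xA0, _sha512) + tlv(0xA1, tlv(0x30, _oid(MGF1) + _sha512)) + tlv(0xA2, tlv(0x02, b"\x40")))
SAMPLE_PSS = tlv(0x30, tlv(0x30, b"") + tlv(0x30, _oid(PSS) + _params) + tlv(0x03, b"\x00"))
```

To run it on a real certificate, convert it to DER first and pass the file's bytes to `cert_signature_scheme`.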