AM6412: Different key terminology in secure boot process.

wei ye

Intellectual 410 points

Part Number: AM6412

Tool/software:

Hi,

I'm reading the AM64X_AM243X_OTP_Keywriter_User_Guide but I'm confused about the terminology for the different keys.

Could you please check if my understanding is correct?

1. AES-256 key is generated by customer's random number generator tool. This key is used to encrypt and decrypt OTP data/image content.

2. TI FEK is provided by TI which means you can decrypt any information which is encrypt by AES key theoretically. Or customer can replace TI FEK with their own key?

3. SMPK-Priv is RSA private key which generated by customer and should be keep secret. It is only used for sign.

4. SMPK-Pub is RSA public key which generated by customer as well and it will be in X509 certificate. It is used for verify sign.

5. I don't know how to get SMEK and what it exact means. Is it the same with AES-256 key?

Regards,

Wei

7 months ago

0 Prashant Shivhare 7 months ago

TI__Guru 73081 points

Hello,

Please see if the following guide clarifies the doubts:

https://software-dl.ti.com/tisci/esd/latest/6_topic_user_guides/key_writer.html

Thanks!

0 wei ye 7 months ago in reply to Prashant Shivhare

Intellectual 410 points

Hi,

I still didn't find the information I need.

SMEK looks like an encrypted key but what is the original key and how to generate SMEK?

Customer generated AES key, RSA public key, RSA private key. Why still need SMEK?

Regards,

Wei

0 Prashant Shivhare 7 months ago in reply to wei ye

TI__Guru 73081 points

Hello,

wei ye said:
SMEK looks like an encrypted key but what is the original key and how to generate SMEK?

The SMEK is supposed to be a AES256 encryption key. It is the user's responsibility to generate all the keys as per their requirements.

For ease of use, the keywriter script supports generating all the keys as shown below:

❯ ./gen_keywr_cert.sh -g
# Generating random keys in keys/folder
❯ ls keys
aes256.key  bmek.key  bmpk.pem  smek.key  smpk.pem

Regards,

Prashant

0 wei ye 7 months ago in reply to Prashant Shivhare

Intellectual 410 points

Hi Prashant,

Thanks for you explanation.

SMEK seems to be very important as it will be flashed into the OTP fuses along with SMPKH.

None of the flow diagrams in different TI documents describe the usage of this key.

Now I know how to get the SMEK, but I still don’t know what this key does.

Regards,

Wei

+1 Prashant Shivhare 7 months ago in reply to wei ye

TI__Guru 73081 points

Hello,

The SMEK is an encryption and is only needed if you require encrypted boot support.

The usage are described in the following docs:

https://software-dl.ti.com/tisci/esd/latest/6_topic_user_guides/authentication.html#authentication-sequence

https://software-dl.ti.com/tisci/esd/latest/6_topic_user_guides/secure_boot_signing.html#signing-an-encrypted-binary-for-secure-boot

The different key usage are described in the section "8.1 Booting Keys in EFUSE ROM" of the Security TRM as well.

Regards,

Prashant

Processors

Processors forum

AM6412: Different key terminology in secure boot process.