This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

AM4372: Secure Storage feature support

Part Number: AM4372

Tool/software:

Hi AM437x and AM62x Champ !

My customer is investigation about security features on top of AM437x-HS and AM62x' security devices.

The followings are my initial research for both of them.

Please check and recommend of Secure Storage feature implementation.

Small blue diamond Secure Storage on TI Sitara AM437x

1. Security Capabilities

  • AM437x supports limited security features, and only some variants are available as High Security (HS) devices.

  • However, OP-TEE or TrustZone-based Secure Storage is not supported on AM437x.

  • Therefore, secure storage solutions typically rely on external hardware or software encryption.

2. Using External TPM (Trusted Platform Module)

  • You can integrate an external TPM 2.0 chip via I2C or SPI.

  • Use tpm2-tools, tpm2-tss, and related software to store encryption keys, certificates, etc., securely.

  • Linux applications can interact with TPM for secure key operations.

3. Encrypted File Systems

  • You can encrypt specific partitions using dm-crypt + LUKS or fscrypt.

  • Example: Store sensitive config or key files in an encrypted volume (e.g., /etc/secure_data).


Large blue diamond Secure Storage on TI AM62x

The AM62x is a newer Sitara platform and includes modern security capabilities:

1. High-Security (HS) Device Support

  • The AM62x supports secure boot, key storage, and access control using TI’s High Security (HS) variant.

  • Secure keys can be burned into One-Time Programmable (OTP) fuses.

2. OP-TEE and TIFS (TI Foundational Security)

  • AM62x supports TrustZone and comes with OP-TEE, a Trusted Execution Environment (TEE).

  • TI’s Linux SDK includes OP-TEE integrated with Secure Storage support.

  • Applications running in the TEE (Trusted Applications) can securely store keys and credentials.

Package OP-TEE Secure Storage Example:

  • Use TEE_CreatePersistentObject() from OP-TEE APIs.

  • Data is stored in an encrypted format in a secure file system (usually /data/tee).

  • Only Trusted Applications can access this storage, not regular Linux users.

3. RPMB (Replay Protected Memory Block) Support

  • AM62x can use the RPMB partition of eMMC to store data securely.

  • OP-TEE can integrate with RPMB for tamper-resistant secure storage.


Mag Summary Comparison: AM437x vs AM62x

Feature AM437x AM62x
Secure Boot Limited (HS only) Fully supported
TEE / OP-TEE Not supported Fully supported
Secure Storage Via TPM or Encrypted FS OP-TEE Secure Storage + RPMB
External TPM support Yes Yes (optional)
RPMB support No Yes
TI Secure Tools Limited Includes TIFS, Keywriter, etc.

White check mark Recommended Approaches

For AM437x:

  • Use external TPM 2.0 for secure key storage.

  • Protect sensitive files with dm-crypt or fscrypt.

  • Consider software encryption (e.g., OpenSSL AES) inside your application.

For AM62x:

  • Use OP-TEE Secure Storage APIs for key/certificate management.

  • Store secrets in RPMB if available.

  • Use TI Secure Boot and Keywriter tools to manage device provisioning securely.

Thanks.

Regards, Jack