Tool/software:
Hi AM437x and AM62x Champ !
My customer is investigation about security features on top of AM437x-HS and AM62x' security devices.
The followings are my initial research for both of them.
Please check and recommend of Secure Storage feature implementation.
Secure Storage on TI Sitara AM437x
1. Security Capabilities
-
AM437x supports limited security features, and only some variants are available as High Security (HS) devices.
-
However, OP-TEE or TrustZone-based Secure Storage is not supported on AM437x.
-
Therefore, secure storage solutions typically rely on external hardware or software encryption.
2. Using External TPM (Trusted Platform Module)
-
You can integrate an external TPM 2.0 chip via I2C or SPI.
-
Use
tpm2-tools
,tpm2-tss
, and related software to store encryption keys, certificates, etc., securely. -
Linux applications can interact with TPM for secure key operations.
3. Encrypted File Systems
-
You can encrypt specific partitions using
dm-crypt
+LUKS
orfscrypt
. -
Example: Store sensitive config or key files in an encrypted volume (e.g.,
/etc/secure_data
).
Secure Storage on TI AM62x
The AM62x is a newer Sitara platform and includes modern security capabilities:
1. High-Security (HS) Device Support
-
The AM62x supports secure boot, key storage, and access control using TI’s High Security (HS) variant.
-
Secure keys can be burned into One-Time Programmable (OTP) fuses.
2. OP-TEE and TIFS (TI Foundational Security)
-
AM62x supports TrustZone and comes with OP-TEE, a Trusted Execution Environment (TEE).
-
TI’s Linux SDK includes OP-TEE integrated with Secure Storage support.
-
Applications running in the TEE (Trusted Applications) can securely store keys and credentials.
OP-TEE Secure Storage Example:
-
Use
TEE_CreatePersistentObject()
from OP-TEE APIs. -
Data is stored in an encrypted format in a secure file system (usually
/data/tee
). -
Only Trusted Applications can access this storage, not regular Linux users.
3. RPMB (Replay Protected Memory Block) Support
-
AM62x can use the RPMB partition of eMMC to store data securely.
-
OP-TEE can integrate with RPMB for tamper-resistant secure storage.
Summary Comparison: AM437x vs AM62x
Feature | AM437x | AM62x |
---|---|---|
Secure Boot | Limited (HS only) | Fully supported |
TEE / OP-TEE | Not supported | Fully supported |
Secure Storage | Via TPM or Encrypted FS | OP-TEE Secure Storage + RPMB |
External TPM support | Yes | Yes (optional) |
RPMB support | No | Yes |
TI Secure Tools | Limited | Includes TIFS, Keywriter, etc. |
Recommended Approaches
For AM437x:
-
Use external TPM 2.0 for secure key storage.
-
Protect sensitive files with dm-crypt or fscrypt.
-
Consider software encryption (e.g., OpenSSL AES) inside your application.
For AM62x:
-
Use OP-TEE Secure Storage APIs for key/certificate management.
-
Store secrets in RPMB if available.
-
Use TI Secure Boot and Keywriter tools to manage device provisioning securely.
Thanks.
Regards, Jack