AM623: Cybersecurity Inquiries for AM623x: authenticating ROOTFS, key management, uboot FitImage error

Part Number: AM623

Team,

Some cybersecurity inquiries from our customer with my first-pass at answers (please review and also comment on the last #3 question please):

 

1. How to authenticate ROOTFS before mounting it by kernel? What is TI’s recommendation?

 Use NFS to mount the root filesystem. The boot loader will tell the kernel where to look for the root filesystem [1].

  1. SK-AM62A-LP: How to set U-Boot environment values to mount NFS on AM62A custom board - Processors forum - Processors - TI E2E support forums
  2. Getting Started with U Boot on Arm

 2. How are certs and keys managed? Currently I see they are part of the U-Boot source, i.e. the u-boot/board/ti/keys directory.

 The management of cryptographic keys and certificates on the AM62x system [1][2][3][4][5] involves high-security field-securable (HS-FS) silicon, asymmetric cryptography, and custom keys [1][2][3][4]. The system uses a combination of public and private keys for secure boot and protection of ROM code and security peripherals [2][4].

 Foundational security enablers | Video | TI.com

Introduction to Secure Boot | Video | TI.com

(There are more videos in planning)

 Trainings for AM62x:

Device Identity and Keys

Security overview:  Security

 

3. I am getting the below error while U-Boot is authenticating the fitImage. I verified the U-Boot dtb has a signature node and have gone through many E2E threads, but found no solution.

 This is the one I’d like to lean on our experts for …. Stay tuned for more…

 Also, do you already have the AM62X Security documentation (I think you do)?

ti.com/secureresources/AM62X-RESTRICTED-SECURITY?

 

TY,

CY

  • Prashant and Team,

    To summarize further: the questions are specifically focused on secure boot, particularly how the root filesystem is authenticated and how it fits into the chain of trust in the secure boot process.

    1. How to authenticate ROOTFS before mounting it by kernel? What is TI’s recommendation?

    2. How are certs and keys managed? Currently I see they are part of the U-Boot source, i.e. the u-boot/board/ti/keys directory.

    3. I am getting the below error while U-Boot is authenticating the fitImage. I verified the U-Boot dtb has a signature node and have gone through many E2E threads, but found no solution.

       ## Loading kernel from FIT Image at 82000000 ...
       Using 'conf-ti_k3-am625-xxx_xxxx.dtb' configuration
       Verifying Hash Integrity ... fit_config_verify_required_keys: No signature node found: FDT_ERR_NOTFOUND
       Bad Data Hash
       ERROR: can't get kernel image!

    Your comments indeed welcomed and appreciated!

    TY,

    CY

  • Hello,

    1. How to authenticate ROOTFS before mounting it by kernel? What is TI’s recommendation?

    I think this is not officially supported as of now.

    This seems to be supported in the latest SDK:

    software-dl.ti.com/.../Auth_boot.html

    2. How are certs and keys managed? Currently I see they are part of the U-Boot source, i.e. the u-boot/board/ti/keys directory.

    It is the user's responsibility to manage the keys. The default architecture assumes the keys are present in the local filesystem. In case of a custom architecture like an HSM server managing the keys, the signing procedure would have to be accordingly modified in the U-Boot source code.

    I am getting the below error while U-Boot is authenticating the fitImage. I verified the U-Boot dtb has a signature node and have gone through many E2E threads, but found no solution.

    Please see the following related thread:

    PROCESSOR-SDK-AM62X: [AM6231] [secure boot] [HS-SE] Verifying Hash Integrity ... fit_config_verify_required_keys: No signature node found: FDTD Bad Data Hash - Processors forum - Processors - TI E2E support forums

    It should mostly be a problem with the A53 U-Boot image. Please note the U-Boot needs to be rebuilt after creating the fitImage.

    In case of doubts, please share the full logs.

    Regards,

    Prashant
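The error in question 3 concerns the `/signature` node that U-Boot expects in its own control device tree. As an added example (not code from this thread or from TI's SDK), the parser below walks a DTB and lists the key nodes under `/signature` with their `required` property, assuming the upstream U-Boot verified-boot layout; `signature_keys`, `sample_dtb` and the `key-dev` node name are made up for illustration.

```python
import struct

FDT_MAGIC = 0xD00DFEED
BEGIN_NODE, END_NODE, PROP, NOP, END = 1, 2, 3, 4, 9  # FDT structure-block tokens

def _pad(n):
    return (n + 3) & ~3  # tokens and payloads are 4-byte aligned

def signature_keys(dtb):
    """Map each /signature key node to its 'required' value; None if /signature is absent."""
    magic, _total, off_struct, off_strings = struct.unpack_from(">4I", dtb, 0)
    if magic != FDT_MAGIC:
        raise ValueError("not a flattened device tree blob")
    pos, path, keys = off_struct, [], None
    while True:
        (tok,) = struct.unpack_from(">I", dtb, pos)
        pos += 4
        if tok == BEGIN_NODE:
            end = dtb.index(b"\0", pos)
            path.append(dtb[pos:end].decode())
            pos = _pad(end + 1)
            if path == ["", "signature"]:
                keys = {}
            elif len(path) == 3 and path[1] == "signature":
                keys[path[2]] = None  # key node seen, 'required' not (yet) found
        elif tok == END_NODE:
            path.pop()
        elif tok == PROP:
            length, nameoff = struct.unpack_from(">2I", dtb, pos)
            start = off_strings + nameoff
            name = dtb[start:dtb.index(b"\0", start)].decode()
            if name == "required" and len(path) == 3 and path[1] == "signature":
                keys[path[2]] = dtb[pos + 8:pos + 8 + length].rstrip(b"\0").decode()
            pos = _pad(pos + 8 + length)
        elif tok == END:
            return keys
        elif tok != NOP:
            raise ValueError(f"unexpected FDT token {tok:#x}")

def sample_dtb(with_key):
    """Constructed input: / { signature { key-dev { required = "conf"; }; }; } or empty root."""
    def begin(name):
        raw = name.encode() + b"\0"
        return struct.pack(">I", BEGIN_NODE) + raw.ljust(_pad(len(raw)), b"\0")
    end = struct.pack(">I", END_NODE)
    prop = struct.pack(">3I", PROP, 5, 0) + b"conf".ljust(8, b"\0")  # name offset 0 = "required"
    inner = begin("signature") + begin("key-dev") + prop + end + end if with_key else b""
    body = begin("") + inner + end + struct.pack(">I", END)
    header = struct.pack(">10I", FDT_MAGIC, 65 + len(body), 56, 56 + len(body), 40, 17, 16, 0, 9, len(body))
    return header + bytes(16) + body + b"required\0"
```

To use it on a build, pass the bytes of the control DTB that is actually packaged into the A53 U-Boot image to `signature_keys()`. A result of `None` means that DTB carries no `/signature` node at all, which points to a U-Boot image that was not rebuilt after the fitImage was signed.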

  • Does this mean TI does not plan to add proper HSM support for keys themselves? This seems like a critical missing feature to me, and I would hope TI can add the proper support themselves, as this is becoming more and more of a requirement, and I'm sure this is the case for many others as well.