Other Parts Discussed in Thread: AM62P
Tool/software:
Dear Team,
I am working on implementing secure boot for a FreeRTOS application on the AM62P HS-FS platform. Could you provide detailed guidance on the following:
- Signing a FreeRTOS Image:
- What is the recommended process for signing a FreeRTOS binary image for secure boot on the AM62P HS-FS? Are there specific tools or scripts in the Processor SDK (e.g., for generating ECDSA or RSA signatures) to create a signed image compatible with the boot ROM?
- Does the AM62P require a specific image format (e.g., FIT image, appended certificate, or header) for secure boot?
- Signature Verification:
- How does the AM62P HS-FS boot ROM or bootloader verify the signature of a FreeRTOS image during secure boot? What cryptographic algorithms (e.g., ECDSA NIST P-256, RSA-2048) are supported?
- Are there specific APIs or libraries (e.g., in the Processor SDK) for integrating signature verification with the HSM or bootloader?
- HSM Key Management:
- How can I generate or import a public-private key pair into the AM62P’s HSM for secure boot? Does the HSM support PKCS#11, and are there TI-specific tools for key management?
- What is the process for preburning the public key (or its hash) into OTP fuses or storing it in the HSM for signature verification? Are there factory programming requirements for HS-FS devices?
- Can you provide an example of configuring the HSM to store and use keys for signing and verification?
- Additional Details:
- Are there specific sections in the AM62P Technical Reference Manual (TRM) or Processor SDK documentation that detail the secure boot process, HSM configuration, and OTP programming for the HS-FS variant?
- If using a custom bootloader (e.g., U-Boot), how should it be configured to interface with the HSM for FreeRTOS image verification?
How to verify the above concept with a signed and non-signed image?
Best regards,
Libin Jose
