PROCESSOR-SDK-AM64X: Keyring Support

Part Number: PROCESSOR-SDK-AM64X
Other Parts Discussed in Thread: AM62P

Hi Team

I recently learned that keyring support was added to the AM64xx family of SoCs. For that reason I checked if keyring support could provide a mechanism to replace the SMPK root key in situations where the SMPK must be revoked due to an incident.

Based on this description https://software-dl.ti.com/tisci/esd/latest/6_topic_user_guides/keyring.html#keyring-import I found that keyring import requires an X.509 certificate signed with the SMPK (or possibly BMPK). Therefore I conclude that a key in the keyring cannot be used if the SMPK must be reverted. Can you confirm this?

The only possibility to revert SMPK is to switch to BMPK, correct?

Please note root key integrity is one of our biggest security concerns regarding the AM64x family. SMPK and BMPK must be commissioned at the same time. We must burn the BMPK, which we do not need yet but might need in the future. If, however, the SMPK (RSA4k) becomes vulnerable (we have 20 years of lifetime), then the BMPK does not help much because the same algorithm is used. If our SMPK is disclosed, then the BMPK is most probably disclosed also unless we store the BMPK physically and logically separated from the SMPK (which is not really feasible).

Did TI ever consider supporting additive commissioning? This would allow us to add a BMPK when we really need it.

Was key revocation ever a considered use case which led to the introduction of a BMPK? I suspect that key revocation is a misuse of what the BMPK was originally intended for.

To my knowledge, ECDSA support was once on the roadmap. What is the status of ECDSA support?

Regards

Walter

  • Hello,

    I found that keyring import requires an X.509 certificate signed with the SMPK (or possibly BMPK)

    This is required to extend the RoT to the keys in the keyring certificate through SMPK or BMPK (whichever is active).

    Therefore I conclude that a key in the keyring cannot be used if the SMPK must be reverted. Can you confirm this?

    The keyring certificate is part of the customer software itself and comes into existence only in the context of SYSFW. The ROM still relies on the SMPK or BMPK for the RoT. The only way to revoke SMPK is to switch the RoT to BMPK.

    Did TI ever consider supporting additive commissioning? This would allow us to add a BMPK when we really need it.

    It is not supported. However, I do have one doubt here. How would you program the BMPK in the field devices with compromised SMPK? There would be no RoT anymore for the SYSFW to confirm if the BMPK is really coming from you.

    To my knowledge, ECDSA support was once on the roadmap. What is the status of ECDSA support?

    It is not confirmed yet. The feature needs evaluation which would happen after the support has been added for AM62P devices.

    Regards,

    Prashant