AM623: Secure Boot Flow, KEY security, BMPK strategy

Chris Yorkey

Genius 15925 points

Part Number: AM623

Tool/software:

Team,

Our customer has a few security queries we'd like further input on if we may please:

We have a few queries regarding secure boot and key management on TI AM62XX.

In the secure boot flow, is it possible to update KEY_REV=2 to switch from S-keys to the B-set keys from the A53 user space?
We understand, we can load M4 firmware using remoteproc, but is it feasible to load an M4 image that includes the OTP key writer to update the KEY_REV in the eFuses?

What is TI’s recommended approach to update the KEY_REV securely for field-deployed devices without requiring manual intervention (e.g., JTAG or physical access)?
We are looking for a secure, automated method to manage key transitions in production environments while maintaining the integrity of the secure boot process.

If the BMPK is compromised what is the recommended mitigation strategy?
Does TI provide a fallback or recovery mechanism in such scenarios, and how can we ensure continued secure boot validation in the field?

We would appreciate your inputs on this at the earliest, as we are currently evaluating our secure boot strategy for production.

TY,
CY

2 months ago

0 Mukul Bhatnagar 2 months ago

TI__Guru* 84035 points

I have assigned this post, but responses may come in early next week, as few folks our out of office tomorrow.

Has the customer been given access to AM62x security collateral under NDA?

0 Chris Yorkey 2 months ago in reply to Mukul Bhatnagar

TI__Genius 15925 points

Hi Mukul,

Thank you! That's fine. I do believe they already have access to:

ti.com/secureresources/AM62X-RESTRICTED-SECURITY?

I will double-check with this particular engineer/team however.

Regards,

Chris

0 Chris Yorkey 2 months ago in reply to Chris Yorkey

TI__Genius 15925 points

Hi Mukul,

I've confirmed the customer, and this engineer in particular, has access to the RESTRICTED SECURITY docs for AM62X.

Appreciate your support in helping to achieve initial responses to these questions.

TY,

Chris

0 Hong Guan64 2 months ago in reply to Chris Yorkey

TI__Guru 69070 points

Hi Chris,
Please refer to the FAQs on the topic.
[FAQ] SYSFW API on key revoke in OPTEE on AM62x
[FAQ] AM6442/AM243: How to use the TISCI APIs (READ_KEYCNT_KEYREV & WRITE_KEYREV) to activate the backup key set

This is an early e2e
RE: AM623: Does AM62x support revocable Root of Trust (RoT) or Certificate Authority keys

Best,
-Hong

0 Chris Yorkey 2 months ago in reply to Hong Guan64

TI__Genius 15925 points

Hello Hong,

Customer appreciates the previous answers/collateral and has several follow up questions:

How do I create and deploy a Trusted Application (TA) in this setup?

Is there any reference or sample TA source code available that demonstrates invoking the ti_sci_set_keyrev() functionality?

The patch 0001-add-optee-TISCI-key-revoke-test-code.patch appears fine, but how exactly does the TA call the ti_sci_set_keyrev() function, considering this function is part of OP-TEE and the TA is a separate binary?

How does OP-TEE verify and trust the TA and What is the process for signing the TA? Are there specific tools or certificates required?

Is the dual-signed certificate part of the TA, or does it belong to the OP-TEE?

Is there any recommendation from TI for complete flow to update key_rev = 2 from A53 userspace and load newly signed binaries remotely.

I could probably answer some of these right now, but probably without the level of detail needed. For instance, the TI (TIFS) and OP_TEE (for questions 1, 2, 5) however your insight is appreciated.

TY,

0 Hong Guan64 1 month ago in reply to Chris Yorkey

TI__Guru 69070 points

Hi Chris,
I'd recommend to refer to the OPTEE online user guide.
https://optee.readthedocs.io/en/latest/architecture/index.html
The FAQ is essentially the optee core driver code.
The user will need to implement additionally 1/. TA/PTA, and 2/. user land code.
- TA/PTA
https://optee.readthedocs.io/en/latest/architecture/trusted_applications.html#pseudo-trusted-applications
- User land code (optee example)
https://optee.readthedocs.io/en/latest/building/gits/optee_examples/optee_examples.html
Best,
-Hong

Processors

Processors forum

AM623: Secure Boot Flow, KEY security, BMPK strategy