PROCESSOR-SDK-AM62X: AM62x – Secure Boot: Signed-only → Signed+Encrypted Migration

Jakob Hilmer

Prodigy 51 points

Part Number: PROCESSOR-SDK-AM62X

Tool/software:

Hi,

For AM62x secure boot setup:

I will burn smpk (Secure Master Public Key) into OTP.
I also plan to burn an AES-256 key into OTP at the same time.

Questions:

Can I start by deploying signed-only images (no encryption flag in certificate)?
Later, can I switch to signed+encrypted images without any further OTP programming?
Is my understanding correct that:
- smpk only fused → signed boot only (HS-FS).
- smpk + AES key fused → BootROM can accept both signed-only or signed+encrypted images depending on cert?
Does SDK support generating encrypted images?

Just want confirmation that provisioning the AES key upfront allows migration from signed-only to signed+encrypted by updating images/certs only.

Thanks.

25 days ago

+1 Hong Guan64 25 days ago

TI__Guru 68430 points

Hi Jakob,
It is highly recommended to program the user SMPK(sign) + SMEK (decryption) to OTP efuse at the same time. Once SMPK+SMEK are programmed to convert the device state from HS-FS to HS-SE, secure boot is enforced, where both image options is supported by boot ROM to verify or verify/decrypt the first stage bootloader.
- signed only image
- signed + encrypted image

Both image options is supported in AM62x MCU+SDK,
https://software-dl.ti.com/mcu-plus-sdk/esd/AM62X/11_01_00_16/exports/docs/api_guide_am62x/SECURE_BOOT.html
and signed only image option is supported in AM62x Linux SDK.
https://software-dl.ti.com/processor-sdk-linux/esd/AM62X/11_01_05_03/exports/docs/linux/Foundational_Components_Migration_Guide.html

Best,
-Hong

Processors

Processors forum

PROCESSOR-SDK-AM62X: AM62x – Secure Boot: Signed-only → Signed+Encrypted Migration