• State
  • Replies 3 replies
  • Subscribers 99 subscribers
  • Views 63 views
  • Users 0 members are here
Support feedback
Options
Options
Related

AM625: PKI chain in secure boot?

Henri Sundelin
Prodigy 10 points
Part Number: AM625

Tool/software:

I'm developing a new PKi-based service for Sitara secure boot. This would include everything from initial SBL, u-boot and yocto.

I noticed in the restricted documentation that it mentions PKI, but in diagrams its says that it simply compares the firmware public key to one in eFuse. That is clearly not PKI!

In PKI there is a root of trust, and that should have nothing direct to do with used boot keys.

So is the boot PKI or not? Is there a way to evaluate the chain of trust in SBL, or is this just using X.509 format for "wannabe PKI"?

The use case would be that we'd want to burn a Root CA certificate to eFuse, and use a software signing certificate, signed by an intermediate CA to issue the keys for each firmware release. 

I'm sure we can sort it from u-boot forwards, but that leaves the SBL open. -> Boot is not that secure.

Best,

//HS

  • 0
    TI__Guru 71551 points

    Hello,

    Henri Sundelin said:
    In PKI there is a root of trust, and that should have nothing direct to do with used boot keys.

    The root of trust here is established from the fact that the keys once programmed in the efuses cannot be altered and the keys must have been programmed in a secure environment.

    Regards,

    Prashant

  • 0 in reply to Prashant Shivhare
    Prodigy 10 points

    So if I understand it correctly there are no support for PKI.

    OK, that can be managed, we'll put the security to u-boot. For that I'd need to know the actual size of the eFuse flash, and whether there is free space. If not we'd have to use the backup key area. I'd like to store the actual full root certificate in eFuse area. It would be pretty small since we can use compressed ECC key. We are happy to sacrifice the backup key functionality, but we'd need as many bytes in the eFuse OTP as possible. If its fragmented we can manage that.

    I'm also hoping to get support on how to use keywriter to actually write the certificate to eFuses.

    I'm well aware this is not something that has been done before - that is the whole point of this exercise.

  • 0 in reply to Henri Sundelin
    Prodigy 10 points

    Also is there a memory map of the eFuse area? I cannot find anything.