AM623: Derived Key Encryption Key in U-Boot

TimL

Part Number: AM623

Tool/software:

Hello,

we are using a HS-FS variant of the AM6234 CPU and want to use the Derived Key Encryption Key (DKEK) in U-Boot for Encyption. We tried to get the DKEK using TISCI_MSG_CRYPTO_GET_DKEK function from the
https://software-dl.ti.com/tisci/esd/latest/2_tisci_msgs/security/dkek_management.html DKEK Management documentation but we always are getting a NACK (Not Acknowledged) back.

We did not use the keywriter to write the required keys into the AM62 CPU. Since the documentation states the message type is "Secure Queue Only", we think we need to wirte the keys first before we are able to use the DKEK functions.

Can you please confirm our assumption that the keys must first be written to the AM62 HS-FS CPU using the keywriter before the DKEK management functions can be used?

Thank you and regards

Tim

1 day ago

0 Prashant Shivhare 1 day ago

TI__Guru 69891 points

Hello,

TimL said:
Since the documentation states the message type is "Secure Queue Only", we think we need to wirte the keys first before we are able to use the DKEK functions.

The "Secure Queue Only" dictates whether the particular can be sent only on Secure Queues. This is YES for DKEK messages meaning these can only be sent on secure threads which are tied to secure host ids.

The U-Boot is a non-secure host so it cannot request any DKEK messages. The ATF/OPTEE are Secure Hosts so you may request the same from there.

https://github.com/OP-TEE/optee_os/blob/master/core/arch/arm/plat-k3/drivers/ti_sci.c#L308-L308

Regards,

Prashant

Processors

Processors forum

AM623: Derived Key Encryption Key in U-Boot