This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

DRA821U: Security documentation for DRA821

Part Number: DRA821U
Other Parts Discussed in Thread: DRA821

Is there any guidance / docuementation about general secure boot implementation of secure boot and chain of trust on this SoC? E.g. what OTP to burn, how to calculate their values and so on, how the secure boot on this board works in general.

 

 Will be grateful for any suggestion.

  • Hi P B,

    Is there any guidance / docuementation about general secure boot implementation of secure boot and chain of trust on this SoC?

    Are you looking for documentation from h/w perspective or from s/w perspective?

    The TI SDKs do support a KeyWriter application that is used on a HS-FS device to convert into a HS-SE device. The SDK does support signing of images and boot support for HS-SE devices for development purposes, but the images typically would have to be signed using your HSM Server for production purposes.

    regards

    Suman

  • Hi, from SW. In general a comprehensive guide on how make a device secure and how to boot all the firmware components securely. What are the OTPs that needs to be fused, how many keys can be used to sign and verify the fw, how to revoke keys and so on. 

    E.g. on other platform I could check in manual that for example - the OTPx stores the hash of all public keys used for verification. 

    Then the OTPy stores e.g. OTPMK (master key). 

    Something like this - so that before I use any tools I will know what I'm doing.

  • Hi P B,

    In general a comprehensive guide on how make a device secure and how to boot all the firmware components securely.

    There is a not a single comprehensive guide, the documents are spread depending on the bootloader you are using.

    What bootloader and OS will you be using? I can give additional information based on your bootloader here. 

    The typical expectation is that you sign every image starting from bootloaders to your firmware images to maintain the Root-of-Trust chain of the s/w you are running.

    In anycase, I would recommend you to start with the Jacinto7 HS Device Development and Jacinto7 HS Device Flashing Solution Application Notes.

    What are the OTPs that needs to be fused, how many keys can be used to sign and verify the fw, how to revoke keys and so on.

    You would need to efuse atleast an SMPK, SMEK and a KEYREV and KEYCNT efuses at a minimum to convert the device from HS-FS to HS-SE.

    The KeyWriter pieces of the documentation are explained in 5.17. OTP KEYWRITER and the Key Writer sections.

    regards

    Suman

  • I've been using u-boot and Linux. In general I understand what conceptually needs to be done as I've already done it on other SoC from other vendor but I would like to understand how it works on DRA821. E.g. you mentioned SMPK, SMKEK, KEYREV, KEYCNT - these mean nothing to me as they are your specific names, I can only suspect what they mean - so where can I find the details about them and other relevant things that are crucial for securing devices? If the information is spread across multiple documentation - can you please provide with some links that are must read in the context of making a device secure? 

  • Hi P B,

    I've been using u-boot and Linux.

    These are open-source projects, and have extensive documentation of their own.

    so where can I find the details about them and other relevant things that are crucial for securing devices?

    Please see the Boot Flow OverviewJ7200 Platforms and Secure Boot sections of the U-Boot documentation for details around booting DRA821 and Secure-Boot in general for the TI K3 family of SoCs.

    The TI SDKs for the J7200 EVMs do support Secure Boot using TI Dummy Keys, and provides a ready-made build support for HS devices. Please see the 1.1.7. Simplified SDK Build Using Top-Level Makefile section for details.

    These are development references, but your product deployment and signing will depend on the signing of images with your HSM Server. The SDK 

    can you please provide with some links that are must read in the context of making a device secure? 

    You appear to be starting out with TI devices. The Security Training materials are all NDA materials, I recommend you to contact your TI Sales/Marketing team for links to your Secure Resources which has the introductory slides and information you are looking for Secure Boot.

    regards

    Suman