Secure Boot with Asymmetric Encrypted Signature - OMAP-L138

Other Parts Discussed in Thread: OMAP-L138, AES-128, OMAPL138, 66AK2E05, 66AK2G02

We are planning to use OMAP-L138 for a third-party certified product. To meet certification requirements, we need to ensure a secured boot solution with asymmetric encrypted signature.

A symmetric key policy (AES-128) is not suitable for us, because the certification office signs the developed firmware with their private key and provides us only the public key to ensure the secure boot of the certified devices.

I noted that there is an RSA option in the INI configuration file for the SecureHexAIS tool, as below. However, it is not present in the processor documentation (TMS320C674x/OMAP-L1x Processor Security - User's Guide).

; Binary file containing RSA key info (public and private) for custom secure device
; Can be in PEM/DER format (OpenSSL), or XML format (Mono or .Net Framework)  
rsaKeyFileName=The filename (relative to path program executes from) to the private RSA key needed to generate the load module signature (only applies to CUSTOM secure devices).

Is it possible to use an RSA asymmetric key to sign OMAP-L1x images?
How could we use an asymmetric key policy to sign images and secure boot the OMAP-L1x?

  • Checking with internal team on your post.
    He will reply soon to your post.
    Thanks for your patience.
  • Paulo,

    The asymmetric key signing is not supported on Basic secure OMAPL138 parts. We had this option, built into the bootROM and associated utilities as there were plans to support creating custom secure parts with symmetric and asymmetric keys burned into the parts as part of the manufacturing processes similar to some of the other OMAP parts.

    This option was descoped on Basic OMAPL138 secure parts, so unfortunately you can't use this option for the certification.

    Regards,
    Rahul
  • Rahul, thank you for the information.

    Does the C674x family have asymmetric key signing on secure boot?

    Which TI DSP family has asymmetric key signing on secure boot?


    Regards,

    Paulo

  • Paulo,

    C674x DSP is a subset of the OMAPL138 device family and supports the same features as OMAPL138.

    For asymmetric key signing, you can look at AM437x (ARM only device), 66AK2E05 (4 A15 + DSP device).

    We are also planning to enable security with asymmetric key signing on other devices like AM335x and 66AK2G02 etc., so let us know if any of these devices suit your application requirements.

    Regards,
    Rahul
  • Dear Rahul,

    There is no AM437xHS (High-Security version) to purchase on TI or distributors' sites. How could the HS version of the AM437x processor be purchased?

    Best regards,

    Paulo