PROCESSOR-SDK-DRA7X: Protect IP of an algorithm on DRA7xx

Hatem,

It sounds like you are not in control of the HW system that this code will be running on. The only way to provide reasonable assurance of your algorithm being kept confidential (which is what I presume you mean when you say protected) is if the DRA7xx device in question is a secure variant with JTAG locked down, the code content is encrypted while at rest in external flash, and internal memory firewalls are used to prevent other processors from accessing the memory the code will be in while it is running (and therefore has been decrypted).

Without a secure DRA7xx device, it doesn't matter what protections the external flash offers, the code will be vulnerable to capture at some point in the device execution. Even if you use chip or SW features to try and obfuscate the code/data, the entire software chain is open to manipulation on non-secure devices such that any countermeasures in use could be circumvented by changing and manipulating the underlying firmware/SW. 

Ultimately, the level of effort you expend to protect your asset depends on numerous factors, including understanding the value of what you are trying to protect, an understanding of who you are protecting it from, and and understanding of possible attack channels.

Regards,

Daniel

Hatem said:

Is the " DRA7xx  with  secure  variant and  JTAG locked down" pin compatible with the normal DRA7xx device ?

Yes.

Hatem said:

What are the hardware and software implications by replacing a normal DRA7xx device with secure variant ?

Please explain .

There are some potential SW implications depending on how you are currently using the device and what security features you might wish to leverage. But for the most part, especially if you are only interested in secure authenticated boot and the JTAG/debug lockdown, the SW execution can remain the same.

Hatem said:

Do you have a PDF specs for the DRA7xx secure variant with JTAG locked down ?

There is additional collateral (documentation, tools, etc) for High Security (HS) parts. You should reach out to your local TI sales and/or support team if you are interested in learning more.

Regards,

Daniel

Hatem said:

Since the two variant of the DRA7xx are pin compatible, swapping the two devices will not compromise the IP in the encrypted code which resides in the Flash. Because I believe the key for decryption is stored in the secure device safely and is unique to the device and can not be hacked ?

Am I correct ?

Also when you say the flash, do you mean the SD card or you refer to another Flash memory chip soldiered to the board.?

When I say flash, I mean any non-volatile external memory that stores the code/data/firmware that your system will boot and run when it starts up. If you have some kind of flash memory device with its own internal encryption or protected memory regions, that is good. It could prevent someone from extracting the content at rest and accessing that protected content.

However, the previous point still stands that the content could be extracted from a running system, so protections within the device that this code executes on offer much greater protection. But the level of protection desired has to be balanced with the value of the thing you are trying to protect and the extra complexity or work required to implement those protections.

Regards, Daniel