LAUNCHCC3220MODASF: OTP vendor certificate switch back

Part Number: LAUNCHCC3220MODASF

Hello all,

to prevent any misunderstanding on my side I want to ask about the use of the OTP block for a customer root CA certificate.
The documentation swru547.pdf names this mode Customized Authentication Flow and states in section 6 OTP Overview:


The OTP block contains the root-of-trust of the system and is a fundamental block for the vendor
certificate catalog. This block binds the hardware to a specific vendor by allowing a specific hardware to
load only applications that are signed by this specific vendor.

I created my own customer root certificate, flashed it into the OTP using UniFlash and made some OTA update tests.
All the tests were running fine.
As expected, I was not able to switch back to the default TI trusted root CA catalog by OTA.

Is that correct, or did I miss a possible way to switch back from customized certificates by OTA?

I thought the word "bind" in the sentence shown above means that this hardware only works with images where the MCU file is signed with the customer certificate(s).
I was surprised that it is still possible to use UniFlash to flash projects using the TI trusted root CA catalog or projects using the TI playground certificates.

Is what I found out right?
Is it possible to flash non-vendor customized projects/images on a module that contains a vendor customized OTP block by a serial connection?

All tests were done with UniFlash 6.1, image mode *Production*.
As expected, I was not able to flash a second different OTP block.

Best regards and many thanks,
Roman

  • Hi,

    The OTP allows you to have a separate path where you can have your own certificate store, but the regular TI path is still there since the Servicepack is still signed by TI and required to be authenticated against the TI root-of-trust. If I am not mistaken, it is still possible to use Uniflash and go back to the TI store if you uncheck the "Use Vendor Specific Catalog". The OTP would remain programmed, of course, but it wouldn't be used.

    Regards,

    Shlomi

  • Hello Shlomi,

    many thanks for your answer.

    >> If I am not mistaken, it is still possible to use Uniflash and go back to TI store if you uncheck the "Use Vendor Specific Catalog".

    ;)

    This matches what my tests have shown.

    @TI: It would be great if such things were described in more detail in the documentation.

    Best regards,
    Roman