• State Resolved
  • Locked Locked
  • Replies 17 replies
  • Answers 2 answers
  • Subscribers 42 subscribers
  • Views 725 views
  • Users 0 members are here
Support feedback
Options
Options
Similar topics

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

CC3220SF: Obtaining Certificates for production for Secure boot

sanath rai
Genius 3875 points
Part Number: CC3220SF
Other Parts Discussed in Thread: UNIFLASH, TIDC-01005

Hello,

I have been working on CC3220sf on one of my wifi application.

Till now while using uniflash i was using the “dummy-root-ca-cert" “dummy-root-ca-cert-key" “dummy-root-ca-cert “dummy-trusted-ca-cert" “dummy-trusted-ca-cert-key" for flashing my development and running my application.

Now to go for production i need to use my own certificate.

What is the procedure to obtain and create the certificate ? and which are needed certificates?

In my application for my MQTT feature i am using the secured way to connect to the AWS broker where  i am using AWS certificates.

it has a private key ,a certificate and star field class 2 certificate root CA.

Can the same root CA and private key be used?

Or on the device side for secure boot do i need my own certificate? i am confused how its done?

i have referred SimpleLink™ Wi-Fi® Certificates Handling document still i have my doubts uncleared.

Regards

Sanath Rai

  • 0
    Guru 78255 points

    Hi,

    Personally I recommend to buy this certificate. It costs $474 and you can buy only for one year (because you can sign code with expired certificate without any problem).

    Jan

  • 0 in reply to Jan D
    Genius 3875 points

    Hi Jan,

    Thanks for the Reply.

    So every CC3220SF device needs only one certificate to authenticate my application image right?

    so when i select my MCU image using Uniflash i need to attach this obtained certificate in Signature File Name:  section right?

    and why is the certificate only for one year when it can work even after expiry date ? i didn't get the point there?

    Regards

    Sanath Rai

  • 0 in reply to sanath rai
    Guru 78255 points

    Hi,

    For safe boot you need to use code signing certificate. This certificate you can buy from one of the supported CA (e.g. DigiCert). As 2nd option you can use vendor certificate. But I don't recommand to use vendor certificate, because it complicate end product manufacturing (you can't use gang programming and you need to use Uniflash only).

    Via Uniflash GUI you can insert your private key (see drop-down-box "Signature File Name") for signing your firmware binary.

    You can buy certificate for more years, but it will cost you more. And certificate for one year is enough for purpose of secured boot. ROM bootloder during boot does not test expiration of code signing certificate. Because bootlaoder don't know current date. There is no security risk of using expired code signing certificate at CC3220, until you keep your private key in secret.

    Jan

  • 0 in reply to Jan D
    Genius 3875 points

    Hi,

    Thanks for the detailed explanation.

    But My application is based on WIFI door lock reference design TIDC-01005 which has MQTT as one of the feature and we are planning AWS as the broker where we need to generate different certificates and need to dump it via Uniflash which right now i am doing for my testing.

    Now for secure boot it may be only one certificate for code signing but in MQTT  each cc3220sf device needs different certificates right?

    Regards,

    Sanath

  • 0 in reply to sanath rai
    Guru 78255 points

    Hi Sanath,

    I suppose so, but I can't confirm that because I don't use AWS.

    Jan

  • 0 in reply to Jan D
    Genius 3875 points

    Hi Jan,

    Ok.

    One last doubt about code signing certificate.

    so all the below certificates

    dummy-root-ca-cert" “dummy-root-ca-cert-key"  “dummy-trusted-ca-cert" “dummy-trusted-ca-cert-key 

    which i am using in development mode will be replaced by one code signed certificate ?

    sorry if its a silly question.I am new to this .

    regards,

    Sanath

  • 0 in reply to sanath rai
    Guru 78255 points

    Hi Sanath,

    You will need to upload all certificates from the chain (root certificate, intermediate certificate, your code signing certificate). Please see image from this my older post.

    Jan

  • 0 in reply to Jan D
    Genius 3875 points

    Hi Jan,

    Ok.Got it.

    I will look into it once we get the certificates .

    Thanks for the explanation.

    Regards,

    Sanath

  • 0 in reply to sanath rai
    Guru 78255 points

    Hi,

    Yes, you need to buy right certificate.

    • root certificate need to be in certificate catalogue (see SDK)
    • buy certificate with supported signature - PKCS#1, RSA 256 or 128 bytes, SHA_1 (the signature length is 256 or 128 bytes). Do not buy certificate with SHA-384 or SHA-512. SHA-384 or SHA-512 cannot be at certificate chain.
    • do not buy certificate with private key at USB token (private key need to be inside file)

    Jan

  • 0 in reply to Jan D
    Genius 3875 points

    Hi Jan,

    Thanks for the information.

    will the root certificate be included in the Digicert certificate chain inside filesystem we  buy?

    Regards

    Sanath

  • 0 in reply to sanath rai
    Guru 78255 points

    Hi Sanath,

    Root certificate and intermediate certificate you can download from webpages of your CA. This files you will need to upload into sFlash with exact name as is CN filed in certificate.

    After you buy certificate you will probably get *.pfx file from CA. You will need to extract your private key and certificate from this *.pfx. Certificate you will upload into sFlash (same way as root and intermediate certificate) and your private key you will use inside Uniflash to sign code binary.

    Jan

  • 0 in reply to Jan D
    Genius 3875 points

    Hi Jan,

    OK.Got it.

    We will follow the information given by you.

    Thank you

    Regards

    Sanath

  • 0 in reply to Jan D
    Genius 3875 points

    Hello Jan,

    Yesterday i forgot to mention the below point.

    Until now the method i used to program our custom board is as below

    Firstly in SOP2 mode i used to flash the MQTT certificates into the external flash.

    and then in SOP0 mode i used to debug in SWD interface using Code composer studio and flash my application code and it was working fine for me even after power on reset.

    Now i am trying to flash my application code using the dummy certificates of ti using UNIFLASH.  i am able to flash it but the code is not booting from flash.its not working.

    i don't understand what is happening?

    Regards

    Sanath

  • 0 in reply to sanath rai
    Guru 78255 points

    Hi Sanath,

    Hard to say what can be wrong...

    • Maybe your application is not properly builded (mismatch between linker files for S/SF devices). As I remember you already had some issue with your linker files before.
    • Maybe you not use Uniflash properly.
    • Or maybe you have build your code with __SF_DEBUG__ macro.

    Jan

  • 0 in reply to Jan D
    Genius 3875 points

    Hi Jan,

    Yes i have built my code with _SF_DEBUG__ macro. and the same bin  i am using in uniflash.

    regards

    Sanath

  • 0 in reply to sanath rai
    Guru 78255 points

    Hi Sanath,

    If you want to upload binary into sFlash, you need to build without this macro.

    Jan

  • 0 in reply to Jan D
    Genius 3875 points

    Hi Jan,

    Thank you so much Jan ,

    That was the issue.using __SF_DEBUG__  macro in CCS.

    Regards

    Sanath