
CC3220SF: SECURE BOOT DETAILS

Part Number: CC3220SF


Hi,

This question is related to a previous question: https://e2e.ti.com/support/wireless-connectivity/wifi/f/968/p/887381/3281785#3281785

I'd like to add some more questions:

According to my understanding, the bootloader will check for any new image on the serial flash. This is detected using a SHA-1 hash which was stored in "/sys/mcuflashimghash.bin"; with any change in the content of the serial flash, the hash will mismatch. That indicates either a new image or a tamper attempt. In case of a tamper attempt the on-chip flash is mass erased. If it detects a new image it will copy the image to on-chip flash.

Now the question is: how does the bootloader differentiate between a tamper attempt and new code? Does it verify the signature before copying to the on-chip flash? After copying to on-chip flash it will verify the 20-byte hash, but are any checks performed before copying? After copying the image, if the 20-byte hash does not match the internal flash binary, is there a chance to roll back to the previous version?

What if the 20-byte hash is also tampered with to match?

  • Hi,

    In the new code case, the file contents of the mcuflashimg.bin will match what is recorded in the filesystem. As part of the file write and file close procedure for secure files, the device will save the new signature in the filesystem. If the file is tampered with, then the file signature will no longer match what is recorded in the filesystem. This is how the filesystem detects a tamper attempt. The bootloader will perform the signature checks before copying the image to the internal flash.

    The 20-byte hash of the internal flash will match the 20-byte hash stored on the external flash, as the mcuflashimg is copied from the external serial flash to begin with. The only case where this hash shouldn't match after this copy is if the hash was incorrect to begin with (since it is added to the binary as part of the process of programming the mcuflashimg.bin to the serial flash). In this case, either you simply reprogram the device if this hash error was part of the original image, or if this is through OTA the OTA bundle will automatically revert through the failsafe mechanism, as the bootloader will not boot the internal flash image.

    Let me know if you need more clarification or have further questions.

    Regards,

    Michael
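The boot sequence Michael describes (signature check on the serial-flash file before any copy, copy of a new image, 20-byte SHA-1 check of internal flash, refusal to boot plus OTA failsafe revert on mismatch) can be modelled to see why "tampering the 20-byte hash to match" is not enough. The block below is an added example, not TI's bootloader code or the CC3220's actual file format. It assumes a stand-in for the secure-file signature (HMAC-SHA256 under a constructed device key; the real scheme is not described in the thread), a separate 20-byte hash field accompanying the image, and a backup bundle pointer to model the OTA failsafe. The scenario functions, image contents and key are all constructed for the demo.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed stand-in for the device-held key that authenticates secure files.
# The thread does not describe the CC3220's real signature scheme; HMAC-SHA256
# over the file contents only models "signature recorded in the filesystem
# when the secure file is written and closed".
DEVICE_KEY = b"constructed-device-key-for-demo-only"


def file_signature(contents: bytes) -> bytes:
    """Model of the signature the filesystem records for a secure file."""
    return hmac.new(DEVICE_KEY, contents, hashlib.sha256).digest()


def image_hash(contents: bytes) -> bytes:
    """The 20-byte SHA-1 of the MCU image discussed in the thread."""
    return hashlib.sha1(contents).digest()


@dataclass
class SerialFlash:
    image: bytes            # contents of mcuflashimg.bin
    recorded_sig: bytes     # signature the filesystem recorded for that file
    stored_hash: bytes      # 20-byte hash accompanying the image (assumed separate field)
    backup: Optional["SerialFlash"] = None  # previous bundle for OTA failsafe (assumption)


@dataclass
class Device:
    serial: SerialFlash
    internal_flash: Optional[bytes] = None
    log: List[str] = field(default_factory=list)


def program_image(image: bytes, backup: Optional[SerialFlash] = None,
                  hash_override: Optional[bytes] = None) -> SerialFlash:
    """Model of writing mcuflashimg.bin as a secure file: the signature is
    taken on close and the 20-byte hash is stored alongside the image."""
    return SerialFlash(
        image=image,
        recorded_sig=file_signature(image),
        stored_hash=hash_override if hash_override is not None else image_hash(image),
        backup=backup,
    )


def bootloader(dev: Device) -> str:
    """Run the boot sequence once; returns what the bootloader did."""
    sf = dev.serial

    # 1. Signature check on the serial-flash file BEFORE anything is copied.
    #    A rewritten image no longer matches the recorded signature, so an
    #    attacker who also recomputes the SHA-1 is still caught here.
    if not hmac.compare_digest(file_signature(sf.image), sf.recorded_sig):
        dev.log.append("signature mismatch on mcuflashimg.bin: tamper, nothing copied")
        return "tamper"

    # 2. Signature is good: a file that differs from internal flash is a new image.
    if dev.internal_flash != sf.image:
        dev.internal_flash = sf.image
        dev.log.append("new image copied to internal flash")

    # 3. Verify the 20-byte hash of internal flash against the stored hash.
    if hmac.compare_digest(image_hash(dev.internal_flash), sf.stored_hash):
        dev.log.append("hash OK, booting internal flash image")
        return "booted"

    # 4. Hash mismatch: the hash was wrong when the bundle was programmed.
    #    Refuse to boot; revert to the previous bundle if one exists (OTA
    #    failsafe), otherwise the device has to be reprogrammed.
    dev.log.append("hash mismatch on internal flash: refusing to boot")
    if sf.backup is not None:
        dev.serial = sf.backup
        dev.log.append("reverting to previous bundle")
        return "reverted" if bootloader(dev) == "booted" else "halted"
    return "halted"


# Constructed images standing in for two firmware versions.
GOOD_V1 = b"constructed MCU image v1 " * 8
GOOD_V2 = b"constructed MCU image v2 " * 8


def scenario_new_image() -> Tuple[str, bool]:
    """Normal update: signed image with a correct hash is copied and booted."""
    dev = Device(serial=program_image(GOOD_V1))
    return bootloader(dev), dev.internal_flash == GOOD_V1


def scenario_tampered_image_and_hash() -> Tuple[str, bool]:
    """The case asked about: attacker rewrites the image AND recomputes the
    20-byte hash to match, but cannot produce the recorded signature."""
    dev = Device(serial=program_image(GOOD_V1), internal_flash=GOOD_V1)
    evil = GOOD_V1.replace(b"v1", b"xx")
    dev.serial.image = evil
    dev.serial.stored_hash = image_hash(evil)   # hash "tampered to match"
    return bootloader(dev), dev.internal_flash == GOOD_V1


def scenario_bad_hash_with_failsafe() -> Tuple[str, bool]:
    """OTA bundle whose hash was wrong to begin with: copied, refused, reverted."""
    previous = program_image(GOOD_V1)
    broken = program_image(GOOD_V2, backup=previous, hash_override=b"\x00" * 20)
    dev = Device(serial=broken, internal_flash=GOOD_V1)
    return bootloader(dev), dev.internal_flash == GOOD_V1


def scenario_bad_hash_no_failsafe() -> Tuple[str, bool]:
    """Same wrong hash on a freshly programmed device: nothing to revert to."""
    dev = Device(serial=program_image(GOOD_V1, hash_override=b"\x00" * 20))
    return bootloader(dev), dev.internal_flash == GOOD_V1
```

Each scenario returns the bootloader's outcome and whether internal flash ends up holding the known-good v1 image. The tampered case never reaches the copy step, which is the point of the answer: the 20-byte hash is an integrity check on the copy, while the recorded file signature is what distinguishes new code from a tamper attempt.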