• State TI Thinks Resolved
  • Locked Locked
  • Replies 3 replies
  • Answers 2 answers
  • Subscribers 40 subscribers
  • Views 308 views
  • Users 0 members are here
Support feedback
Options
Options
Related

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

CC3220SF-LAUNCHXL: AWS-IOT - Encrypted OTA Firmware Update

Naga SuresH
Intellectual 560 points
Part Number: CC3220SF-LAUNCHXL
Other Parts Discussed in Thread: CC3220SF
HI,
I am using TICC3220SF along with an AWS-FreeRTOS OTA example.
Currently with signed OTA firmware update (application binary uploading to AWS -Cloud )  OTA application code is working fine, Now I am planning to update Encrypted + signed OTA binary.
1. CC3220SF Bootloader- Supports any decrypt options? So that AWS-OTA example can receive an Encrypted binary and then the device's bootloader can decrypt it?
2. If the bootloader doesn't support, Where exactly need to decrypt the OTA-Firmware and sign verification process with respect to the AWS-OTA example code, so that bootloader can process decrypted OTA firmware.
please help me out with the process to achieve this feature.
Regards,
Suresh
  • 0
    TI__Guru 63006 points

    Hi Suresh,

    No. The bootloader will not work with an image encrypted by AWS.

    Such decryption should be handled by the application before the image is stored on the flash.

    When you store a secure file (like the MCU image) on the CC3220SF flash - it will get encrypted using the device key. The bootloader will then use the device key to decrypt the file when it is copied to the internal XiP flash. but it will not be able to use file that was decrypted with an external key.

    I'm not familiar with the AWS FreeRTOS encryption that you are referring to. The signature verification is being supported (you'll need to follow the instructions in the FreeRTOS OTA documentation and sign the image with the private that is associated to a public key stored on the device).

    Br,

    Kobi

  • 0 in reply to Kobi Leibovitch
    Intellectual 560 points

    Hi Kobi,

    Thanks for your response.

    I am Planning TI's AES-Crypto API to Encrypt MCU Image and load it to AWS Cloud (as OTA update). Not from AWS-FreeRTOS Encryption.

    So you mean to say, any Encryption (like AES DES and HMAC) CC3220SF-Bootloader doesn't support flashing the encrypted MCU Image directly with respect to OTA procedure?

    In any case, the application must handle decryption and process to the bootloader. Is my understanding correct?

    Regards,

    Suresh

  • 0 in reply to Naga SuresH
    TI__Guru 63006 points

    yes, that's right.

    Just to clarify, the application doesn't have any direct interface with the bootloader.

    The application will need to decrypt the image and then write it as a secure file in the file system (where it will be kept encrypted using the device key).

    After reset, the bootloader will identify the new file and will use it to program the internal flash and run from it.

    Note that both the OTA server and the file transfer are expected to be secure (e.g. secure MQTT/HTTP over TLS) so the image encryption might be redundant but it is your choice to add it.

    Br,  

    Kobi