AM2432: OTP keywriter – encryption key

Part Number: AM2432

Dear TI Experts,
I am facing the burning of my custom keys into the eFUSEs and I have some doubts regarding the SMEK key.
I have an HS device and I want to know the effective employment of the SMEK key and its consequences.

According to the AM243x SDK documentation ( https://software-dl.ti.com/mcu-plus-sdk/esd/AM243X/08_05_00_24/exports/docs/api_guide_am243x/SECURE_BOOT.html#autotoc_md312 ) the devconfig.mak file requires to compile the CUST_MEK variable with the custom SMEK key file (hex content!). The CUST_MEK variable is copied in the APP_ENCRYPTION_KEY variable.
In the same devconfig.mak file, encryption is required for the SBL image: ENC_SBL_ENABLED?=yes.

Observing the makefile_ccs_bootimage_gen files from the SBL projects inside the AM243x SDK, I notice that the APP_ENCRYPTION_KEY is never used.
1) I don’t understand if the SMEK key is effectively used. From the devconfig.mak file the SBL encryption is required, but in the post-build steps of an SBL project, it seems like the SBL image isn’t encrypted. So is SMEK key really employed or not?

In the OTP keywriter documentation, in the building of the keywriter certificate (gen_keywr_cert.sh), it is possible to specify the SMEK key file (binary content) through the option --smek.
2) If the SBL image seems to be not really encrypted (see above considerations), what happens fusing the SMEK key in the OTP? Maybe the ROM code expects to find an encrypted SBL image? And if my SBL image isn’t really encrypted, does the ROM code load the SBL image anyway?

According to the help of the gen_keywr_cert.sh script, the --smek option requires:
--smek               Path to file 256 bit (symmetric key, binary file) SMEK key to be used
What is the proper command to generate this key? Is a 256 bit random number enough (i.e. : openssl rand -out smek.key 32)?

Thanks in advance.
Best regards,
Matteo

  • Hi,

    1) I don’t understand if the SMEK key is effectively used. From the devconfig.mak file the SBL encryption is required, but in the post-build steps of an SBL project, it seems like the SBL image isn’t encrypted. So is SMEK key really employed or not?

    You are right. I think this is a miss. I will raise a ticket for the same.

    Workaround for this problem --

    Can you use makefiles instead of the CCS build flow?

    Details are mentioned here - software-dl.ti.com/.../MAKEFILE_BUILD_PAGE.html

    Path to makefile - MCU_PLUS_SDK/examples/drivers/boot/sbl_ospi/am243x-evm/r5fss0-0_nortos/ti-arm-clang/makefile

    2) If the SBL image seems to be not really encrypted (see above considerations), what happens fusing the SMEK key in the OTP? Maybe the ROM code expects to find an encrypted SBL image? And if my SBL image isn’t really encrypted, does the ROM code load the SBL image anyway?

    If your SBL certificate has the following extension -

    then only RBL decrypts the SBL to the memory. If the certificate does not have the extension, it would expect the SBL to be in plain format.

    What is the proper command to generate this key? Is a 256 bit random number enough (i.e. : openssl rand -out smek.key 32)?

    Yes, a 256-bit random number would be a good way to generate this key.

    Hope it helps.

    Best Regards,
    Aakash
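
The key generation confirmed in this reply, as an added example that is not part of the original thread or TI's SDK: it creates the 256-bit key once and derives the hex text form from the same bytes, since the thread mentions a binary file for --smek and hex content for CUST_MEK. The file names and the exact hex layout (64 hex digits, no separators) are assumptions.

```shell
#!/bin/sh
# Added example, not TI code. File names and the hex layout are assumptions.
# Usage: gen_smek smek.key smek.hex && check_smek_pair smek.key smek.hex

# Generate a 256-bit SMEK as a binary file plus a hex text copy of the same bytes.
# The body runs in a subshell so the restrictive umask does not leak to the caller.
gen_smek() (
    bin_out=$1    # binary key file (the form --smek asks for)
    hex_out=$2    # hex text form of the same key

    # Never regenerate silently: a new key would not match devices already fused.
    if [ -e "$bin_out" ] || [ -e "$hex_out" ]; then
        echo "refusing to overwrite existing key material" >&2
        exit 1
    fi

    umask 077     # key files are created readable by the owner only
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -out "$bin_out" 32 || exit 1
    else
        # Fallback when openssl is not installed: kernel CSPRNG.
        head -c 32 /dev/urandom > "$bin_out" || exit 1
    fi

    # A short read would give a weaker key than intended, so check the size.
    [ "$(wc -c < "$bin_out" | tr -d ' ')" -eq 32 ] || exit 1

    # Hex form: 64 lowercase hex digits, no separators, no trailing newline.
    od -An -v -tx1 "$bin_out" | tr -d ' \n' > "$hex_out"
)

# Succeeds only if the hex file encodes exactly the 32 bytes of the binary file.
# Run it before programming fuses, since the OTP contents cannot be changed later.
check_smek_pair() {
    want=$(od -An -v -tx1 "$1" | tr -d ' \n')
    have=$(tr -d ' \r\n' < "$2" | tr 'A-F' 'a-f')
    [ "${#want}" -eq 64 ] && [ "$want" = "$have" ]
}
```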

  • Hi Aakash,
    Thanks a lot for the answers.

    Just a confirmation about point 2).
    So, if I fuse the SMEK inside the OTP and the SBL is in plain format, there is no problem for the RBL to load the plain SBL. Basically for the RBL it’s important what is written in the SBL certificate and not the presence or not of a SMEK in the OTP. Is my reasoning right?

    Thanks again.
    Regards,
    Matteo

  • Hi ma2teo,

    So, if I fuse the SMEK inside the OTP and the SBL is in plain format, there is no problem for the RBL to load the plain SBL. Basically for the RBL it’s important what is written in the SBL certificate and not the presence or not of a SMEK in the OTP. Is my reasoning right?

    Only if the above-mentioned extension is not part of the certificate. Also, apart from OTP KW, there is no other way to program the SMEK. So it's highly recommended to do the programming, because even if user decides to use the same in future, it will not be allowed.

    Best Regards,
    Aakash

  • Hi Aakash,

    Perfect, thanks again.

    Regards,
    Matteo