
AM2434: Secure boot with OSPI boot and keywriter

Part Number: AM2434

Dear TI Support,

We would like to use the secure boot feature of the AM243x, however we would like to ask for some clarification about it.

We have found some info that OSPI boot is not compatible with secure boot; however, in some support ticket answers it's the opposite. Source: "Encryption of application image not possible in SBL OSPI"

  • Could you please confirm that secure boot with OSPI boot option on the AM243x HS-FS is possible?
  • Or is it possible, but the firmware image can't be encrypted, only signed?

I have found the otp_keywriter_am243x_09_00_00-windows-installer, which has a few scripts for generating x509 certifications.

  • Would you recommend using these, or is there a possibility these are deprecated and it would be better to implement our own process (using openssl or similar)?
  • Regarding the keywriter - I assume not - but is there any possibility to re-write the security key in a development environment (on a launchpad or EVM) for testing purposes?

Thanks,
Mark

  • Hi,

    Could you please confirm that secure boot with OSPI boot option on the AM243x HS-FS is possible?

    NO! Secure Boot is not supported on HSFS devices. It is only supported on HSSE devices.

    Or is it possible, but the firmware image can't be encrypted, only signed?

    We don't use the term "Secure Boot" for authenticated boot, which is still an optional feature for HSFS devices. However, this is still possible.

    Would you recommend to use these or there's a possibility these are deprecated and it would be better to implement our own process (using openssl or similar)?

    We have only provided example scripts with a flow diagram of how the script works. Users are expected to have trusted HSM vendors provide a secure server that can provide signed images as well as help in provisioning the keys in secure eFuses. We don't claim any production-quality use for these scripts.

    Regarding the keywriter - I assume not - but is there any possibility to re-write the security key in a development environment (on a launchpad or EVM) for testing purposes?

    Yes, your assumption is correct. The keys are written in the eFuses, which are one-time programmable for a device's lifecycle. Hence they cannot be overwritten (in a specific pattern).

    1. Bits in eFuses can be written from 0 to 1 if the rows are not write-locked.
    2. Bits in eFuses cannot be written from 1 to 0.

    So the keys can only be programmed once in a lifetime of a device.

    Hope it helps.

    Best Regards,
    Aakash
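The eFuse write rules in the answer above, as an added example that is not part of the thread or TI's code: a small Python model of a one-time-programmable fuse array that enforces the two rules (0→1 only on rows that are not write-locked, never 1→0). The 32-bit row width, row count and per-row write-lock are assumptions of the model, not AM243x specifics. It also shows the caveat the rules imply: on an unlocked row, a write that only adds bits is still accepted, so a provisioned key can be altered until its rows are locked.

```python
"""Model of one-time-programmable eFuse write rules (added illustration, not TI code).

Assumptions of the model: each row is a 32-bit word, rows start all-zero,
and every row has an independent write-lock bit.  None of this is taken
from AM243x documentation; it only mirrors the two rules stated in the thread.
"""

ROW_BITS = 32                    # assumed row width
ROW_MASK = (1 << ROW_BITS) - 1


class FuseWriteError(Exception):
    """Raised when a write would violate the OTP rules."""


class EfuseArray:
    def __init__(self, rows: int) -> None:
        self.rows = [0] * rows           # all fuses start unblown (0)
        self.locked = [False] * rows     # per-row write lock (assumed)

    def program(self, row: int, value: int) -> int:
        """Blow the fuses needed so that `row` reads `value`; return the new contents.

        Rule 2 is checked first: any bit that would go 1->0 makes the write
        impossible regardless of the lock.  Rule 1: bits going 0->1 are only
        allowed if the row is not write-locked.  A write that changes no bits
        always succeeds (nothing needs to be blown).
        """
        value &= ROW_MASK
        current = self.rows[row]
        clears = current & ~value        # bits that would have to go 1->0
        if clears:
            raise FuseWriteError(
                f"row {row}: cannot clear bits {clears:#010x}; fuses are one-time programmable")
        sets = value & ~current          # bits that would go 0->1
        if sets and self.locked[row]:
            raise FuseWriteError(f"row {row}: write-locked, cannot set bits {sets:#010x}")
        self.rows[row] = current | sets
        return self.rows[row]

    def lock(self, row: int) -> None:
        self.locked[row] = True

    def read(self, row: int) -> int:
        return self.rows[row]


def try_reprovision(array: EfuseArray, row: int, first_key: int, second_key: int) -> str:
    """Program `first_key` into `row`, lock the row, then attempt `second_key`.

    Returns 'replaced' only if the second write succeeded and the row now
    reads `second_key`; otherwise returns the failure reason.
    """
    array.program(row, first_key)
    array.lock(row)
    try:
        array.program(row, second_key)
    except FuseWriteError as exc:
        return str(exc)
    return "replaced" if array.read(row) == second_key else "unchanged"


def unlocked_superset_write(array: EfuseArray, row: int, key: int, extra_bits: int) -> int:
    """Show the caveat: on an unlocked row, adding bits to a programmed key is accepted."""
    array.program(row, key)
    return array.program(row, key | extra_bits)


if __name__ == "__main__":
    fuses = EfuseArray(rows=8)
    print(try_reprovision(fuses, 0, 0xDEADBEEF, 0xCAFEF00D))      # refused: bits would go 1->0
    print(hex(unlocked_superset_write(fuses, 1, 0x0000FFFF, 0xFFFF0000)))  # accepted: row not locked
```

The second function is the reason a keywriter flow ends by locking the key rows: until then, anyone with fuse-programming access can still set additional bits of a key, even though they can never clear any.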

  • Hi Aakash,

    Thanks for the quick answers!

    NO! Secure Boot is not supported on HSFS devices. It is only supported over HSSE devices.

        Of course I meant that we have HS-FS devices at the moment, and we want to move to HS-SE by writing in the keys.

    We don't use the term "Secure Boot" for authenticated boot which is still an optional feature for HSFS devices. However this is still possible.

        I'm sorry, but it is still not clear to me what is "still possible". So if I understand it correctly, authenticated boot is when the firmware is only signed, but not encrypted? So with OSPI boot is only authenticated boot possible, or even secure boot?

    Can you please confirm the note "Encryption of application image not possible in SBL OSPI" is still valid?

    Thanks, Mark

  • Hi Mark Orkenyi,

      I'm sorry, but it is still not clear for me what is "still possible". So if I understand it correctly, authenticated boot is when the firmware is only signed, but not encrypted? So with OSPI boot only authenticated boot is possible, or even secure boot?

    The reason why we don't claim HSFS boot as secure boot, even though it supports authenticated boot, is that the authentication of the bootloader in HSFS devices is optional. Hence, authentication can be disabled if the certificate is changed.

    However, the Authenticated Boot feature is supported in HSFS.

    Can you please confirm the note "Encryption of application image not possible in SBL OSPI" is still valid?

    Yes, due to a memory limitation in the device, the current SDK and SYSFW versions do not support encryption of the application image in the case of OSPI-based application boot. This is being addressed for a future release. However, this is only valid for HSSE devices.

    I hope this helps.

    Best Regards,
    Aakash

  • Thanks Aakash!

    In this case, if we are using OSPI boot at the moment (and thus can't encrypt our application image), it would not make sense to move to HS-SE by burning the keys in, but probably use the authenticated boot feature in HS-FS. Would you agree with this?

    One last question regarding this. 

    "This is being addressed for future release."
    Is there any timeline available on when to expect this feature? Even an estimation would be helpful for us.

    Mark

  • Hi,

    it would not make sense to move to HS-SE by burning the keys in, but probably use the authenticated boot feature in HS-FS. Would you agree with this?

    Well, not exactly. The authentication method in HSFS is not dependent on any key. In the case of HSSE, the authentication is fixed to the root keys in the eFuses, which are programmed by the customer. In the case of HSFS, you can simply change the image with any key and valid authentication and it would still work.

    HSFS is not recommended for production if you have valid concerns regarding security.

    "This is being addressed for future release."

    I don't have a timeline for this. Most likely 09.02 release (Q1'24) or 10.00 release (Q2'24).

    Best Regards,
    Aakash

  • Hi Aakash,

    Thanks for the clarifications!

    Best,

    Mark

  • Hi Aakash,

    Sorry for opening up the case, I just have another question regarding this.

    We would like to use the authenticated boot for now, until encryption of the application in OSPI flash is supported.

    I didn't find any info about how to enable/disable the optional application decryption for secure boot in HS-SE.

    If I write in the SMEK & SMPK using the keywriter, does that automatically mean that we must upload an encrypted application image, or it's somehow possible to disable the decryption of the application during boot and only use authenticated boot? If yes, how?

    Thanks,

    Mark

  • Hi,

    If I write in the SMEK & SMPK using the keywriter, does that automatically mean that we must upload an encrypted application image, or it's somehow possible to disable the decryption of the application during boot and only use authenticated boot? If yes, how?

    It depends on the certificate of the application image.

    It should not have the "encryption" field, as mentioned here - https://downloads.ti.com/tisci/esd/latest/2_tisci_msgs/security/sec_cert_format.html#sample-x509-template

    If the encryption field is not present, the image will not be decrypted. However, the verification of the image is compulsory.

    I hope this helps.

    Best Regards,
    Aakash

  • Thanks Aakash, it helps!