Hi,
I'm wondering what the best practices are for storing public and private keys on the Sitara AM243 SoC?
This is in the context of using an SSH server on the R5.
Thanks for your advice.
Hi Emmanuel,
This is in the context of using SSH server on the R5
The SSH server should not require Private keys as these are used by SSH clients only. The public keys required by SSH server are anyways public so they can be stored in Flash storage.
Regards,
Prashant
Hi Prashant,
Thanks for your reply.
But I disagree: from my point of view, and to my current knowledge, an SSH server needs a private and a public key.
That's part of authenticating the server.
The public key is derived from a private key, and this private key has to be embedded in the device. I guess it is used during connection establishment to generate the session key.
In this case, do you know where I can securely store the private key? Or what would be good practice? I'm using RSA keys.
Thanks
Hi Emmanuel,
But I disagree: from my point of view, and to my current knowledge, an SSH server needs a private and a public key.
You are right. I oversimplified and ignored the authentication of the SSH server. We do need an SSH server key pair for the SSH client to authenticate it.
do you know where I can securely store the private key?
Please see if the following helps
Regards,
Prashant
Thanks for the link, Prashant, but from my point of view it covers secure boot, and unfortunately it doesn't answer my question.
Hi Emmanuel,
but from my point of view it covers secure boot
Yes, the eFuse is the only secure storage available and is primarily used for secure boot. Let me discuss internally whether there are any known/implemented solutions for your use case.
Regards,
Prashant
Yes, thanks a lot,
I understand the usage of eFuse for a hash of a public key.
But for the case of a private key of 2048-bit length, the capabilities of the eFuse are too limited, I think?
Have a good day
Hi Emmanuel,
Apologies for the delay in response.
There is no secure storage available other than the General Purpose OTP, which is only 384 bits, so it won't be sufficient for your use case. There is OPTEE, which supports secure storage, but it's for A53 cores only, which are not there on AM243x.
Regards,
Prashant