Secured Keys and Secured Boot - test before writing secure_device flag to OTP ?

Learn MoreFAQsTutorials

2 posts / 0 new
Last post
Fri, 2020-04-24 09:33
#1
bobspam@free.fr
Offline
Last seen:3 weeks 19 hours ago
加入:2018-06-20 08:07
Secured Keys and Secured Boot - test before writing secure_device flag to OTP ?

Hello

I am using AES 256 CBC to transmit data to web servers using my own keys. I would like to activate security features so my symetric keys are not disclosed on the field.

Main idea is to

- have one binary loaded on all devices produced (I wish to avoid to execute some complex scripts generating keys on production lines. Furthermore the hardware number generator should provide better randomness than computer script)

- use the bootloader key generation feature (generate_symmetric_keys(void); in secure_hooks.c

- have a test software at the end of production line that read the keys and store them together with test results and various uniq ids I have on my board so my critical information are transmitted to me by the factory.

- have the test software finally write otp flags to enable product_ready and secure_device, in case of test success.

Can you confirm to me

- that this overall procedure is feasible,

- that it is relevant to have one set of asymmetric key for all devices,

- what is the procedure to write only asymmetric keys (leaving symmetric keys blank so the bootloader generates them at first boot)

- I am working under linux without eclipse. What script may allow me to do this ? initial_flash.py does not have any option not to write product_ready and secure_device. I could find the set of script in Reference_files_for_Secure_Boot_683.zip that are in windows batch format. Do you have the same splitted scripts in Linux bash or python ?

Furthermore I need some API advices:

I am currently using

- hw_aes_hash_store_keys(HW_AES_256, key_pointer, HW_AES_PERFORM_KEY_EXPANSION); to achieve ciphering and

- crypto_hmac_sha256 (data_in、size_in、关键_pointer_2, 32, data_out, CRYPTO_HMAC_NO_OPTION, OS_MS_2_TICKS(1)); to achieve hmac

How do I use keys in OTP instead than the one that I am currently using in RAM ?

Is replacing the pointer using OTP adress enough ?

Do I need to achieve OTP init / wake-up before calling ciphering api ?

Thank you in advance

Best Regards

Keywords:
DA14683; secure_device; product_ready
Device:
DA1468x
Tue, 2020-04-28 13:55
PM_Dialog
Offline
Last seen:9 hours 55 min ago
Staff
加入:2018-02-08 11:03
Hi There,

Hi There,

Please take a look at theDA14682/DA14683 Secure Boot Tutorial

The key goals of this tutorial are to:

  • Provide a basic understanding of the secure boot mechanism
  • Set up a working demonstration of firmware digitally signed and securely executed
  • Explain the various options the security boot toolbox has to offer.

Thanks, PM_Dialog