All trademarks are the property of their respective owners.
Across the customer stages from development to volume production, the J7 series SoC offers several device types that match different security requirements, as shown in Figure 1-1.
Each device type brings different security features, but also different restrictions. The GP device has no security features: the JTAG port is unlocked and none of the binaries need to be signed or encrypted, so it is usually used as a development device. The HS device enforces the security features: the JTAG port is locked and all binaries must be signed and encrypted, so it is usually used as a production device. Figure 1-2 shows the development flow a customer follows to complete the HS process.
The recommended process is:
Many keys are used during the J7 device security process, as shown in Table 1-1. The Notes column describes the important keys during HS development. The SMPKH, SMEK, BMPKH, and BMEK are programmed into eFuse to authenticate and decrypt the system image. The AES-256 key and the TI FEK public key protect the key-programming process itself.
TI also provides test keys in the Keywriter package. Customers can use these test keys to go through the complete HS process, then set up their own HSM and use customer keys to complete the same tasks before production.
Acronym | Name | Status | Owner | Notes |
---|---|---|---|---|
KEK | Key Encryption Key | Necessary | Device | 256-bit statistically unique random number per device |
MPK hash | Manufacturer Public Key hash | Necessary | TI | 512-bit SHA2 hash of MPK. MPK is a 4096-bit key programmed by TI in factory. |
MEK | Manufacturer Encryption Key | Necessary | TI | 256-bit initial encryption key for the device, used for encrypted boot, programmed by TI in factory. |
SMPK hash | Secondary Manufacturer Public Key hash | Necessary | Customer | 512-bit SHA2 hash of SMPK. SMPK is a 4096-bit key used to authenticate the signed binary. |
SMEK | Secondary Manufacturer Encryption Key | Necessary | Customer | 256-bit customer encryption key for encrypted boot used to decrypt the encrypted binary. |
BMPK hash | Backup Manufacturer Public Key hash | Optional | Customer | Backup 512-bit SHA2 hash of SMPK. SMPK is a 4096-bit key used to authenticate the signed binary. |
BMEK | Backup Manufacturer Encryption Key | Optional | Customer | Backup 256-bit customer encryption key for encrypted boot used to decrypt the encrypted binary. |
AES-256 | Advanced Encryption Standard 256-bit Key | Optional | Customer | Random 256-bit number to be used as a temporary AES encryption key for protecting the OTP extension data. |
TI FEK Pub | TI Factory Encryption Key | Necessary | TI | RSA 4K encryption key to protect the customer key material before they are written to the eFuses. |
The HS-SE-TIDK device is security-enforced silicon with the TI dummy key programmed in the customer key area. Customers who want to verify functionality on an HS-SE-TIDK device must sign and encrypt their system image with the TI dummy key. This step is intended to familiarize customers with the process of signing and encrypting binaries with security keys. However, the TI dummy key is public to all customers, so the HS-SE-TIDK device can never be a production device.
The TI dummy keys are included in the default RTOS SDK. You can download the SDK from RTOS SDK for DRA829 & TDA4VM Jacinto™ Processors. The TI dummy keys are located in the folder shown below. All the processes described here were tested with the SDK 7.1 software and work as described.
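The table above says the eFuse holds only the 512-bit SHA2 hash of the 4096-bit SMPK, and the HS-SE-TIDK paragraph explains why a public dummy key can never protect production parts. The following is an added example (not TI's code, and not the real K3 image or eFuse format) that models this chain of trust in Go: the key carried with the image is accepted only if it hashes to the fused value, and only then is the image signature checked. Hashing the raw RSA modulus and using SHA-512 with PKCS#1 v1.5 are assumptions made for this illustration.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha512"
	"errors"
	"fmt"
)

// KeyHash models the SMPK hash burned into eFuse: a 512-bit SHA2 digest of the
// 4096-bit public key. Hashing the raw modulus is an assumption made for this
// example, not TI's exact eFuse encoding.
func KeyHash(pub *rsa.PublicKey) []byte {
	sum := sha512.Sum512(pub.N.Bytes())
	return sum[:]
}

// SignImage models the customer signing step: SHA-512 of the image, signed
// with the private half of the SMPK (RSA PKCS#1 v1.5).
func SignImage(priv *rsa.PrivateKey, image []byte) ([]byte, error) {
	d := sha512.Sum512(image)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA512, d[:])
}

// VerifyBoot models HS boot-time authentication: the key shipped with the
// image must hash to the fused value before the image signature is checked.
func VerifyBoot(fused []byte, pub *rsa.PublicKey, image, sig []byte) error {
	if !bytes.Equal(KeyHash(pub), fused) {
		return errors.New("public key does not match fused SMPK hash")
	}
	d := sha512.Sum512(image)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA512, d[:], sig); err != nil {
		return errors.New("image signature invalid")
	}
	return nil
}

func main() {
	customer, _ := rsa.GenerateKey(rand.Reader, 4096) // constructed; plays the SMPK
	dummy, _ := rsa.GenerateKey(rand.Reader, 4096)    // constructed; plays the TI dummy key
	fused := KeyHash(&customer.PublicKey)
	image := []byte("constructed system image")
	sig, _ := SignImage(customer, image)
	fmt.Println("customer-signed:", VerifyBoot(fused, &customer.PublicKey, image, sig))
	sig, _ = SignImage(dummy, image)
	fmt.Println("dummy-signed:", VerifyBoot(fused, &dummy.PublicKey, image, sig))
}
```

An image signed with the dummy key is rejected before its signature is even examined, because the dummy key's digest does not match the customer hash in eFuse; this is the check that the HS-SE-TIDK device, fused with the public dummy key hash, cannot provide.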
```shell
# Copy the TI dummy SMPK (private key) and SMEK out of the SDK tree.
# PSDKRA_PATH must point at the installed RTOS SDK.
mkdir -p ~/TIDummyKey
cp ${PSDKRA_PATH}/pdk/packages/ti/build/makerules/k3_dev_mpk.pem ~/TIDummyKey/smpk.pem
cp ${PSDKRA_PATH}/pdk/packages/ti/build/makerules/k3_dev_mek.txt ~/TIDummyKey/smek.txt
```