SPRADN0 December 2024 F29H850TU, F29H859TU-Q1

  Abstract
  Trademarks
  1 Programming Fundamentals
  2 Introduction
    2.1 Hardware Security Module
    2.2 ROM Bootloader
    2.3 Combined Image with X.509 Certificate
  3 Flash Kernel Implementation
    3.1 CPU1 Firmware Upgrade (HS-FS)
    3.2 Key Provision (HS-FS to HS-KP)
    3.3 CPU1 Secure Firmware Upgrade (HS-KP/SE to HS-SE)
    3.4 HSM Firmware Upgrade (HS-KP/SE to HS-SE)
    3.5 SECCFG Code Provisioning (HS-KP/SE to HS-SE)
  4 Host Application: UART Flash Programmer
    4.1 Overview
    4.2 Build UART Flash Programmer with Visual Studio
    4.3 Build UART Flash Programmer with CMake
    4.4 Packet Format
    4.5 Kernel Commands
  5 Example Usage
    5.1 Loading the Flash Kernel onto the Device
      5.1.1 Hardware Setup
      5.1.2 Running the UART Flash Programmer
    5.2 CPU1 Device Firmware Upgrade (HS-FS only)
    5.3 Convert HS-FS to HS-SE
    5.4 Loading a RAM-based HSMRt Image
    5.5 Key Provision (HS-FS to HS-KP)
    5.6 Code Provision (HS-KP/SE to HS-SE)
  6 Troubleshooting
    6.1 General
    6.2 UART Boot
    6.3 Application Load
  7 Summary
  8 References

Hardware Security Module

The primary difference between the flash kernel for C28-based devices and the F29H85x flash kernel is the integration of the Hardware Security Module (HSM). The HSM is a subsystem that provides security and cryptographic functions. The C29 CPUs interface with the HSM to perform the cryptographic operations required for code authentication, secure boot, secure firmware upgrades, and encrypted run-time communications.

During the UART boot sequence, the HSM is responsible for authenticating the incoming image. For the authentication to succeed, the incoming image must include an X.509 certificate. For the steps to generate the X.509 certificate for the flash kernel, refer to Section 2.3, Combined Image with X.509 Certificate.

The HSM introduces the concept of device security states. The states are High Security - Field Securable (HS-FS), High Security - Key Provisioned (HS-KP), and High Security - Security Enabled (HS-SE). By default, the F29H85x device ships in the HS-FS state. Table 2-1 describes the differences between these three states.

Table 2-1 Device Security State

C29 boot image (flash kernel)
  HS-FS: Secure boot not enforced
  HS-KP: Secure boot enforced with customer keys programmed by keywriter
  HS-SE: Secure boot enforced with customer keys programmed by keywriter

HSM boot image
  HS-FS: Secure boot enforced (with default TI-provided key)
  HS-KP: Secure boot enforced with customer keys programmed by keywriter
  HS-SE: Secure boot enforced with customer keys programmed by keywriter

C29 JTAG
  HS-FS: Open by default
  HS-KP: Open by default
  HS-SE: Closed by default

SoC firewalls
  HS-FS: Open by default
  HS-KP: Disabled for HSM and enabled for C29
  HS-SE: Disabled for HSM and enabled for C29

C29 CPU access to C29 flash banks
  HS-FS: Enabled
  HS-KP: Disabled
  HS-SE: Enabled

TI provides an OTP (One Time Programmable) Keywriter that can be used to transition an HS-FS device to HS-KP or HS-SE. The OTP Keywriter is a combination of TI-delivered HSM Run Time Firmware and tools (certificate generation) which, when executed together on the device, enable the following:

  • Provisioning up to two sets of customer keys (both the public keys that form the root of trust for boot images and the encryption keys used to decrypt boot images).
  • Programming of Extended OTP fields, which are additional OTP fields available for customer-specific usage.
  • Programming of the OTP fields KEY_COUNT and KEY_REVISION, which transitions the device from HS-FS (Field Securable) to HS-KP (Key Provisioned).
  • Programming of OTP fields such as SWREV for the SBL, HSM, APP, and SECCFG images, which enforce anti-rollback checks by secure boot on HS-KP as well as HS-SE devices.

Once these fields are programmed, the device transitions to HS-KP and the boot ROM enforces secure boot, authenticating and decrypting images based on the keys provisioned and configured in the device. Secure boot requires an image to be signed using the customer keys and, optionally, encrypted. The SoC then verifies the image using the active MPK hash (to check the signature) and the MEK (for decryption).

CAUTION:
  • Burning the keys is irreversible across all of these fields, so exercise caution to provide the key values in the correct format and with the correct key configuration.
  • Programming these fields is irreversible, and providing incorrect values or an incorrect configuration can permanently damage the device.

For more information on the OTP Keywriter, request the Restricted Security Package from the F29H85x MCU SDK download page.
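To make Table 2-1, the keywriter fields, and the CAUTION above concrete, the following Python model is an added example written for this edit; it is not TI code and not part of the original application report. It models OTP fields whose bits can only be programmed from 0 to 1, derives the device state from KEY_COUNT, stores a hash of the customer root public key (the MPK hash) in OTP, and applies the secure boot rules of Table 2-1 together with the SWREV anti-rollback check. Everything not named on this page is an assumption made for illustration: the SEC_ENABLE flag used to reach HS-SE, the thermometer coding of SWREV, the field set, and the tiny textbook RSA with known primes that stands in for the real signature scheme and certificate format. The actual F29H85x OTP map and HSM firmware are described only in the Restricted Security Package.

```python
"""Added model (not TI code) of how OTP fields drive F29H85x security state and secure boot.
SEC_ENABLE, the thermometer-coded SWREV fields and the tiny textbook RSA are assumptions."""
import hashlib
from typing import NamedTuple

TI_KEY = (2**61 - 1, 2**31 - 1)        # known primes; stands in for the TI default key
CUSTOMER_KEY = (2**89 - 1, 2**19 - 1)  # known primes; stands in for the customer MPK
FIELDS = ("KEY_COUNT", "KEY_REVISION", "SEC_ENABLE", "MPK_HASH", "SWREV_HSM", "SWREV_APP")

def keypair(p, q, e=65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))  # (public, private)

def pubkey_hash(pub):  # what OTP holds: a hash of the root public key, not the key
    return hashlib.sha256(pub[0].to_bytes(16, "big") + pub[1].to_bytes(4, "big")).digest()

def sign(priv, data):
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big") % n, d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def signed_bytes(kind, swrev, payload):  # revision sits inside the signed region
    return kind.encode() + swrev.to_bytes(4, "big") + payload

class Otp:
    """OTP model: bits only go 0 -> 1, so every programmed field is irreversible."""
    def __init__(self):
        self.f = dict.fromkeys(FIELDS, 0)
    def program(self, name, value):
        if self.f[name] & ~value:
            raise ValueError(f"{name}: programmed bits cannot be cleared")
        self.f[name] |= value
    # SWREV as a thermometer code (assumed): revision r is r one-bits, so it only grows.
    def swrev(self, name):
        return bin(self.f[name]).count("1")
    def set_swrev(self, name, rev):
        self.program(name, (1 << rev) - 1)
    def state(self):
        return "HS-SE" if self.f["SEC_ENABLE"] else "HS-KP" if self.f["KEY_COUNT"] else "HS-FS"

class Image(NamedTuple):
    kind: str            # "C29" (flash kernel / application) or "HSM"
    swrev: int
    payload: bytes
    pub: tuple = None
    sig: int = None

def make_image(kind, swrev, payload, priv, pub):
    return Image(kind, swrev, payload, pub, sign(priv, signed_bytes(kind, swrev, payload)))

def keywriter(otp, customer_pub, app_rev, hsm_rev):  # HS-FS -> HS-KP step of the OTP Keywriter
    otp.program("MPK_HASH", int.from_bytes(pubkey_hash(customer_pub), "big"))
    otp.program("KEY_COUNT", 1)
    otp.program("KEY_REVISION", 1)
    otp.set_swrev("SWREV_APP", app_rev)
    otp.set_swrev("SWREV_HSM", hsm_rev)
    return otp.state()

def secure_boot(otp, image, ti_pub):
    """Return (accepted, reason) per Table 2-1 plus the SWREV anti-rollback rule."""
    st = otp.state()
    if st == "HS-FS" and image.kind == "C29":
        return True, "HS-FS: C29 image is not authenticated"
    if st == "HS-FS":                          # HSM image on HS-FS: TI default key
        expected = pubkey_hash(ti_pub)
    else:                                      # HS-KP / HS-SE: customer key hash from OTP
        expected = otp.f["MPK_HASH"].to_bytes(32, "big")
    if image.pub is None or pubkey_hash(image.pub) != expected:
        return False, "image key does not match the active root-of-trust hash"
    if not verify(image.pub, signed_bytes(image.kind, image.swrev, image.payload), image.sig):
        return False, "signature check failed"
    field = "SWREV_HSM" if image.kind == "HSM" else "SWREV_APP"
    if st != "HS-FS" and image.swrev < otp.swrev(field):
        return False, f"anti-rollback: image rev {image.swrev} < OTP {field} rev {otp.swrev(field)}"
    return True, f"{st}: image authenticated"

def demo():  # walk one device from HS-FS through HS-KP to HS-SE with constructed images
    (ti_pub, ti_priv), (cust_pub, cust_priv) = keypair(*TI_KEY), keypair(*CUSTOMER_KEY)
    otp, r = Otp(), {}
    unsigned = Image("C29", 1, b"flash kernel (constructed payload)")
    hsm_ti = make_image("HSM", 1, b"HSMRt (constructed)", ti_priv, ti_pub)
    r["fs_c29_unsigned"] = secure_boot(otp, unsigned, ti_pub)[0]
    r["fs_hsm_ti_key"] = secure_boot(otp, hsm_ti, ti_pub)[0]
    r["after_keywriter"] = keywriter(otp, cust_pub, app_rev=2, hsm_rev=1)
    r["kp_c29_unsigned"] = secure_boot(otp, unsigned, ti_pub)[0]
    r["kp_hsm_ti_key"] = secure_boot(otp, hsm_ti, ti_pub)[0]
    r["kp_c29_rev1"] = secure_boot(otp, make_image("C29", 1, b"app v1", cust_priv, cust_pub), ti_pub)[0]
    r["kp_c29_rev2"] = secure_boot(otp, make_image("C29", 2, b"app v2", cust_priv, cust_pub), ti_pub)[0]
    try:                                       # the CAUTION in the text: OTP never goes back
        otp.set_swrev("SWREV_APP", 1)
        r["otp_rollback_blocked"] = False
    except ValueError:
        r["otp_rollback_blocked"] = True
    otp.program("SEC_ENABLE", 1)               # assumed flag for the HS-KP -> HS-SE step
    r["final_state"] = otp.state()
    return r
```

Running demo() shows the behaviour the text describes: on HS-FS an unsigned C29 image boots while the HSM image must still carry the TI default key; after the keywriter step the same unsigned image and the TI-signed HSM image are both rejected, only images under the customer key pass, an image whose revision is below the burned SWREV is refused, and an attempt to burn a lower SWREV fails because OTP bits cannot be cleared. On a real device the TI key hash is fixed in silicon rather than passed in, and the signature is carried in the X.509 certificate of Section 2.3; the model keeps only the key-hash binding and the ordering of the checks.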

The firmware upgrade process differs between HS-FS, HS-KP, and HS-SE devices.