Here are the differences between HS-FS and
HS-SE.
HS-FS Device
- Allows customers to run diagnostics code on HS device without
creating signed images.
- No secure boot
- JTAG open
HS-SE Device
- Fully secure HS device
- All security policies applied
- Enforce secure boot
- JTAG closed
- Firewalls engaged
- All available security features
active
During the development, customers must use
Keywriter to convert HS-FS to HS-SE.
OTP Keywriter
The OTP writer for K3 platforms is developed
as a single binary that runs on HS-FS devices and program the customer eFuse keys.
The OTP writer is a single image and
contains a secure part and a non-secure part.
- Non-secure part, or the OTP app, runs on
the R5
- Secure part, which is essentially an OTP
driver, runs as part of SYSFW on the DMSC subsystem
Non-secure factory key provisioning
support:
- Keywriter contains the encrypted TI FEK
Private Key
- FEK Public Key given to customer to
encrypt symmetric keys (SMEK and BMEK)
User configurable parameters are input using
a X509 certificate. This OTP config cert contains:
- SMPK Hash and FEK encrypted SMEK, options
and BCH
- BMPK Hash and FEK encrypted BMEK, options and BCH
- SWREV, KEYREV (to select the active key), KEYCNT (number of keys used)
- GPIO used for VPP (optional for 16FF devices)
- UART mux cfg for wkup UART
- TI FEK Private Key, encrypted using key derived from TI Symmetric key (MEK)
- Signed certificate with full Root Key (cloning protection)