Security

Table of Contents

• Introduction
  • Getting started
    • HSMRt SRV DISABLED Firmware
    • Services

Introduction

Getting started

The HSM or Hardware security Module is a subsystem that acts as the secure host by offering security services to the rest of the system. TI offers HS-FS (High Security - Field Securable) as the primary device for the customers which can be converted to HS-SE (High Security - Security Enforced) by provisioning the customer keys using OTP KeyWriter Tool. HS devices supports loading the HSMRt firmware (MMWAVE_TIFS Firmware, or HSM-RT) which enables access to the hardware resources for cryptographic operations for R5FSS.

Note

1. In the following document and in MMWAVE_TIFS document the term used to refer to the Firmware which runs on HSM core is MMWAVE_TIFS Firmware. Please note that the terms 1. HSMRt Firmware and 2. HSMRt are synonymous to MMWAVE_TIFS Firmware.
2. Please contact TI representative to get OTP Keywriter Tool to convert HS-FS device to HS-SE, and to get MMWAVE_TIFS add-on package that can used on HS-SE device.

• HSMRt Firmware is not provided OOB in SDK.
• Please contact TI representative to get MMWAVE_TIFS add-on package and build hsm_firmware example there.
• This generates HSMRt Firmware in "${SDK_INSTALL_PATH}/tools/security/hsmrt/tifs_xwrL684x_hs_se/"

HSMRt SRV DISABLED Firmware

• In functional mode, R5FSS is in halted state for HS-SE (High Security - Security Enforced) devices. HSM core has to unhalt R5FSS.
• Since, HSMRt Firmware is not provided OOB in SDK, HSMRt SRV DISABLED Firmware in provided as a substitute.
  • HSMRt SRV DISABLED Firmware is similar to HSMRt Firmware. Only difference is that all services are disabled in HSMRt SRV DISABLED Firmware.
  • It's primary objective is to unhalt R5FSS to provide support to run SDK examples on HS-SE (High Security - Security Enforced) devices which do not require access to services.
  • It is placed in "${SDK_INSTALL_PATH}/tools/security/hsmrt/tifs_xwrL684x_srv_disabled/"

Note

• Appimages for secure devices require an x509 Certificate to be passed along with the application binaries. Certificate generation requires an x509 template file. This file is not provided as part of MMWAVE_L_SDK, it is provided as part of MMWAVE_TIFS.
• So, before building any appimages for secure devices, please copy and rename the x509 template file from "${TIFS_INSTALL_PATH}/tools/MetaImageGen/config/x509_templates/x509_config_str_{ver}.txt" to "${SDK_INSTALL_PATH}/tools/MetaImageGen/config/x509_config_str.txt".
• Where {ver} is the OpenSSL version being used:
  • 1_x for OpenSSL 1.x.x
  • 3_x for OpenSSL 3.x.x

Services

The MMWAVE_TIFS firmware that gets loaded on HSM provides a variety of services. For more information refer HSM client

This module contains APIs for different security drivers that are supported on xWRL684x .

It consists of below sub-modules:

• HSM client
• SIPC Notify
• MPU FIREWALL