Security Subsystem

Hi all,

Following the datasheet:

I learned a bit more about the PSC and Security Engine. Could you elaborate on the specifics of what they do?
For example, the Developer Guide shows more on secure boot and key management. It doesn't mention the Security Monitor features.

“continually assessing the security status of the SoC”: what kind of status? Can the user determine what to assess and add ports for the PSC to service?
“actively monitor known or potential attack patterns (for example, such as voltage glitching or thermal attacks)”: what does the PSC do next if it monitors a pattern? What patterns does it look for? Where are they stored? Can the user set its reaction?

On the Security Engine side, it claims:
“NIST-compliant asymmetric, symmetric cryptography and hashing”: is there a CAVP or CMVP number? Is there a FIPS 140 cert or ISO equivalent?
“Side channel countermeasures”: since the SE is real hardware, is it implemented in the hardware? What is the countermeasure?
“Hardware Key Access Controls (KAC)” and the keyslot implementation: aren't the crypto values (including passphrase, keys, FV, or IV) either in the headers or in fuses? That control isn't dependent on the SE, so what is this key access referring to?

Thank you in advance,
Andrew

Hello andrew.law,

it looks like a follow-up from Topic 292675.

>> Q1, the security status of the SoC
As you can see… Secure Boot, there are PKC, SBK, KEK, etc.
For instance:
PKC for signing: if the PKC is burned, then the KEYFILE users provide is for signing the images.
SBK for encryption: if the SBK is burned, then the SBKFILE users provide is for encrypting the images.
KEKs for encryption keys: they are keys to encrypt your keys. KEK0, KEK1, KEK2 are 128-bit key files; KEK256 is a 256-bit key file.

>> Q2, potential attack patterns
You may refer to the Threat Model.

>> Q3, NIST-compliant asymmetric, symmetric cryptography and hashing
Please refer to the OP-TEE section.
There's no FIPS 140 cert or ISO equivalent; may I know what the real use-case is?

>> Q4, key access
Please check Secure Samples for reference; there's a pair of TA (hwkey-agent) / CA (hwkey-app) for demonstration.

Hope these replies help.
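The reply above describes KEK0, KEK1, KEK2 and KEK256 as keys that encrypt other keys. As an added illustration that is not part of this thread and not NVIDIA's tooling, the Go program below shows what a key-encrypting key does in practice using the standard AES Key Wrap algorithm (RFC 3394): a 128-bit key is wrapped under a 128-bit KEK, unwrapped again, and a blob whose bytes were altered is rejected by the algorithm's built-in integrity check. The KEK and key bytes are the published RFC 3394 test vector, not values from any device; the actual on-disk format the Jetson flashing tools use for wrapped keys is not described on this page and is not reproduced here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// RFC 3394 default initial value; its recovery on unwrap is the integrity check.
var kwIV = [8]byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

// Wrap encrypts key data under a key-encrypting key (KEK) per RFC 3394.
// kek must be 16, 24 or 32 bytes (16 and 32 mirror the 128-bit KEK0..2 and
// 256-bit KEK256 sizes from the thread); data must be a multiple of 8 bytes.
func Wrap(kek, data []byte) ([]byte, error) {
	if len(data) < 16 || len(data)%8 != 0 {
		return nil, errors.New("key data must be a multiple of 8 bytes and at least 16")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(data) / 8
	a := kwIV
	r := make([][8]byte, n)
	for i := range r {
		copy(r[i][:], data[i*8:])
	}
	var in, out [16]byte
	for j := 0; j < 6; j++ {
		for i := 0; i < n; i++ {
			copy(in[:8], a[:])
			copy(in[8:], r[i][:])
			block.Encrypt(out[:], in[:])
			t := uint64(n*j + i + 1) // RFC counter t = (n*j)+i with 1-based i
			binary.BigEndian.PutUint64(a[:], binary.BigEndian.Uint64(out[:8])^t)
			copy(r[i][:], out[8:])
		}
	}
	res := append([]byte{}, a[:]...)
	for i := 0; i < n; i++ {
		res = append(res, r[i][:]...)
	}
	return res, nil
}

// Unwrap reverses Wrap and fails if the KEK is wrong or the blob was modified.
func Unwrap(kek, wrapped []byte) ([]byte, error) {
	if len(wrapped) < 24 || len(wrapped)%8 != 0 {
		return nil, errors.New("wrapped key must be a multiple of 8 bytes and at least 24")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(wrapped)/8 - 1
	var a [8]byte
	copy(a[:], wrapped[:8])
	r := make([][8]byte, n)
	for i := range r {
		copy(r[i][:], wrapped[8*(i+1):])
	}
	var in, out [16]byte
	for j := 5; j >= 0; j-- {
		for i := n - 1; i >= 0; i-- {
			t := uint64(n*j + i + 1)
			binary.BigEndian.PutUint64(in[:8], binary.BigEndian.Uint64(a[:])^t)
			copy(in[8:], r[i][:])
			block.Decrypt(out[:], in[:])
			copy(a[:], out[:8])
			copy(r[i][:], out[8:])
		}
	}
	if !bytes.Equal(a[:], kwIV[:]) {
		return nil, errors.New("integrity check failed: wrong KEK or tampered blob")
	}
	res := make([]byte, 0, 8*n)
	for i := 0; i < n; i++ {
		res = append(res, r[i][:]...)
	}
	return res, nil
}

func main() {
	// Constructed inputs: the RFC 3394 section 4.1 test vector (128-bit KEK, 128-bit key).
	kek, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F")
	key, _ := hex.DecodeString("00112233445566778899AABBCCDDEEFF")
	blob, _ := Wrap(kek, key)
	fmt.Printf("wrapped: %x\n", blob)
	back, err := Unwrap(kek, blob)
	fmt.Printf("unwrapped: %x (err=%v)\n", back, err)
	blob[9] ^= 1 // flip one bit of the ciphertext
	_, err = Unwrap(kek, blob)
	fmt.Println("tampered blob:", err)
}
```

The point for the thread's question is that a KEK never leaves the device's protected storage; only the wrapped blob (KEK-encrypted key material) is handled by tooling, and the unwrap step itself detects a wrong KEK or a modified blob before the inner key is ever used.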