Introduction

K3 HS devices have a randomly generated 256 bit key written into the efuses in TI Factory. This key is called a Key Encryption Key (KEK) and is unique to each device. The key is only accessible via an AES engine which is controlled by the DMSC. System controller firmware uses CMAC as the Pseudo Random Function(PRF) in counter mode to derive a new KEK, called DKEK. The DKEK can be accessed in the following ways:

Indirectly by having DMSC program the DKEK into the SA2UL registers and accessing through the USE_DKEK flag in the security context.
Directly by having DMSC derive the key and return the key value over the secure queue for CPU-based encryption routines.

Files
file	sciclient_dkek.h
	This file contains the definition of all the message IDs, message formats to be able to interact with the System Controller firmware for DKEK management.

Functions
int32_t	Sciclient_setDKEK (const struct tisci_msg_sa2ul_set_dkek_req req, struct tisci_msg_sa2ul_set_dkek_resp resp, uint32_t timeout)
	Request to derive a KEK and set SA2UL DKEK register. More...

int32_t	Sciclient_releaseDKEK (const struct tisci_msg_sa2ul_release_dkek_req req, struct tisci_msg_sa2ul_release_dkek_resp resp, uint32_t timeout)
	Request to erase the DKEK register. More...

int32_t	Sciclient_getDKEK (const struct tisci_msg_sa2ul_get_dkek_req req, struct tisci_msg_sa2ul_get_dkek_resp resp, uint32_t timeout)
	Request for getting the firewall permissions. More...

Function Documentation

◆ Sciclient_setDKEK()

int32_t Sciclient_setDKEK	(	const struct tisci_msg_sa2ul_set_dkek_req *	req,
		struct tisci_msg_sa2ul_set_dkek_resp *	resp,
		uint32_t	timeout
	)

Request to derive a KEK and set SA2UL DKEK register.

Message: TISCI_MSG_SA2UL_SET_DKEK
Request: tisci_msg_sa2ul_set_dkek_req
Response: tisci_msg_sa2ul_set_dkek_resp

Parameters

req	Pointer to DKEK set request payload
resp	Pointer to DKEK set response payload
timeout	Gives a sense of how long to wait for the operation. Refer SystemP_Timeout.

Returns: SystemP_SUCCESS on success, else failure

◆ Sciclient_releaseDKEK()

int32_t Sciclient_releaseDKEK	(	const struct tisci_msg_sa2ul_release_dkek_req *	req,
		struct tisci_msg_sa2ul_release_dkek_resp *	resp,
		uint32_t	timeout
	)

Request to erase the DKEK register.

Message: TISCI_MSG_SA2UL_RELEASE_DKEK
Request: tisci_msg_sa2ul_release_dkek_req
Response: tisci_msg_sa2ul_release_dkek_resp

Parameters

req	Pointer to DKEK release request payload
resp	Pointer to DKEK release response payload
timeout	Gives a sense of how long to wait for the operation. Refer SystemP_Timeout.

Returns: SystemP_SUCCESS on success, else failure

◆ Sciclient_getDKEK()

int32_t Sciclient_getDKEK	(	const struct tisci_msg_sa2ul_get_dkek_req *	req,
		struct tisci_msg_sa2ul_get_dkek_resp *	resp,
		uint32_t	timeout
	)

Request for getting the firewall permissions.

Message: TISCI_MSG_SA2UL_GET_DKEK
Request: tisci_msg_sa2ul_release_dkek_req
Response: tisci_msg_sa2ul_release_dkek_resp

Parameters

req	Pointer to DKEK get request payload
resp	Pointer to DKEK get response payload
timeout	Gives a sense of how long to wait for the operation. Refer SystemP_Timeout.

Returns: SystemP_SUCCESS on success, else failure

Introduction

Files

Functions

Function Documentation

◆ Sciclient_setDKEK()

◆ Sciclient_releaseDKEK()

◆ Sciclient_getDKEK()