Secure Data Encryption on board without TPM support ( AM62P)

public inbox for cip-dev@lists.cip-project.org
 help / color / mirror / Atom feed

From: "Gupta, Ayush" <a-gupta4@ti.com>
To: "cip-dev@lists.cip-project.org" <cip-dev@lists.cip-project.org>
Cc: "Raghavendra, Vignesh" <vigneshr@ti.com>,
	"Adivi, Sai Sree Kartheek" <s-adivi@ti.com>,
	"jan.kiszka@siemens.com" <jan.kiszka@siemens.com>
Subject: Secure Data Encryption on board without TPM support ( AM62P)
Date: Mon, 2 Jun 2025 18:03:42 +0000	[thread overview]
Message-ID: <82039e1a1c384350af46fe375650472c@ti.com> (raw)

[-- Attachment #1: Type: text/plain, Size: 1227 bytes --]

Dear CIP Development Team,

I am currently working on enabling encrypted storage for the TI's AM62P platform, which, as per current hardware capabilities, does not include TPM support.

To address this, I have implemented a working initramfs-crypt-hook-nontpm (link provided at the end)  solution that removes TPM dependencies. It utilizes a keyfile embedded directly into the initramfs for unlocking encrypted partitions during boot. The initramfs itself is considered secure as it is protected by verified boot (Secure Boot is enabled on the platform).

I would like to know if this is an acceptable and secure approach from the CIP security perspective for boards without TPM support. Additionally, are there any recommended alternatives or best practices for strengthening this method in scenarios where TPM support is not available?

Looking forward to your guidance.

Patch for

initramfs-crypt-hook-nontpm

recipes-initramfs/initramfs-crypt-hook-nontpm * main * 22CSB0C01_AYUSH GUPTA / am62x-security-features * GitLab<https://gitlab.com/ag22csb0c01/am62x-security-features/-/tree/main/recipes-initramfs/initramfs-crypt-hook-nontpm?ref_type=heads>

Best regards,
Ayush Gupta
Texas Instruments

[-- Attachment #2: Type: text/html, Size: 3901 bytes --]

next             reply	other threads:[~2025-06-02 18:03 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-06-02 18:03 Gupta, Ayush [this message]
2025-06-02 18:37 ` [cip-dev] Secure Data Encryption on board without TPM support ( AM62P) Heinisch, Alexander
2025-06-03 11:16 ` Jan Kiszka
2025-06-05 11:38   ` Ayush Gupta

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=82039e1a1c384350af46fe375650472c@ti.com \
    --to=a-gupta4@ti.com \
    --cc=cip-dev@lists.cip-project.org \
    --cc=jan.kiszka@siemens.com \
    --cc=s-adivi@ti.com \
    --cc=vigneshr@ti.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox