OMAP L138 Secure Boot


I am testing the secured boot of the OMAP L138. 

I successfully had boot the OMAP without security using example provided in the "OMAPL138-DSP-LED" wich is part of "Using the OMAP-L1x8 Bootloader" doc.

What I understood that I need to generate the combined AIS file from ARM and DSP "*.OUTs", programm it to the SPI FLASH and restart the board (I did all using the provided TI's utilities: "AISgen for D800K600" and the "sfh_OMAP-L138.exe").

Currently I don't want to encrypt the KEK.

  1. In the case of the secured boot I don't understand the steps need to be done with TI's utilities.  Executable of the ARM should be not encrypted (so I use the non secure utility), the executable of the DSP need to be encrypted (so I use secure AIS).  Now I need to combined this two images.  Do I need ro write my own application or this application is provided?
  2. In SPI FLASH boot mode DSP loads application from zero address of the flash, unless it's mentioned otherwise (entry point in non secure case), this managed internally by the OMAP like in the first (non secure) scenario hen combined images was progammed into the SPI FLASH (DSP image was the second image, therefore not located from the start of the flash).  How do I specify this entry point if I'll need to write my own application for combining two images?




2 Replies

  • Dani,

      I apologize for the delayed response.

      Do you currently have secure OMAP L138 parts?  There are two different types of parts:  Secure and Non-secure.  Non-secure images will not work with secure parts and Secure images will not work with non-secure parts.

      When creating a boot image for a secure part, you use the secure AIS tools.  These tools add additional information to the boot image that allows the device to decrypt and authenticate the various sections of the boot image.  You will have the .out files for both the ARM and the DSP and you will use the secure AIS tools to wrap those binaries appropriately.  It should be pretty much the same as you did before.  The one additional step is the creation of the header that contains your encryption key for the boot image. 

      Just for some clarification, the KEK is a device specific random number that is known only to the device.  It is used to encrypt your encryption key used during secure boot so that the image is bound to the device (ie the same flash image cannot be used on other devices b/c two different devices will not have the same KEK). 

      I'm not exactly sure what you mean when you say "Currently I don't wan tot encrypt the KEK".

      Please let me know if this helps and if you have any additional information or questions.



  • In reply to Erik Welsh:

    Hi, Erik

    Since the C6748 has secured boot know, we will use it and not the OMAP, thanks.

    Regarding the C6748.

    I need to build a secured secondary boot loader (SBL) for this device.

    Is it possible and what exact steps I need to do?  Is it simmply a use of  decrypt module function?