• State Resolved
  • Locked Locked
  • Replies 3 replies
  • Subscribers 102 subscribers
  • Views 553 views
  • Users 0 members are here
Support feedback
Options
Options
Similar topics

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

secure OMAP-L138 boot from NOR flash

zhongfeng chen
Intellectual 275 points
Other Parts Discussed in Thread: OMAP-L138, OMAPL138, OMAP-L132

HI:

 we have some problems with secure omap-l138 device boot from nor flash.

We convert a dsp_ubl.out to ais format dsp_ubl_ais.bin with SecureHexAIS_OMAP-L138.exe tool and a ini file.

in the ini file, when we set the secure kernel exit type "bootExitType = NONSECURE" ,We boot  from nor flash succeed, however, we only change the secure kernel exit type to "bootExitType = SECUREWITHSK" in the ini file, and it can't boot. 

And for UART boot mode, we test above two, both work succeed.

How to deal with this prolem ?

Thanks!

  • 0
    TI__Guru** 116100 points

    Hi,

    Have you tried to secure boot from NOR flash any other time ?

    What boot method are you working ?

    I think, if it is NOR direct boot, it won't be a secure.

    All non-AIS boot modes is NON-SECUREd one.

    Please refer to the section 3.1 in OMAPL138 secure guide (sprugq9).

  • 0 in reply to Titusrathinaraj Stalin
    Intellectual 275 points

    Hi.

    We can open the dsp_ubl_ais.bin file, the first word value is 21 00 00 00,which indicates that it is AIS NOR boot mode,refer to the  sections 3.1 in Using the OMAP-L132/L138 Boot loader. And refer to section 3.1 in TMS320C674x/OMAP-L1x Processor Security User's Guide, all ais boot modes are support in secure OMAP-L138 device.

    Thanks!

    following is our ini file:

    ; *********************** INI ************************
    ; General settings that can be overwritten in the host code
    ; that calls the AISGen library.
    [General]
    ; Can be 8 or 16 - used in emifa
    busWidth=16

    ; SPIMASTER,I2CMASTER,EMIFA,NAND,EMAC,UART,PCI,HPI,USB,MMC_SD,VLYNQ,RAW
    ;BootMode=UART
    BootMode=EMIFA

    ; NO_CRC,SECTION_CRC,SINGLE_CRC
    crcCheckType=NO_CRC
    ; Security settings (keys, options, list of sections to encrypt, etc.)
    [Security]
    ; Security Type: GENERIC, CUSTOM, NONE
    securityType=GENERIC
    ;securityType=CUSTOM
    ; Boot Exit Type: NONSECURE, SECUREWITHSK
    ; NONSECURE = Device switches from secure type to non-secure type, jumping to loaded code
    ; (no secure kernel since no longer secure device).
    ; SECUREWITHSK = Device remains as secure type, secure kernel is loaded, allowing run-time
    ; security context switching.
    ;bootExitType = NONSECURE
    bootExitType = SECUREWITHSK

    ; Encrypt section list (ALL or comma-separated list of section names)
    encryptSections=ALL

    ; CEK used for AES encryption of data - must be string of 32 hexadecimal characters
    ; Device uses KEK to encrypt CEK, and then SECURE KEY LOAD command load this CEK, uses to
    ; decrypt the data by ENCRYPTED SECTION LOAD command
    encryptionKey=4A7E1F56AE545D487C452388A65B0C05
    ;encryptionKey=0123456789abcdeffedcba9876543210
    ; SHA Algorithm Selection
    genericSHASelection = SHA1

    ; No Params required - simply include this section for the fast boot function to be called
    [FASTBOOT]

    ; This section allows configuration of one the systme IOPUs.
    ; The iopuNum field must be valid (0-5) and then mppaStart
    ; and mppaend fields allow setting a range of mppa MMRs to the
    ; same supplied mppa value.
    ; IOPUSELECT: | RSVD | iopuNum| mppaStart | mppaEnd |
    ; MPPAVALUE: | mppaValue |
    [IOPUCONFIG]
    IOPUSELECT = 0x000000FF
    MPPAVALUE = 0xFFFFFFFF

    [IOPUCONFIG]
    IOPUSELECT = 0x000100FF
    MPPAVALUE = 0xFFFFFFFF

    [IOPUCONFIG]
    IOPUSELECT = 0x000200FF
    MPPAVALUE = 0xFFFFFFFF

    [IOPUCONFIG]
    IOPUSELECT = 0x000300FF
    MPPAVALUE = 0xFFFFFFFF

    ; This section allow setting the MPU1 or MPU2. If the
    ; rangenum is out of the allowed range then all the ranges
    ; (including the fixed range) take the start, end, and
    ; protection values.
    ; |------24|------16|----------8|----------0|
    ; MPUSELECT: | RSVD | mpuNum | rangeNum |
    ; STARTADDR: | startAddr |
    ; ENDADDR: | endAddr |
    ; MPPAVALUE: | mppaValue |
    [MPUCONFIG]
    MPUSELECT = 0x000001FF
    STARTADDR = 0x00000000
    ENDADDR = 0xFFFFFFFF
    MPPAVALUE = 0xFFFFFFFF

  • 0 in reply to zhongfeng chen
    TI__Guru** 114410 points

    Hi Zhongfeng,

    Basic OMAPL138 secure parts only support secure boot and doesn`t support runtime secuirty so we don`t recommend SECUREWITHSK EXit Type unless you are trying to bind the image to the device during the first time boot.  It would be recommended that you set the boot Exit TYpe to NONSECURE in your production image to prevent any issues resulting from IO protection built into the IP to prevent boot time security.

    However, there is one thing you can try in your experiments. Add the following lines of code in your INI file in the same order as speciifed below:

    //This will set all security bits in IOPU6 registers to unlock security protection on all IOs protected but will lock the SYCFG registers to access only by secure supervisor ROM or secure kernel.

    [IOPUCONFIG]
    IOPUSELECT = 0x000600FF
    MPPAVALUE    = 0xFFFFFFFF

    // This will set bit 7 of IOPU6 to 0 that will unlock the security protection on SYSCFG registers which is ideally what you need to configure PINMUX and other system registers.

    [IOPUCONFIG]
    IOPUSELECT = 0x00060707
    MPPAVALUE    =  0x00000000

    Note: These setting are only required in SECUREWITHSK mode, as in nonsecure environment IOPU and MPU settings will not have any effect.

    Let us know if you are still facing the same issue.

    Regards,

    Rahul