Hi,
I did the following experiments:
The test environment:
Device : OMAPL132BZTE Basic Secure Boot Enabled
Oscillator clock: 12MHz
mDDR : 128MB MT46H8M16LFBF
NOR flash : 8MB ST M58WR064KB -- 16-bit, connected to EMIFA CS2
The test program: app_test.out, made with the CCS 4.2 IDE;
runs on the C6748 DSP core; load and entry address: 0x11820000 in L2 RAM; function: loops printing a string from UART2
PC terminal : SecureCRT.exe -- a serial port monitoring program
boot mode : Secure AIS NOR BOOT mode
flash tool : sfh_sec_OMAP-L138.exe -- I modified the serial download tools from the non-secure device software "OMAP-L138_FlashAndBootUtils_2_40.tar.gz" with SecureHexAIS
Secure HEX tool : SecureHexAIS_OMAP-L138.exe
INI file : as follows
;***************************************************************
; TI OMAP-L138 / C6748 Security Utilities *
; (C) 2009-2012 Texas Instruments, Inc. *
;***************************************************************
;
; This INI file will create a header that contains:
; NOR config word (1 word)
; AIS magic number (1 word)
; AIS key load command (1 word)
; AIS key header (8 words)
; AIS set exit type (2 words)
; AIS set command + params (5 words)
; Signature (16 words)
;
; The AIS set command at the bottom of the INI file is a dummy write
; in order to force a signature check. This is necessary in order to
; create a well defined header that can be bound to the device. If
; the AIS set command is not used, then you will have to determine
; where the first signature occurs so that you can bind the entire
; section.
;
; *********************** INI ************************
; General settings that can be overwritten in the host code
; that calls the AISGen library.
[General]
; Can be 8 or 16 - used in emifa
busWidth=16
; SPIMASTER,I2CMASTER,EMIFA,NAND,EMAC,UART,PCI,HPI,USB,MMC_SD,VLYNQ,RAW
BootMode=EMIFA
; NO_CRC,SECTION_CRC,SINGLE_CRC
crcCheckType=NO_CRC
; Security settings (keys, options, list of sections to encrypt, etc.)
[Security]
; Security Type: GENERIC, CUSTOM, NONE
securityType=GENERIC
; Boot Exit Type: NONSECURE, SECUREWITHSK
; NONSECURE = Device switches from secure type to non-secure type, jumping to loaded code
; (no secure kernel since no longer secure device).
; SECUREWITHSK = Device remains as secure type, secure kernel is loaded, allowing run-time
; security context switching.
bootExitType = SECUREWITHSK
; Encrypt section list (ALL or comma-separated list of section names)
encryptSections=ALL
; CEK used for AES encryption of data - must be string of 32 hexadecimal characters
; The device uses the KEK to encrypt the CEK; the SECURE KEY LOAD command then loads this CEK,
; which is used to decrypt the data loaded by the ENCRYPTED SECTION LOAD command
encryptionKey=4A7E1F56AE545D487C452388A65B0C05
; SHA Algorithm Selection
genericSHASelection = SHA256
;<<OMAP-L132 DSP+ARM Technical Reference Manual>> Chapter 6: Processor Memory Protection Unit (MPU) 6.2.8 Reset Considerations
; After reset, the memory protection page attribute registers (MPPA) default to 0. This disables all protection features. 1: enable protection.
; This section allows setting the MPU1 or MPU2. If the
; rangenum is out of the allowed range then all the ranges
; (including the fixed range) take the start, end, and
; protection values.
;            |------24|------16|----------8|----------0|
; MPUSELECT: |      RSVD       |  mpuNum   | rangeNum  |
; STARTADDR: |                startAddr                |
; ENDADDR:   |                 endAddr                 |
; MPPAVALUE: |                mppaValue                |
[MPUCONFIG]
MPUSELECT = 0x000001FF
STARTADDR = 0x00000000
ENDADDR = 0xFFFFFFFF
MPPAVALUE = 0xFFFFFFFF
[MPUCONFIG]
MPUSELECT = 0x000002FF
STARTADDR = 0x00000000
ENDADDR = 0xFFFFFFFF
MPPAVALUE = 0xFFFFFFFF
; This section allows configuration of one of the system IOPUs.
; The iopuNum field must be valid (0-5) and then mppaStart
; and mppaEnd fields allow setting a range of mppa MMRs to the
; same supplied mppa value.
; IOPUSELECT: |  RSVD  | iopuNum| mppaStart |  mppaEnd  |
; MPPAVALUE:  |                mppaValue                |
[IOPUCONFIG]
IOPUSELECT = 0x000000FF
MPPAVALUE = 0xFFFFFFFF
[IOPUCONFIG]
IOPUSELECT = 0x000100FF
MPPAVALUE = 0xFFFFFFFF
[IOPUCONFIG]
IOPUSELECT = 0x000200FF
MPPAVALUE = 0xFFFFFFFF
[IOPUCONFIG]
IOPUSELECT = 0x000300FF
MPPAVALUE = 0xFFFFFFFF
[IOPUCONFIG]
IOPUSELECT = 0x000600FF
MPPAVALUE = 0xFFFFFFFF
;[TAPSCONFIG]
;TAPSCFG = 0x0000FFFF
[AIS_Set]
; Generic AIS set instruction to a reserved register to force a signature check
TYPE=2
ADDRESS=0x01E2C020
DATA=0
SLEEP=0
[test1]: Secure AIS NOR BOOT mode with bootExitType = SECUREWITHSK
step1: using the INI file above,
use "SecureHexAIS_OMAP-L138.exe" to convert the "app_test.out" application image file into the secure boot image "app_test_secais.bin"
step2: set the DIP switch to UART2 boot mode, then use "sfh_sec_OMAP-L138.exe" to burn "app_test_secais.bin" at 0x60000000, the start address of the NOR flash.
step3: set the DIP switch to NOR boot mode, then run the PC software "SecureCRT.exe" to monitor data from UART2 of the OMAPL132 device;
result: failure, no data received at all.
[test2]: Secure AIS NOR BOOT mode with bootExitType = NONSECURE
step1: using the INI file above, only modify "bootExitType = NONSECURE"; everything else is the same as test1 step1;
step2: same as test1.
step3: same as test1;
result: successful, received the string in accordance with the "app_test.out" application.
Because I could not find similar examples in the TI E2E Community or guidance in the documentation from "C674x_OMAPL1x_Generic_Security_Flash_Boot_Utils.tar.gz" and "Security_collateral_update.zip",
I made some other tests:
[test3]: the "app_test.out" app run in Secure AIS UART BOOT mode (modify "BootMode=UART") with bootExitType = SECUREWITHSK or NONSECURE, downloaded by the GenericSecureUartHost.exe tool.
Both bootExitType settings are successful.
note: with bootExitType = SECUREWITHSK, if the INI file is modified to delete the IOPU settings, the application can't print any data on the UART.
[test4]: the "nor_test.out" app run in Secure AIS UART BOOT mode (modify "BootMode=UART") with bootExitType = SECUREWITHSK or NONSECURE, downloaded by the GenericSecureUartHost.exe tool.
1) NOR initialization fails with "bootExitType = SECUREWITHSK";
2) NOR initialization is OK, and afterwards the NOR can be written and read, with "bootExitType = NONSECURE";
From our tests so far, for "bootExitType = SECUREWITHSK" we guess that some resources are protected (protected by the IOPUs and MPUs, such as the I/O connected to the NOR flash, and the DSP), and so far we haven't found this in TI's documents.
Could someone provide detailed documents for Secure AIS NOR BOOT with "bootExitType = SECUREWITHSK"? We would also appreciate it if someone could provide a demo for AIS NOR flash boot mode in secure kernel mode.
Thanks!
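
Added example, not part of the original post or of TI's tools: a small Python decoder for the MPUSELECT and IOPUSELECT words, following the bit layout given in the INI comments above. SAMPLE_INI is a constructed subset of the posted values, and the function and field names are hypothetical.

```python
import re

# Constructed sample: a subset of the [MPUCONFIG]/[IOPUCONFIG] values posted above.
SAMPLE_INI = """\
[MPUCONFIG]
MPUSELECT = 0x000001FF
STARTADDR = 0x00000000
ENDADDR = 0xFFFFFFFF
MPPAVALUE = 0xFFFFFFFF
[IOPUCONFIG]
IOPUSELECT = 0x000100FF   ; trailing comments are stripped
MPPAVALUE = 0xFFFFFFFF
[IOPUCONFIG]
IOPUSELECT = 0x000600FF
MPPAVALUE = 0xFFFFFFFF
"""

def parse_sections(text):
    """Return [(section, {KEY: int})], keeping repeated section names in order
    (configparser's default strict mode rejects duplicate sections)."""
    sections = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            sections.append((m.group(1).upper(), {}))
        elif "=" in line and sections:
            key, value = (p.strip() for p in line.split("=", 1))
            try:
                sections[-1][1][key.upper()] = int(value, 0)
            except ValueError:
                pass  # non-numeric settings (BootMode=EMIFA, ...) are not decoded here
    return sections

def decode(section, f):
    """Split the select word into the fields named in the INI comments."""
    if section == "MPUCONFIG" and "MPUSELECT" in f:
        sel = f["MPUSELECT"]
        return {"unit": "MPU", "num": (sel >> 8) & 0xFF, "range_num": sel & 0xFF,
                "start": f.get("STARTADDR"), "end": f.get("ENDADDR"), "mppa": f.get("MPPAVALUE")}
    if section == "IOPUCONFIG" and "IOPUSELECT" in f:
        sel = f["IOPUSELECT"]
        num = (sel >> 16) & 0xFF
        return {"unit": "IOPU", "num": num, "mppa_start": (sel >> 8) & 0xFF,
                "mppa_end": sel & 0xFF, "mppa": f.get("MPPAVALUE"),
                "num_in_range": 0 <= num <= 5}  # the INI comment gives 0-5 as valid
    return None

def summarize(text):
    """Decoded MPU/IOPU entries, in file order."""
    return [d for s, f in parse_sections(text) if (d := decode(s, f)) is not None]
```

Run over the full INI, summarize() shows that IOPUSELECT = 0x000600FF decodes to iopuNum 6, outside the 0-5 range the INI comment gives.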