bind image to the device on secure omapl138

Hi,

I have some problems with binding an image to a device on a secure device.

I have a DSP_ubl_ais.bin image, which is burned into NOR flash, and I can call the secure kernel's API to encrypt the CEK struct header, and then write the encrypted CEK struct back to where I just read it from. The NOR flash drivers work well.

After writing the CEK struct back to NOR flash, I power off the device and then power it on, and I can't see any information on the PC terminal.

The following is my ini file:

; *********************** INI ************************
; General settings that can be overwritten in the host code
; that calls the AISGen library.
[General]
; Can be 8 or 16 - used in emifa
busWidth=16

; SPIMASTER,I2CMASTER,EMIFA,NAND,EMAC,UART,PCI,HPI,USB,MMC_SD,VLYNQ,RAW
BootMode=EMIFA

; NO_CRC,SECTION_CRC,SINGLE_CRC
crcCheckType=NO_CRC
; Security settings (keys, options, list of sections to encrypt, etc.)
[Security]
; Security Type: GENERIC, CUSTOM, NONE
securityType=GENERIC

; Boot Exit Type: NONSECURE, SECUREWITHSK
; NONSECURE = Device switches from secure type to non-secure type, jumping to loaded code
; (no secure kernel since no longer secure device).
; SECUREWITHSK = Device remains as secure type, secure kernel is loaded, allowing run-time
; security context switching.

bootExitType = SECUREWITHSK


; Encrypt section list (ALL or comma-separated list of section names)
encryptSections=ALL

; CEK used for AES encryption of data - must be string of 32 hexadecimal characters
; Device uses KEK to encrypt CEK, and then SECURE KEY LOAD command load this CEK, uses to
; decrypt the data by ENCRYPTED SECTION LOAD command
encryptionKey=4A7E1F56AE545D487C452388A65B0C05
;encryptionKey=0123456789abcdeffedcba9876543210
; SHA Algorithm Selection
genericSHASelection = SHA1


; This section allows configuration of one of the system IOPUs.
; The iopuNum field must be valid (0-5) and then mppaStart
; and mppaend fields allow setting a range of mppa MMRs to the
; same supplied mppa value.
; IOPUSELECT: | RSVD | iopuNum| mppaStart | mppaEnd |
; MPPAVALUE: | mppaValue |
[IOPUCONFIG]
IOPUSELECT = 0x000000FF
;MPPAVALUE = 0xFFFFFFFF
MPPAVALUE = 0x80

[AIS_Set]
; Generic AIS set instruction to a reserved register to force a signature check
TYPE=2
ADDRESS=0x01E2C020
DATA=0
SLEEP=0

[IOPUCONFIG]
IOPUSELECT = 0x000100FF
;MPPAVALUE = 0xFFFFFFFF
MPPAVALUE = 0x80


[IOPUCONFIG]
IOPUSELECT = 0x000200FF
;MPPAVALUE = 0xFFFFFFFF
MPPAVALUE = 0x80


[IOPUCONFIG]
IOPUSELECT = 0x000300FF
;MPPAVALUE = 0xFFFFFFFF
MPPAVALUE = 0x80


;This will set all security bits in IOPU6 registers to unlock security
;protection on all IOs protected but will lock the SYCFG registers to
;access only by secure supervisor ROM or secure kernel.
[IOPUCONFIG]
IOPUSELECT = 0x000600FF
MPPAVALUE = 0xFFFFFFFF

;This will set bit 7 of IOPU6 to 0 that will unlock the security protection
;on SYSCFG registers which is ideally what you need to configure PINMUX and
;other system registers.
[IOPUCONFIG]
IOPUSELECT = 0x00060707
MPPAVALUE = 0x00000000

; This section allows setting the MPU1 or MPU2. If the
; rangenum is out of the allowed range then all the ranges
; (including the fixed range) take the start, end, and
; protection values.
; |------24|------16|----------8|----------0|
; MPUSELECT: | RSVD | mpuNum | rangeNum |
; STARTADDR: | startAddr |
; ENDADDR: | endAddr |
; MPPAVALUE: | mppaValue |
[MPUCONFIG]
MPUSELECT = 0x000001FF
STARTADDR = 0x00000000
ENDADDR = 0xFFFFFFFF
MPPAVALUE = 0xFFFFFFFF

I follow the demo's process:

Step 1:

    Uint16   usNorArry[NOR_BLOCK_SIZE];

    magicWord   = (Uint32 *)&usNorArry[2];          // AIS magic number (1 word)
    AISKeyLoad  = (Uint32 *)&usNorArry[4];          // AIS key load command (1 word)
    pUserKey    = (SL_usrKeyStruc *)&usNorArry[6];  // AIS key header (8 words)
    AISExitType = (Uint32 *)&usNorArry[22];         // AIS set exit type (2 words)
    pDutyCmd    = (Uint32 *)&usNorArry[26];         // AIS func command + params (12 words)
    AISSetCmd   = (Uint32 *)&usNorArry[50];         // AIS set command + params (5 words)
    pSigData    = (Uint32 *)&usNorArry[60];         // Signature (16 words)

Step 2:

Create the initialization vector (IV) for the encryption, and then call the secure kernel API SK_setUserKey to encrypt the CEK.

Step 3:

Create the hash of the encrypted header.

At this point, should I update the pDutyCmd data by calling the SHA_update function?

    SHA_update(currHashAlgorithm, &ctx, (Uint8 *) pDutyCmd, sizeof(Uint32) * 12);

Step 4:

Encrypt the digest for the signature.

Step 5:

Write back into NOR flash.

Then I power off the device and power it on again, but nothing is printed to the PC terminal.

  • Hi,

    We are working on this and we will provide an update as soon as possible.

    Thanks & regards,

    Sivaraj K

  • This should have worked, as the steps look right to me. Have you ensured that there is no overlap in your DSP UBL and the secure kernel? After the boot, what do you expect to see on the PC terminal? Have you inserted UART prints to view the log? Can you share the piece of code for us to review? Have you changed the load buffer size in the example to match your AIS image?

    Are you using SHA1 in your source code, as you have specified in the INI file?

    Recommendations:

    1. Try to add the following statement in the INI file to force a signature check:

    [AIS_Set]
    ; Generic AIS set instruction to a reserved register to force a signature check
    TYPE=2
    ADDRESS=0x01E2C020
    DATA=0
    SLEEP=0

    Note: The AIS_set command is 5 bytes, so place the signature data at the appropriate location.

    2. Also, you can try to generate the encrypted key data on the device and then output it back to your PC for generating the new image with the SecureHexAIS tool. Generate the new image directly using the encrypted key, using the options in the INI file, and then you could at least check what hash is generated by the PC and compare it against the one generated by the device in your binding app.

    Regards,

    Rahul
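The buffer layout from step 1 of the question, which also determines where the signature has to sit after the AIS set command, can be checked mechanically. The following is an added example, not code from the thread or from TI: it takes the Uint16 indices and word counts exactly as posted and assumes 2-byte Uint16, 4-byte words, and that each field is meant to start where the previous one ends.

```c
#include <stddef.h>
#include <stdio.h>

/* One header field as mapped onto the Uint16 buffer in the post. */
typedef struct {
    const char *name;
    unsigned idx;    /* index into the Uint16 array (from the post) */
    unsigned words;  /* size in 32-bit words (from the post's comments) */
} ais_field;

static const ais_field layout[] = {
    { "magicWord",    2,  1 },
    { "AISKeyLoad",   4,  1 },
    { "pUserKey",     6,  8 },
    { "AISExitType", 22,  2 },
    { "pDutyCmd",    26, 12 },
    { "AISSetCmd",   50,  5 },
    { "pSigData",    60, 16 },
};
#define N_FIELDS (sizeof layout / sizeof layout[0])

/* Byte offset of the field from the start of the buffer. */
static unsigned field_start(const ais_field *f) { return f->idx * 2u; }

/* Byte offset of the first byte past the field. */
static unsigned field_end(const ais_field *f) { return field_start(f) + f->words * 4u; }

/* Returns 0 when every field is 32-bit aligned and begins exactly where the
 * previous one ends (assumed rule: no gaps, no overlap); otherwise returns
 * the 1-based position of the first field that breaks the rule. */
static int check_layout(const ais_field *f, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (field_start(&f[i]) % 4u != 0) return (int)i + 1;
        if (i > 0 && field_start(&f[i]) != field_end(&f[i - 1])) return (int)i + 1;
    }
    return 0;
}

int main(void) {
    for (size_t i = 0; i < N_FIELDS; i++)
        printf("%-12s bytes 0x%02X..0x%02X\n", layout[i].name,
               field_start(&layout[i]), field_end(&layout[i]) - 1);
    int bad = check_layout(layout, N_FIELDS);
    if (bad) printf("layout breaks at field %d (%s)\n", bad, layout[bad - 1].name);
    else     printf("layout is contiguous and word-aligned\n");
    return bad;
}
```

With the posted indices the fields are contiguous, the AIS set command occupies bytes 0x64..0x77, and the signature starts at byte 0x78.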

     

     


  • Hi Rahul,

     

    Rahul Prabhu said:

    Have you ensured that there is no overlap in your DSP UBL and the secure kernel? After the boot, what do you expect to see on the PC terminal? Have you inserted UART prints to view the log? Can you share the piece of code for us to review? Have you changed the load buffer size in the example to match your AIS image?

    Are you using SHA1 in your source code, as you have specified in the INI file?

    Recommendations:

    1. Try to add the following statement in the INI file to force a signature check:

    [AIS_Set]
    ; Generic AIS set instruction to a reserved register to force a signature check
    TYPE=2
    ADDRESS=0x01E2C020
    DATA=0
    SLEEP=0

    Note: The AIS_set command is 5 bytes, so place the signature data at the appropriate location.

    2. Also, you can try to generate the encrypted key data on the device and then output it back to your PC for generating the new image with the SecureHexAIS tool. Generate the new image directly using the encrypted key, using the options in the INI file, and then you could at least check what hash is generated by the PC and compare it against the one generated by the device in your binding app.


    I have inserted UART prints to view the log, and if it works well, I should see the string "This is DSP CORE UBL printf info:" on the PC terminal.

    I checked the .map file and there is no overlap of memory.

    One more question:

    [AIS_Set]
    ; Generic AIS set instruction to a reserved register to force a signature check
    TYPE=2
    ADDRESS=0x01E2C020
    DATA=0
    SLEEP=0

    Is there any special requirement for the location of these statements, or can they be placed anywhere in the ini file?

    Thanks!