OMAP-L138 Secure Boot

Hi Joe,

I unpacked the tar.gz (What kind of installer doesn't unpack files anyways?) and was able to find the tool, but when using the SecureHexAIS_OMAP-L138.exe with the example ini. I receive an error stating that the program could not find key_hdr_sha256_enc.bin.

I think that "ini" file has embedded with  "key_hdr_sha256_enc.bin" binary's file name.

I don't see it in the ini file. The only lines that mention SHA256 are

; SHA Algorithm Selection
genericSHASelection = SHA256

; Binary file containing secure key header for generic device
genKeyHeaderFileName=key_hdr_sha256_enc.bin

and key_hdr_sha256_enc.bin is not anywhere in the installation directory.

I'm also having trouble with an error: "ERROR: Not a valid object file". Could you provide a dummy AIS file for me to test the application with?

Thanks,

Joe

Thanks,

I'm having trouble in step 1 as I posted above.

Hi Joseph,

Before 1st step , you need to unllock the JTAG.

Have you done that ?

If no, you might have seen the "unlockjtag.ais" file to unlock the JTAG.

If not, create any simple .out and change JTAG settings option in "ini" file then it would unlock the JTAG for next operation.

If you unlock the JTAG successfully, write your encrypted image with unencryoted header into SPI flash through given SPI flash tool.

Then do the rest of the steps as mentioned in earlier replies.

When running the SecureHexAIS command below, I receive an error during processing. See below.

Command: "SecureHexAIS_OMAP-L138 -ini ini_generic\OMAP-L138_generic_secure.ini"

Response:

-----------------------------------------------------
   TI Secure AIS Hex File Generator for OMAP-L138
   (C) 2011, Texas Instruments, Inc.
   Ver. 1.25
-----------------------------------------------------


Creating boot image for a generic secure device.
INFO: Boot exit type has been selected as NONSECURE.
WARNING: Encrypted Key Header data is absent - generating plaintext version.
         The Customer Encryption Key will be transferred in plaintext!
INFO: Current SHA algorithm is SHA256.
Begining the Secure AIS file generation.
AIS file being generated for bootmode: NONE.
Parsing the input object file, OMAPL138-DSP-LED-ARM.out.
Encrypting section .text, since ALL was specified for encryptSections in ini fil
e.
Encrypting section .cinit, since ALL was specified for encryptSections in ini fi
le.
        Signature Hash: 5B-AB-E2-B7-9B-1C-0B-BF-EC-C3-AA-3F-73-46-05-F3-45-C7-30
-8B-34-F8-98-95-3E-27-7F-92-C6-AC-90-56
        Signature Byte Count = 1320
        Signature Hash: 29-01-20-03-DC-FE-25-B6-B0-E3-13-A4-4B-F1-96-EC-C8-13-37
-5E-3C-72-48-45-3A-C9-96-55-CB-0C-DC-63
        Signature Byte Count = 40
        Signature Hash: 35-6D-A7-4D-37-26-3E-38-AE-0B-0C-DA-91-73-68-63-4A-10-3C
-3A-59-3B-0A-76-4F-88-63-53-4A-FC-F5-DF
        Signature Byte Count = 24
        Signature Hash: 44-BA-AD-61-79-77-DC-E8-5E-17-C3-49-91-6F-9E-01-48-9D-10
-AD-11-4B-41-56-72-1E-A6-F4-E6-35-3A-38
        Signature Byte Count = 16
        Signature Hash: 8A-DD-4B-C8-83-56-4A-0F-B3-DB-14-06-79-B5-6D-A3-44-7B-4B
-E8-BB-1A-C1-90-EF-76-CC-0E-0B-8B-52-22
        Signature Byte Count = 16
        Signature Hash: D7-1D-EB-18-0F-32-8E-F9-C3-5B-12-FE-27-B9-FE-C9-59-43-7E
-9F-7C-E9-87-BA-EE-EA-74-B0-CE-A7-D2-E3
        Signature Byte Count = 16
        Signature Hash: B8-13-64-A6-66-78-FC-FE-B8-FA-42-6F-65-63-06-E0-27-34-E0
-A4-BE-59-02-9F-95-3D-45-94-8A-C2-66-C5
        Signature Byte Count = 16
        Signature Hash: 5D-7A-14-49-19-41-A0-56-09-FB-61-D6-1F-1C-B1-62-DC-FD-D9
-58-94-29-81-21-C9-6D-F4-7E-8B-59-09-C0
        Signature Byte Count = 16
        Signature Hash: 12-59-5B-FB-12-5D-D8-72-2B-26-CF-4F-AF-9C-7E-CF-89-04-34
-47-84-E1-C0-EE-E1-AF-45-7E-B9-4F-E0-D4
        Signature Byte Count = 12
   at TI.AISLib.AISGen.SecureGenAIS(AISGen devAISGen, List`1 inputFileNames, Ini
File iniFile)
   at TIBootAndFlash.Program.Main(String[] args)
Object reference not set to an instance of an object.
Unhandled Exception!!! Application will now exit.

I found a work around here: http://e2e.ti.com/support/dsp/omap_applications_processors/f/42/p/318355/1108395.aspx

Any idea as to why the .ini setting did not work?

Also, could you explain step 4 in more detail or point to some documentation?

Thanks,

Joseph

"4) Use secure boot application is the first time boot image that is used to bind the image in the SPI flash to the device specific Key (KEK) on the device. The image reads in the unencrypted header from the flash media encrypts the header and signs the image and writes the image back to the flash."

Any information on this? I'm not sure how to encrypt the header. Does this automatically happen when programming with the GenericSecureUartHost.exe?

Hi Joseph,

What board are you using ?

TI EVM board ?

If it is EVM, it has SPI flash in it and image could be flashed on SPI with unencrypted header , need to encrypt boot header using SPI's 'secureboot" CCS project for the first time and it is called binding.

http://processors.wiki.ti.com/index.php/Basic_Secure_Boot_for_OMAP-L138_C6748

Hi,

We are not currently using secure boot - I am looking into how to implement it before we order secure parts for our custom board - it uses SPI Flash as well. I am not sure how to implement "binding". I could not find this word in any of the documentation. I only found this:

"One additional detail is that after the application development is complete the user needs to add code to bind the image to the device. this process requires the user to add a control statement at the start of his application that will check if the software header is encrypted or not. hence after the first boot the device will check for this information, if the header is not encrypted the device will encrypt the header using the unique device encryption key called (KEK) that is burnt in the efuse of the secure device."

However, it does not specify how to implement, what the "control statement" is that will activate the header encryption, or how to verify this has been done.

Thanks for your help so far.