This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

Need help for C6748 basic secure boot.

Other Parts Discussed in Thread: OMAPL138, OMAP-L138

Hi TI experts:

we built our board based on C6748_LCDK with C6748 E chip on it. I started to do generic security boot. I used the tool from OMAPL138_C6748_Generic_Security-1.0.2-Setup.zip.  First I used 'SecureHexAIS_OMAP-L138' to generate AIS file with .INI file as follows:

 

/********************************************************

; General settings that can be overwritten in the host code ; that calls the AISGen library. [General] ; Can be 8 or 16 - used in emifa busWidth=16           

; SPIMASTER,I2CMASTER,EMIFA,NAND,EMAC,UART,PCI,HPI,USB,MMC_SD,VLYNQ,RAW BootMode=NAND

; 8,16,24 - used for SPI,I2C ;AddrWidth=8         

; NO_CRC,SECTION_CRC,SINGLE_CRC crcCheckType=NO_CRC

; TRUE/ON or FALSE/OFF seqReadEn=ON

; Specify the symbol name for the boot finalize function ;FinalFxnSymbolName=none

; Security settings (keys, options, list of sections to encrypt, etc.) [Security]

; Security Type: GENERIC, CUSTOM, NONE securityType=GENERIC

; Boot Exit Type: NONSECURE, SECUREWITHSK, SECURENOSK ; NONSECURE = Device switches from secure type to non-secure type, jumping to loaded code ;             (no secure kernel since no longer secure device). ; SECUREWITHSK = Device remains as secure type, secure kernel is loaded, allowing run-time ;                security context switching. bootExitType = NONSECURE

; Option to include in the generated key header the flag to force the JTAG off ;genericJTAGForceOff=FALSE

; Encrypt section list (ALL or comma-separated list of section names) encryptSections=ALL

; CEK used for AES encryption of data - must be string of 32 hexadecimal characters encryptionKey=4A7E1F56AE545D487C452388A65B0C05

; Debug key ;keyEncryptionKey=0B94A91D33E597097F6C426F8F016872

; SHA Algorithm Selection genericSHASelection = SHA256

; Binary file containing secure key header for generic device ;genKeyHeaderFileName=key_hdr_sha256_enc.bin

;genKeyHeaderFileName=Specify binary file containing key header for generic devices. If this ;                       is not given, an unencrypted key header is generated from the ;                       genericSHASelection and the encryptionKey.

 

; This section allows setting the PLL0 system clock with a  ; specified multiplier and divider as shown. The clock source ; can also be chosen for internal or external. ;           |------24|------16|-------8|-------0| ; PLL0CFG0: | CLKMODE| PLLM   | PREDIV | POSTDIV| ; PLL0CFG1: | RSVD   | PLLDIV1| PLLDIV3| PLLDIV7| [PLL0CONFIG] PLL0CFG0 = 0x00190102 PLL0CFG1 = 0x00010306

; This section allows setting up the PLL1. Usually this will ; take place as part of the EMIF3a DDR setup. The format of ; the input args is as follows: ;           |------24|------16|-------8|-------0| ; PLL1CFG0: |    PLLM| POSTDIV| PLLDIV1| PLLDIV2| ; PLL1CFG1: |           RSVD           | PLLDIV3| ;[PLL1CONFIG] ;PLL1CFG0 = 0x00000000 ;PLL1CFG1 = 0x00000000

; This section lets us configure the peripheral interface ; of the current booting peripheral (I2C, SPI, or UART). ; Use with caution. The format of the PERIPHCLKCFG field ; is as follows: ; SPI:        |------24|------16|-------8|-------0| ;             |           RSVD           |PRESCALE| ; ; I2C:        |------24|------16|-------8|-------0| ;             |  RSVD  |PRESCALE|  CLKL  |  CLKH  | ; ; UART:       |------24|------16|-------8|-------0| ;             | RSVD   |  OSR   |  DLH   |  DLL   | ;[PERIPHCLKCFG] ;PERIPHCLKCFG = 0x00000000

; This section allow setting the MPU1 or MPU2. If the ; rangenum is out of the allowed range then all the ranges ; (including the fixed range) take the start, end, and ; protection values. ;            |------24|------16|----------8|----------0| ; MPUSELECT: |      RSVD       |   mpuNum  | rangeNum  | ; STARTADDR: |              startAddr                  | ; ENDADDR:   |               endAddr                   | ; MPPAVALUE: |              mppaValue                  | ;[MPUCONFIG] ;MPUSELECT = 0x000001FF ;STARTADDR = 0x00000000 ;ENDADDR   = 0xFFFFFFFF ;MPPAVALUE = 0xFFFFFFFF

 

; This section can be used to configure the PLL1 and the EMIF3a registers ; for starting the DDR2 interface. ; See PLL1CONFIG section for the format of the PLL1CFG fields. ;            |------24|------16|-------8|-------0| ; PLL1CFG0:  |              PLL1CFG              | ; PLL1CFG1:  |              PLL1CFG              | ; DDRPHYC1R: |             DDRPHYC1R             | ; SDCR:      |              SDCR                 | ; SDTIMR:    |              SDTIMR               | ; SDTIMR2:   |              SDTIMR2              | ; SDRCR:     |              SDRCR                | ; CLK2XSRC:  |             CLK2XSRC              | ; my change [EMIF3DDR] PLL1CFG0 = 0x19020102 PLL1CFG1 = 0x00000003 DDRPHYC1R = 0x000000C5 SDCR = 0x00134832 SDTIMR = 0x264A3209 SDTIMR2 = 0x3C14C722 SDRCR = 0x00000492 CLK2XSRC = 0x00000000

; This section allow setting the MPU1 or MPU2. If the ; rangenum is out of the allowed range then all the ranges ; (including the fixed range) take the start, end, and ; protection values. ;            |------24|------16|----------8|----------0| ; MPUSELECT: |      RSVD       |   mpuNum  | rangeNum  | ; STARTADDR: |              startAddr                  | ; ENDADDR:   |               endAddr                   | ; MPPAVALUE: |              mppaValue                  | ; ; This MPU control must happen after the DDR init or else the ; MPU control has no effect ;[MPUCONFIG] ;MPUSELECT = 0x000002FF ;STARTADDR = 0x00000000 ;ENDADDR   = 0xFFFFFFFF ;MPPAVALUE = 0xFFFFFFFF

; This section can be used to configure the EMIFA to use ; CS0 as an SDRAM interface.  The fields required to do this ; are given below. ;                     |------24|------16|-------8|-------0| ; SDBCR:              |               SDBCR               | ; SDTIMR:             |               SDTIMR              | ; SDRSRPDEXIT:        |             SDRSRPDEXIT           | ; SDRCR:              |               SDRCR               | ; DIV4p5_CLK_ENABLE:  |         DIV4p5_CLK_ENABLE         | ;[EMIF25SDRAM] ;SDBCR = 0x00004421 ;SDTIMR = 0x42215810 ;SDRSRPDEXIT = 0x00000009 ;SDRCR = 0x00000410 ;DIV4p5_CLK_ENABLE = 0x00000001

; This section can be used to configure the async chip selects ; of the EMIFA (CS2-CS5).  The fields required to do this ; are given below. ;           |------24|------16|-------8|-------0| ; A1CR:     |                A1CR               | ; A2CR:     |                A2CR               | ; A3CR:     |                A3CR               | ; A4CR:     |                A4CR               | ; NANDFCR:  |              NANDFCR              | ;[EMIF25ASYNC] ;A1CR = 0x00000000 ;A2CR = 0x00000000 ;A3CR = 0x00000000 ;A4CR = 0x00000000 ;NANDFCR = 0x00000000

; This section should be used in place of PLL0CONFIG when ; the I2C, SPI, or UART modes are being used.  This ensures that ; the system PLL and the peripheral's clocks are changed together. ; See PLL0CONFIG section for the format of the PLL0CFG fields. ; See PERIPHCLKCFG section for the format of the CLKCFG field. ;               |------24|------16|-------8|-------0| ; PLL0CFG0:     |              PLL0CFG              | ; PLL0CFG1:     |              PLL0CFG              | ; PERIPHCLKCFG: |              CLKCFG               | ;[PLLANDCLOCKCONFIG] ;PLL0CFG0 = 0x00000000 ;PLL0CFG1 = 0x00000000 ;PERIPHCLKCFG = 0x00000000

; This section should be used to setup the power state of modules ; of the two PSCs.  This section can be included multiple times to ; allow the configuration of any or all of the device modules. ;           |------24|------16|-------8|-------0| ; LPSCCFG:  | PSCNUM | MODULE |   PD   | STATE  | ;[PSCCONFIG] ;LPSCCFG = 0x01030003

; This section allows setting of a single PINMUX register. ; This section can be included multiple times to allow setting ; as many PINMUX registers as needed. ;         |------24|------16|-------8|-------0| ; REGNUM: |              regNum               | ; MASK:   |               mask                | ; VALUE:  |              value                | ;[PINMUX] ;REGNUM = 5 ;MASK = 0x00FF0000 ;VALUE = 0x00880000

; No Params required - simply include this section for the fast boot function to be called ;[FASTBOOT]

; This section allows configuration of one the systme IOPUs. ; The iopuNum field must be valid (0-5) and then mppaStart ; and mppaend fields allow setting a range of mppa MMRs to the ; same supplied mppa value. ; IOPUSELECT: |  RSVD  | iopuNum| mppaStart |  mppaEnd  | ; MPPAVALUE:  |              mppaValue                  | ;[IOPUCONFIG] ;IOPUSELECT = 0x000000FF ;MPPAVALUE  = 0xFFFFFFFF

;[IOPUCONFIG] ;IOPUSELECT = 0x000100FF ;MPPAVALUE  = 0xFFFFFFFF

;[IOPUCONFIG] ;IOPUSELECT = 0x000200FF ;MPPAVALUE  = 0xFFFFFFFF

;[IOPUCONFIG] ;IOPUSELECT = 0x000300FF ;MPPAVALUE  = 0xFFFFFFFF

;[IOPUCONFIG] ;IOPUSELECT = 0x000600FF ;MPPAVALUE  = 0xFFFFFFFF

; This section allow setting the MPU1 or MPU2. If the ; rangenum is out of the allowed range then all the ranges ; (including the fixed range) take the start, end, and ; protection values. ;            |------24|------16|----------8|----------0| ; MPUSELECT: |      RSVD       |   mpuNum  | rangeNum  | ; STARTADDR: |              startAddr                  | ; ENDADDR:   |               endAddr                   | ; MPPAVALUE: |              mppaValue                  | ;[MPUCONFIG] ;MPUSELECT = 0x000001FF ;STARTADDR = 0x00000000 ;ENDADDR   = 0x00000000 ;MPPAVALUE = 0xFFFFFFFF

; This function allows the user to selectively open up the ; the debug TAPs of the device.  Since the function is not ; executed until the signature is checked, it does not ; pose a security issue. ;          |------24|------16|----------8|----------0| ; TAPSCFG: |      RSVD       |       tapscfg         | [TAPSCONFIG] TAPSCFG = 0x0000FFFF

/********************************************************

 

I have USB-UART FT232RQ on the board as in C6748_LCDK, when I tried to use serial port to flashing as did for non-secures,   it has the following issue:

(AIS parse): read magic word 0x41504954

(AIS Parse): Waiting for BOOTME... (power on)

(AIS Parse): BOOTME received!

(AIS Parse): Performing Start-Word Sync...

(AIS Parse): Performing Ping Opcode Sync...

(AIS Parse) :  Processing command 0: 0x58535901

(AIS Parse): Performing Opcode Sync...

(Serial Port): Read error! (The operation has timed out)

(AIS Parse): I/O error in read.

 

Then I tried  JTAG with NANDWriter supplied from TI, it has error in CCS5 as follows:

C674X_0: Error connecting to the target: Connect to PRSC failed

I tried both serial port and JTAG, both can not go through. Could you please help  me what I should do and  what I am missing?

Thanks!

Mike

 

 

  • Hi Mike,

    Have you modified the mDDR/DDR2 timing parameters in ini file ?

    Then I tried  JTAG with NANDWriter supplied from TI, it has error in CCS5 as follows:

    C674X_0: Error connecting to the target: Connect to PRSC failed

    You have to unlock the JTAG through ini.

    First, convert any C6748_LCDK supported program .out to .bin through ini file with JTAG ON option.

    I have used the below ini file for C6748 LCDK secure board and just I replaced with non-secure processor from it.

    [General]
    busWidth=16            
    
    BootMode=NAND
    
    crcCheckType=NO_CRC
    
    seqReadEn=ON
    
    [Security]
    securityType=GENERIC
    ;bootExitType = SECURENOSK
    bootExitType = NONSECURE
    ;bootExitType = SECUREWITHSK
    
    encryptSections=ALL
    
    encryptionKey=4A7E1F56AE545D487C452388A65B0C05
    
    genericSHASelection = SHA256
    
    
    ;           |------24|------16|-------8|-------0|
    ; PLL0CFG0: | CLKMODE| PLLM   | PREDIV | POSTDIV|
    ; PLL0CFG1: | RSVD   | PLLDIV1| PLLDIV3| PLLDIV7|
    
    [PLLANDCLOCKCONFIG]
    PLL0CFG0 = 0x00180001
    PLL0CFG1 = 0x00000B05
    PERIPHCLKCFG = 0x00010064
    
    ;           |------24|------16|-------8|-------0|
    ; PLL1CFG0: |    PLLM| POSTDIV| PLLDIV1| PLLDIV2|
    ; PLL1CFG1: |           RSVD           | PLLDIV3|
    [PLL1CONFIG]
    PLL1CFG0 = 0x18010001
    PLL1CFG1 = 0x00000002
    
    ; This section lets us configure the peripheral interface
    ; of the current booting peripheral (I2C, SPI, or UART).
    ; Use with caution. The format of the PERIPHCLKCFG field 
    ; is as follows:
    ; SPI:        |------24|------16|-------8|-------0|
    ;             |           RSVD           |PRESCALE|
    ;
    ; I2C:        |------24|------16|-------8|-------0|
    ;             |  RSVD  |PRESCALE|  CLKL  |  CLKH  |
    ;
    ; UART:       |------24|------16|-------8|-------0|
    ;             | RSVD   |  OSR   |  DLH   |  DLL   |
    ;[PERIPHCLKCFG]
    ;PERIPHCLKCFG = 0x00000000
    
    
    ; This section allow setting the MPU1 or MPU2. If the 
    ; rangenum is out of the allowed range then all the ranges
    ; (including the fixed range) take the start, end, and 
    ; protection values.
    ;            |------24|------16|----------8|----------0|
    ; MPUSELECT: |      RSVD       |   mpuNum  | rangeNum  |
    ; STARTADDR: |              startAddr                  |
    ; ENDADDR:   |               endAddr                   |
    ; MPPAVALUE: |              mppaValue                  |
    [MPUCONFIG]
    MPUSELECT = 0x000001FF
    STARTADDR = 0x00000000
    ENDADDR   = 0xFFFFFFFF
    MPPAVALUE = 0xFFFFFFFF
    
    
    
    ; This section can be used to configure the PLL1 and the EMIF3a registers
    ; for starting the DDR2 interface. 
    ; See PLL1CONFIG section for the format of the PLL1CFG fields.
    ;            |------24|------16|-------8|-------0|
    ; PLL1CFG0:  |              PLL1CFG              |
    ; PLL1CFG1:  |              PLL1CFG              |
    ; DDRPHYC1R: |             DDRPHYC1R             |
    ; SDCR:      |              SDCR                 |
    ; SDTIMR:    |              SDTIMR               |
    ; SDTIMR2:   |              SDTIMR2              |
    ; SDRCR:     |              SDRCR                |
    ; CLK2XSRC:  |             CLK2XSRC              |
    ;status |= DEVICE_ExternalMemInit(0x000000C5, 0x00134832, 0x264A3209, 0x3C14C722, 0x00000492, 0x00000000);
    ;[EMIF3DDR]
    ;PLL1CFG0 = 0x18010001
    ;PLL1CFG1 = 0x00000002
    ;DDRPHYC1R = 0x000000C4
    ;SDCR = 0x0A034622
    ;SDTIMR = 0x184929C8
    ;SDTIMR2 = 0xB80FC700
    ;SDRCR = 0x00000406
    ;CLK2XSRC = 0x00000000
    
    [EMIF3DDR]
    PLL1CFG0 = 0x18010001
    PLL1CFG1 = 0x00000002
    DDRPHYC1R = 0x000000C5
    SDCR = 0x00134832
    SDTIMR = 0x264A3209
    SDTIMR2 = 0x3C14C722
    SDRCR = 0x00000492
    CLK2XSRC = 0x00000000
    
    
    ; This section allow setting the MPU1 or MPU2. If the 
    ; rangenum is out of the allowed range then all the ranges
    ; (including the fixed range) take the start, end, and 
    ; protection values.
    ;            |------24|------16|----------8|----------0|
    ; MPUSELECT: |      RSVD       |   mpuNum  | rangeNum  |
    ; STARTADDR: |              startAddr                  |
    ; ENDADDR:   |               endAddr                   |
    ; MPPAVALUE: |              mppaValue                  |
    ;
    ; This MPU control must happen after the DDR init or else the
    ; MPU control has no effect
    [MPUCONFIG]
    MPUSELECT = 0x000002FF
    STARTADDR = 0x00000000
    ENDADDR   = 0xFFFFFFFF
    MPPAVALUE = 0xFFFFFFFF
    
    ; This section can be used to configure the EMIFA to use 
    ; CS0 as an SDRAM interface.  The fields required to do this
    ; are given below.
    ;                     |------24|------16|-------8|-------0|
    ; SDBCR:              |               SDBCR               |
    ; SDTIMR:             |               SDTIMR              |
    ; SDRSRPDEXIT:        |             SDRSRPDEXIT           |
    ; SDRCR:              |               SDRCR               |
    ; DIV4p5_CLK_ENABLE:  |         DIV4p5_CLK_ENABLE         |
    ;[EMIF25SDRAM]
    ;SDBCR = 0x00004421
    ;SDTIMR = 0x42215810
    ;SDRSRPDEXIT = 0x00000009
    ;SDRCR = 0x00000410
    ;DIV4p5_CLK_ENABLE = 0x00000001
    
    ; This section can be used to configure the async chip selects
    ; of the EMIFA (CS2-CS5).  The fields required to do this
    ; are given below.
    ;           |------24|------16|-------8|-------0|
    ; A1CR:     |                A1CR               |
    ; A2CR:     |                A2CR               |
    ; A3CR:     |                A3CR               |
    ; A4CR:     |                A4CR               |
    ; NANDFCR:  |              NANDFCR              |
    ;[EMIF25ASYNC]
    ;A1CR = 0x00000000
    ;A2CR = 0x00000000
    ;A3CR = 0x00000000
    ;A4CR = 0x00000000
    ;NANDFCR = 0x00000000
    
    ; This section should be used in place of PLL0CONFIG when
    ; the I2C, SPI, or UART modes are being used.  This ensures that 
    ; the system PLL and the peripheral's clocks are changed together.
    ; See PLL0CONFIG section for the format of the PLL0CFG fields.
    ; See PERIPHCLKCFG section for the format of the CLKCFG field.
    ;               |------24|------16|-------8|-------0|
    ; PLL0CFG0:     |              PLL0CFG              |
    ; PLL0CFG1:     |              PLL0CFG              |
    ; PERIPHCLKCFG: |              CLKCFG               |
    ;[PLLANDCLOCKCONFIG]
    ;PLL0CFG0 = 0x00000000
    ;PLL0CFG1 = 0x00000000
    ;PERIPHCLKCFG = 0x00000000
    
    ; This section should be used to setup the power state of modules
    ; of the two PSCs.  This section can be included multiple times to
    ; allow the configuration of any or all of the device modules.
    ;           |------24|------16|-------8|-------0|
    ; LPSCCFG:  | PSCNUM | MODULE |   PD   | STATE  |
    ;[PSCCONFIG]
    ;LPSCCFG = 0x01030003
    
    ;EMIFA -> NAND
    [PSCCONFIG]
    LPSCCFG = 0x00030003
    
    ;GPIO
    ;[PSCCONFIG]
    ;LPSCCFG = 0x01030003
    
    
    ; This section allows setting of a single PINMUX register.
    ; This section can be included multiple times to allow setting
    ; as many PINMUX registers as needed.
    ;         |------24|------16|-------8|-------0|
    ; REGNUM: |              regNum               |
    ; MASK:   |               mask                |
    ; VALUE:  |              value                |
    ;[PINMUX]
    ;REGNUM = 5
    ;MASK = 0x00FF0000
    ;VALUE = 0x00880000
    
    ; No Params required - simply include this section for the fast boot function to be called
    ;[FASTBOOT]
    
    ; This section allows configuration of one the systme IOPUs.
    ; The iopuNum field must be valid (0-5) and then mppaStart
    ; and mppaend fields allow setting a range of mppa MMRs to the 
    ; same supplied mppa value.
    ; IOPUSELECT: |  RSVD  | iopuNum| mppaStart |  mppaEnd  |
    ; MPPAVALUE:  |              mppaValue                  |
    [IOPUCONFIG]
    IOPUSELECT = 0x000000FF
    MPPAVALUE  = 0xFFFFFFFF
    
    [IOPUCONFIG]
    IOPUSELECT = 0x000100FF
    MPPAVALUE  = 0xFFFFFFFF
    
    [IOPUCONFIG]
    IOPUSELECT = 0x000200FF
    MPPAVALUE  = 0xFFFFFFFF
    
    [IOPUCONFIG]
    IOPUSELECT = 0x000300FF
    MPPAVALUE  = 0xFFFFFFFF
    
    [IOPUCONFIG]
    IOPUSELECT = 0x000600FF
    MPPAVALUE  = 0xFFFFFFFF
    
    [IOPUCONFIG]
    IOPUSELECT = 0x00060707
    MPPAVALUE  = 0x00000000
    
    ; This section allow setting the MPU1 or MPU2. If the 
    ; rangenum is out of the allowed range then all the ranges
    ; (including the fixed range) take the start, end, and 
    ; protection values.
    ;            |------24|------16|----------8|----------0|
    ; MPUSELECT: |      RSVD       |   mpuNum  | rangeNum  |
    ; STARTADDR: |              startAddr                  |
    ; ENDADDR:   |               endAddr                   |
    ; MPPAVALUE: |              mppaValue                  |
    [MPUCONFIG]
    MPUSELECT = 0x000001FF
    STARTADDR = 0x00000000
    ENDADDR   = 0x00000000
    MPPAVALUE = 0xFFFFFFFF
    
    ; This function allows the user to selectively open up the
    ; the debug TAPs of the device.  Since the function is not
    ; executed until the signature is checked, it does not 
    ; pose a security issue.
    ;          |------24|------16|----------8|----------0|
    ; TAPSCFG: |      RSVD       |       tapscfg         |
    [TAPSCONFIG]
    TAPSCFG = 0x0000FFFF

  • Hi Titusrathinaraj Stalin:

    Thanks very much!

    I used your .INI file and command SecureHexAIS_OMAP-L138 generated .bin file, then I used GenericSecureUartHost to flash to my new board with  secure chip. seems flash works, but when I switch to nand boot, application does not work.

    (File IO): Read 53552 bytes from file C:\OMAPL138_C6748_Generic_Security\OMAP-L138_Secure_FlashAndBootUtils_trunk\OMAP-L138_Secure\GNU\AISUtils\mcaspPlayBk.bin.

    (Serial Port): Opening COM8 at 115200 baud...

    (AIS Parse): Read magic word 0x41504954.

    (AIS Parse): Waiting for BOOTME... (power on or reset target now)

    (AIS Parse): BOOTME received!

    (AIS Parse): Performing Start-Word Sync...

    (AIS Parse): Performing Ping Opcode Sync...

    (AIS Parse): Processing command 0: 0x58535920.

    (AIS Parse): Performing Opcode Sync...

    (AIS Parse): Secure key loading, entering secure mode.

    (AIS Parse): Processing command 1: 0x58535923.

    (AIS Parse): Performing Opcode Sync...

    (AIS Parse): Setting boot exit mode...

    (AIS Parse): Set exit mode to 0x00000000.

    (AIS Parse): Processing command 2: 0x5853590D.

    (AIS Parse): Performing Opcode Sync...

    (AIS Parse): Executing function...

    (AIS Parse): Secure mode; sending signature.

    (AIS Parse): Processing command 3: 0x5853590D.

    (AIS Parse): Performing Opcode Sync...

    (AIS Parse): Executing function...

    (AIS Parse): Secure mode; sending signature.

    (AIS Parse): Processing command 4: 0x5853590D.

    (AIS Parse): Performing Opcode Sync...

    (AIS Parse): Executing function...

    (AIS Parse): Secure mode; sending signature.

    (AIS Parse): Processing command 5: 0x5853590D.

    (AIS Parse): Performing Opcode Sync...

    (AIS Parse): Executing function...

    (AIS Parse): Secure mode; sending signature.

    (AIS Parse): Processing command 6: 0x5853590D.

    (AIS Parse): Performing Opcode Sync...

    (AIS Parse): Executing function...

    (AIS Parse): Secure mode; sending signature.

    (AIS Parse): Processing command 7: 0x5853590D.

    (AIS Parse): Performing Opcode Sync...

    (AIS Parse): Executing function...

    (AIS Parse): Secure mode; sending signature.

    (AIS Parse): Processing command 8: 0x5853590D.

    (AIS Parse): Performing Opcode Sync...

    (AIS Parse): Executing function...

    (AIS Parse): Secure mode; sending signature.

    (AIS Parse): Processing command 9: 0x5853590D.

    (AIS Parse): Performing Opcode Sync...

    (AIS Parse): Executing function...

    (AIS Parse): Secure mode; sending signature.

    (AIS Parse): Processing command 10: 0x5853590D.

    (AIS Parse): Performing Opcode Sync...

    (AIS Parse): Executing function...

    (AIS Parse): Secure mode; sending signature.

    (AIS Parse): Processing command 11: 0x5853590D.

    (AIS Parse): Performing Opcode Sync...

    (AIS Parse): Executing function...

    (AIS Parse): Secure mode; sending signature.

    (AIS Parse): Processing command 12: 0x5853590D.

    (AIS Parse): Performing Opcode Sync...

    (AIS Parse): Executing function...

    (AIS Parse): Secure mode; sending signature.

    (AIS Parse): Processing command 13: 0x5853590D.

    (AIS Parse): Performing Opcode Sync...

    (AIS Parse): Executing function...

    (AIS Parse): Secure mode; sending signature.

    (AIS Parse): Processing command 14: 0x5853590D.

    (AIS Parse): Performing Opcode Sync...

    (AIS Parse): Executing function...

    (AIS Parse): Secure mode; sending signature.

    (AIS Parse): Processing command 15: 0x5853590D.

    (AIS Parse): Performing Opcode Sync...

    (AIS Parse): Executing function...

    (AIS Parse): Secure mode; sending signature.

    (AIS Parse): Processing command 16: 0x58535921.

    (AIS Parse): Performing Opcode Sync...

    (AIS Parse): Loading encoded section...

    (AIS Parse): Loaded 43168-Byte section to address 0xC0010000.

    (AIS Parse): Processing command 17: 0x58535921.

    (AIS Parse): Performing Opcode Sync...

    (AIS Parse): Loading encoded section...

    (AIS Parse): Loaded 2720-Byte section to address 0xC00237E0.

    (AIS Parse): Processing command 18: 0x58535921.

    (AIS Parse): Performing Opcode Sync...

    (AIS Parse): Loading encoded section...

    (AIS Parse): Loaded 1356-Byte section to address 0xC0024280.

    (AIS Parse): Processing command 19: 0x58535921.

    (AIS Parse): Performing Opcode Sync...

    (AIS Parse): Loading encoded section...

    (AIS Parse): Loaded 128-Byte section to address 0xC0024C00.

    (AIS Parse): Processing command 20: 0x58535921.

    (AIS Parse): Performing Opcode Sync...

    (AIS Parse): Loading encoded section...

    (AIS Parse): Loaded 5316-Byte section to address 0xC0024C80.

    (AIS Parse): Processing command 21: 0x58535906.

    (AIS Parse): Performing Opcode Sync...

    (AIS Parse): Performing jump and close...

    (AIS Parse): Secure mode; sending signature.

    (AIS Parse): AIS complete. Jump to address 0xC0024C00.

    (AIS Parse): Waiting for DONE...

    (AIS Parse): Boot completed successfully.

    (Serial Port): Closing COM8.

    Then I tried  JTAG with NANDWriter supplied from TI, it has error in CCS5 as follows:

    C674X_0: Error connecting to the target: Connect to PRSC failed.  I think in your .INI file, the TAP is open up?

    Please advice. Thanks so much!

    MIke

  • Hi Titusrathinaraj Stalin:

    I developed audio processing application on C6748 LCDK. the application works on C6748 LCDK for both  serial port flash and JTAG flash. we built new board Based on C6748 LCDK with secure chip (C6748E).

    First I used   'SecureHexAIS_OMAP-L138' convert .out file to .bin with .INI file you sent to me,  and then use 'GenericSecureUartHost' to flash the NAND ROM.  it seems working based the showing message:

    .....

    (AIS Parse): Processing command 21: 0x58535906.

    (AIS Parse): Performing Opcode Sync...

    (AIS Parse): Performing jump and close...

    (AIS Parse): Secure mode; sending signature.

    (AIS Parse): AIS complete. Jump to address 0xC0024C00.

    (AIS Parse): Waiting for DONE...

    (AIS Parse): Boot completed successfully

    However, I switch to NAND boot on boot switch, it does not work.

    In the .INI file, there is

    [EMIF3DDR]
    PLL1CFG0 = 0x18010001
    PLL1CFG1 = 0x00000002
    DDRPHYC1R = 0x000000C5
    SDCR = 0x00134832
    SDTIMR = 0x264A3209
    SDTIMR2 = 0x3C14C722
    SDRCR = 0x00000492
    CLK2XSRC = 0x00000000

    are these mDDR/DDR2 timeing parameter setting, is that right?

    [TAPSCONFIG]
    TAPSCFG = 0x0000FFFF

    is this unlock the JTAG through  .INI, right?

    Then I tried  JTAG with NANDWriter supplied from TI, it has error in CCS5 as follows:

    C674X_0: Error connecting to the target: Connect to PRSC failed.

    Is this my AIS file wrong or hardware wrong?

    I need your help ASAP. Thanks so much.

    Mike

     

  • Hi Mike,

    is this unlock the JTAG through  .INI, right?

    Yes.

    However, I switch to NAND boot on boot switch, it does not work.

    For secure boot,

    You have to flash the AIS converted binary with CEK key into NAND/NOR/SPI flash and then you have to read back the binary from NAND and encrypt the headers through binding process.

    http://processors.wiki.ti.com/index.php/Basic_Secure_Boot_for_OMAP-L138_C6748

    are these mDDR/DDR2 timeing parameter setting, is that right?

    I'm using this ini for my LCDK board which has DDR2.

    What is your memory ?

    You can change this parameter as per your DDR2/mDDR data sheet spec.

    Then I tried  JTAG with NANDWriter supplied from TI, it has error in CCS5 as follows:

    C674X_0: Error connecting to the target: Connect to PRSC failed.

    Is this my AIS file wrong or hardware wrong?

    I'm also surprising that it is not able to connect even though we opened the TAP of JTAG.

    Have you tried anytime to load any DSP app into secure processor through JTAG with converted AIS (ini) ?

    You can try to load LED or UART example program into secure DSP.

    I've loaded the DSP LED program into secure C6748 processor through "UART BOOT HOST" utility.

    What board are you using ?

    Is that custom board or LCDK board ?

  • Hi Titus:

    (1) I use the custom board that is the same as C6748 LCDK but with secure chip C6748 on it,  which has DDR2,  and NAND flash MT29F1G08ABCHC:C.

    (2) 

    'You have to flash the AIS converted binary with CEK key into NAND/NOR/SPI flash and then you have to read back the binary from NAND and encrypt the headers through binding process.'

    What is binding process, can you show an example.

    I think that  using 'SecureHexAIS_OMAP-L138' convert .out file to .bin with .INI file you sent to me,  and then use 'GenericSecureUartHost' to flash the NAND ROM, then switch to NAND boot, and power recycle. That should work.  but it is not for my case.

    Could I talk with you through phone, could you give me your phone number?

    Thanks so much!

    Mike

     

  • Hi Titus:

    I need your help to guide through 'bind the application image to device'. my appplication is pure non-DSP/BIOS
    application
    .

    First, I create secure AIS with SecureHexAIS_OMAP-L138.exe.  then I used GenericSecureUartHost.exe to boot that AIS file, and it seemed completed
    successfully. However, the application does not operate. When I put boot switch to 'NAND boot', there is nothing happening, look like no boot image in it.

    Your help are very appreciated.

    Mike

  • Hi Mike,

    Have you referred the secure wiki page completely?

    processors.wiki.ti.com/index.php/Basic_Secure_Boot_for_OMAP-L138_C6748#How_to_convert_application_image_file_into_secure_boot_image.3F

    Create Secure boot image use test application:
    ==============================================

    Use secure HexAIS image creation tool to convert test application to an encrypted image with unencrypted header.
    SecureHexAIS_OMAP-L138.exe -ini test.ini -otype binary -o test.ais test.out
    Use INI file from the C6748 EVM example and comment out the mDDR configuration. The INI file has a dummy CEK value defined, you can continue to use the same 128 bit key for your example.
    Now you have a CEK encrypted boot image with an unencrypted boot header that has the CEK exposed.
    Look at the binary file generated, the file should have a header that matched the following structure shown in Section 3.2.3.1 of the omapl138 secure user guide.

    Flash the Secure image to secure C6748 LCDK:
    ==============================================

    Build CCS project for NANDWriter provided under OMAPL138 Serial Flashing and boot utilities under the path OMAP-L138\CCS in the package. LCDK uses 16 bit NAND flash make the following change:
    Comment out the line  #define NANDWIDTH_8
    and Add the line #define NANDWIDTH_16
    Now use the GenericSecureUartHost.exe with unlockjtag.ais image to unlock the JTAGs on the secure part.  After connecting to the target laod and run the NANDWriter and flash the test.ais boot image to flash.

    For secure booting from NAND flash,

    You need to proceed the binding process which converts unencrypted secure header to secure encrypted headers for boot purpose.

    You can also simply boot the secure image through UART HOST utility.

  • Hi Titus:

    I very appreciate your help!!

    I have an encrypted image with unencrypted header,  boot the image using 'GenericSecureUartHost.exe', it works.

    I use NANDWriter to flash the image to  NAND ROM, then switch boot switch to 'NAND boot' , it works, too. 

    Now, the image has unencrypted secure header, would you please advise how  binding the application image to the device for secure booting from NAND flash?  I searched in TI E2E, and read the link you pointed to, I can not figure out how, what commands should embed into my application program?

    My project just needs  generic secured boot,   not require run-time secure.

    Thanks!

    Mike

     

  • Hi Mike,

    You can see the binding examples (app_spi_flash) in secure collateral's but it supports SPI flash.

    You need to add NAND flash support to read and write the AIS image from NAND.

    Just import the SPI binding examples and change it for NAND flash.

  • Hi  Titus:

    Thanks!  Where can I get app_spi_flash binding example? please point me the location or send me a copy.  And give me an instruction how to adapt to NAND flash.

    I look forward to getting your response.

    Mike

  • Hi Titus:

    I looked at TI E2E to search secure boot topic.  several posts changed to sideline talk for secure reason. I can not find 'security_collateral_update.zip'  and  sfh_sec_OMAP-L138.exe and  ''app_spi_flash" binding example.

    Please give advice and help!

    Mike

  • Hi Mike,

    Yes, you are right.

    I've given friend request to you, please accept.

    Then I will send you the security source code over private chat.

  • Hi Titus:

    I very appreciate your help!

    Regards,

    Mike

  • Hi Titus:

    I got your friend invitation, Thanks so much.  we are closing this thread.

    Mike

  • Hi Mike,

    Yes. We can discuss in private chat for security related questions and I'm from INDIA IST +5.30 so, my response may get delay.

  • Hi Mike,

    The following steps we follow to boot the board in secure state.

    1) First we need to write/create one DSP app, could be LED blink or what ever app.

    2) Need to converted to binary format through SECURE HEX AIS tool.

    Ex:

    SecureHexAIS_OMAP-L138.exe -ini Test_uart.ini -o type binary -o Test.bin Test.out

    Please note that "Test_uart.ini " should have mentioned "Exit type" as NONSECURE

    Ex:

    bootExitType = NONSECURE

    Test.bin -> It is the secure image with unencrypted header.

    3) Need to write converted binary to NAND flash through NAND writer tool.

    4) Need to port/change the secure SPI boot (binding code) code to support NAND flash.

    5) Need to convert the secure boot code to binary through SECURE HEX AIS tool.

    Ex:

    SecureHexAIS_OMAP-L138.exe -ini secureboot.ini  -otype  binary -o secureboot_nand.ais Secure_boot.out

    Please note that "secureboot.ini " should have mentioned "Exit type" as SECUREWITHSK

    Ex:

    bootExitType = SECUREWITHSK

    6) Need to run the "secureboot_nand.ais" through "GenericSecureUartHost" tool to encrypt the header of the Test binary which is written into NAND flash through the secure boot example code.

    7) Secure boot example code would read the binary (which is in unencrypted state) and encrypt it & write back to the NAND flash to boot the board in secure state after next reboot with NAND boot switch settings.

  • Hi Titus!

    Thanks very much for the help!  I am trying.

    Regards,

    Mike

     

  • Hey Mike,

    did you find the app_spi_flash binding example, could you send me a link?

    Thanks,

    Roee

  • Hi Titusrathinaraj Stalin,

    When do we use NONSECURE and when do we use SECUREWITHSK?
    The ini file says:
    ; NONSECURE = Device switches from secure type to non-secure type, jumping to loaded code
    ; (no secure kernel since no longer secure device).
    ; SECUREWITHSK = Device remains as secure type, secure kernel is loaded, allowing run-time
    ; security context switching.
    ; SECURENOSK = Device remains as secure type, secure kernel is NOT loaded, no run-time
    ; security context switching available.
    But I'm haven't fully understood.
    When I need to do KEY encription with Secure Kernal API, I need to set SECUREWITHSK.
    But when do I need to set NONSECURE? Can I just always set SECUREWITHSK?
    And when do we set SECURENOSK?

    Thank you.
    Frank
  • Please do not follow up the old question.
    I request you to create a new post or follow up with your post which I splitted from other post.
    e2e.ti.com/.../546674