[FAQ] J721S2XSOMXEVM: How to generate keyring data blob?

Part Number: J721S2XSOMXEVM

Tool/software:

As per the TISCI documentation, it supports keyring functionality, which helps import additional keys that can be further used to authenticate images. Generating a keyring blob involves a lot of complex steps; do we have any reference tool to generate the keyring blob?

  • KEY RING TOOL
    =============

    OVERVIEW
    --------
    The Key Ring Tool helps generate secure key ring blobs. It creates a structured keyring with both asymmetric and symmetric keys that can be used for firmware authentication.

    PREREQUISITES
    ------------
    - Python 3
    - OpenSSL command-line tools
    - xxd utility (for binary to header conversion)

    INSTALLATION
    -----------
    1. Extract the key_ring.zip file to your preferred directory
    2. Ensure you have Python 3 installed on your system

    USAGE
    -----
    Run the main script:

    python3 main.py

    Follow the interactive prompts:

    - Specify the number of key blocks (1-6)
    - For each key block:
      - Choose key type (1 for symmetric, 0 for asymmetric)
      - Assign a unique key ID (1-6)
      - Configure if the key is used for firmware authentication (0/1)
      - Configure if the key is used for debug authentication (0/1)
      - Set additional parameters as prompted

    The script will:

    - Generate a JSON configuration file
    - Create necessary key pairs using OpenSSL
    - Convert the JSON configuration to a binary format
    - Generate an X.509 certificate using the x509CertificateGen.sh script
    - Create the final keyring_blob.bin and keyring_blob.h files

    All output files will be placed in the build/ directory

    OUTPUT FILES
    -----------
    The tool generates the following files in the build/ directory:

    - keyring_data.bin: Binary representation of the key ring data
    - keyring_blob.bin: Final key ring blob with X.509 certificate
    - keyring_blob.h: C header file containing the key ring data
    - private_key_*.pem: Private keys (keep these secure!)
    - public_key_*.pem: Public keys

    INTEGRATION WITH SBL
    -------------------
    To test the generated key ring with SBL (Secondary Boot Loader):

    1. Apply the provided patch:

    patch -p1 < 0001-ADD-test-case-for-keyring.patch

    2. Include the generated keyring_blob.h in your SBL project

    HOW IT WORKS
    -----------
    The tool uses a multi-step process:

    1. gen_json.py creates a JSON configuration based on user input
    2. Key pairs are generated using OpenSSL
    3. json_to_c.py converts the JSON to C-compatible structures
    4. x509CertificateGen.sh creates an X.509 certificate for the key ring
    5. The final blob is formatted and output as both binary and C header files

    IMPORTANT NOTES
    --------------
    - This is a reference tool and not intended for production use
    - Generated keys should be properly secured
    - For production systems, proper key management procedures should be implemented

    TOOL: key_ring.zip

    SBL Reference Patch: https://e2e.ti.com/cfs-file/__key/communityserver-discussions-components-files/791/0001_2D00_ADD_2D00_test_2D00_case_2D00_for_2D00_keyring.patch

    Output Logs:

    SBL Revision: 01.00.10.01 (Aug 28 2025 - 14:39:26)
    TIFS  ver: 10.1.6--v10.01.06 (Fiery Fox)
    Sciclient_importkey... PASSED

     

    SIGN FIRMWARE WITH KEYRING IMPORTED KEYS
    -----------

    1. Apply the changes to x509CertificateGen.sh to add support for the keyring extension. Refer to the patch below for the same.

    File: https://e2e.ti.com/cfs-file/__key/communityserver-discussions-components-files/791/0002_2D00_Add_2D00_keyring_2D00_node_2D00_information_2D00_to_2D00_X.509_2D00_certificate.patch

    2. Build the unsigned application.

    3. Sign the app image with the key ID you want to authenticate the image with. Also, make sure you are using the corresponding private key to sign the application.

    Example:
    ```bash
    ./x509CertificateGen.sh -b input.bin -o output.bin -c R5 -l 0x41C00100 -k private_key -A 1 [other options]
    ```

    Where:

    • -A 1: Specifies to use key ID 1 from the keyring for authentication
    • -E <id>: Can be used to specify an encryption key ID (not yet supported)
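
The answer above says to sign with the private key that corresponds to the chosen key ID and to keep private_key_*.pem secure. As an added example (not part of the TI tool or the original post), this check confirms that each private key in build/ is owner-only and matches its public key file. The function names are illustrative, and it assumes the `*` suffix is shared by the two files of a pair.

```bash
# Added example, not TI's tool. Assumption: the "*" in private_key_*.pem and
# public_key_*.pem is the same suffix for the two files of one key pair.

# Print the PEM public key held in ($2=pub) or derived from ($2=priv) file $1.
pubkey_of() {
    if [ "$2" = priv ]; then
        openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null
    else
        openssl pkey -pubin -in "$1" -pubout 2>/dev/null
    fi
}

# Check every private_key_*.pem in $1 (default: build); 0 only if all pairs are consistent.
check_keyring_keys() {
    local dir="${1:-build}" priv pub id derived stored bad=0 found=0
    for priv in "$dir"/private_key_*.pem; do
        [ -e "$priv" ] || continue; found=1
        id=${priv##*/private_key_}; id=${id%.pem}
        pub=$dir/public_key_$id.pem
        # Characters 5-10 of the ls mode string are the group/other bits.
        if [ "$(ls -ld "$priv" | cut -c5-10)" != "------" ]; then
            echo "PERMS $id: private key accessible beyond its owner"; bad=1
        fi
        derived=$(pubkey_of "$priv" priv) || { echo "UNREADABLE $id: $priv"; bad=1; continue; }
        stored=$(pubkey_of "$pub" pub) || { echo "UNREADABLE $id: $pub"; bad=1; continue; }
        if [ "$derived" = "$stored" ]; then
            echo "OK $id"
        else
            echo "MISMATCH $id: $pub does not belong to $priv"; bad=1
        fi
    done
    [ "$found" -eq 1 ] || { echo "no private_key_*.pem in $dir"; return 2; }
    return "$bad"
}

# Constructed sample: two throwaway EC key pairs, second public key swapped.
make_sample_dir() {
    local d i; d=$(mktemp -d) || return 1
    for i in 1 2; do
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
            -out "$d/private_key_$i.pem" 2>/dev/null || return 1
        chmod 600 "$d/private_key_$i.pem"
        openssl pkey -in "$d/private_key_$i.pem" -pubout -out "$d/public_key_$i.pem"
    done
    cp "$d/public_key_1.pem" "$d/public_key_2.pem"   # deliberate mismatch
    echo "$d"
}

if sample=$(make_sample_dir); then check_keyring_keys "$sample" || true; rm -rf "$sample"; fi
```

After the tool finishes, call `check_keyring_keys build` and sign only with key IDs reported as OK.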

     


     

  • The GUI tool built on top of the Python script attached in the above response can be used.

    Tool:
     KeyringGenerator-v4.0-linux-x86_64.tar.gz

    Steps:

    1. Untar the file
    2. Run ./KeyringGenerator

    Read INSTALL.txt, included in the tar, for more details. For more details on the tool, click on the "Help" tab after launching the tool.

    Note - This is a reference tool and not intended for production use