• State TI Thinks Resolved
  • Locked Locked
  • Replies 5 replies
  • Answers 2 answers
  • Subscribers 31 subscribers
  • Views 685 views
  • Users 0 members are here
Support feedback
Options
Options
Related

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

Original question:

AM2432: OTP Keywriter: AM243x ALV Package

AM2432: HS Device: Requirements for running software

Robin Bross
Prodigy 233 points
Part Number: AM2432


Dear TI Experts,

I managed to create a HS Device using the OTP Keywriter.

The dummy keys were used during this process, so from my understanding I should be able to run a hs_fs image on my board without additional steps. 

I also tried to adapt the "deviceconfig.mak" script in the SDK by selecting "HS" device. This caused the build process to produce a tiimage marked with "hs" instead of "hs_fs". 
Should I use this file? 

Here is the parsed socid information that I receive from the ROM BL:

-----------------------
SoC ID Header Info:
-----------------------
NumBlocks : 2
-----------------------
SoC ID Public ROM Info:
-----------------------
SubBlockId : 1
SubBlockSize : 26
DeviceName : am64x
DeviceType : HSSE
DMSC ROM Version : [0, 2, 0, 0]
R5 ROM Version : [0, 2, 0, 0]
-----------------------
SoC ID Secure ROM Info:
-----------------------
Sec SubBlockId : 2
Sec SubBlockSize : 166
Sec Prime : 0
Sec Key Revision : 1
Sec Key Count : 2
Sec TI MPK Hash : b018658ad99dc903c8c9bfb27b12751099920a042ad1dfea7b7ba57369f15546de285edde6a7b39a8bdc40a27b237f8fb1e57f245e80b929c1e28b024aa2ecc6
Sec Cust MPK Hash : 1f6002b07cd9b0b7c47d9ca8d1aae57b8e8784a12f636b2b760d7d98a18f189760dfd0f23e2b0cb10ec7edc7c6edac3d9bdfefe0eddc3fff7fe9ad875195527d
Sec Unique ID : c4c73513e945cce9469cf3ef891b36852b3233b1574a6b30a71cf988efa2bb93

Thanks in advance for your support.

Best Regards
Robin

  • 0
    TI__Mastermind 26145 points

    Hi ,

    The hs_fs stands for High Security (Field Security) and hs stands for High Security (Security Enforced) or HS-SE. You should be using hs images instead of hs_fs images as the device being used is a HS-SE device.

    Hope that helps.

    Best Regards,
    Aakash

  • 0 in reply to Aakash Kedia
    Prodigy 233 points

    Hello Aakash,

    thank you for your response.
    I tried running the HS image flashwriter, but I was no successfull so far. 

    Are there additional steps needed than changing the device type inside the deviceconfig.mak file? 

    # Device type (HS/GP)
    DEVICE_TYPE?=HS

    Is there a way to verify if my image was signed with the ceritficates I expect?


    What is the difference between the hs_fs image and the hs image from a technical point of view?
    To my understanding the only difference is, that now the tiimage is verified against the custom key that was written by the OTP Keywriter. 

    Thanks and best regards

    Robin

  • 0 in reply to Robin Bross
    TI__Mastermind 26145 points

    Hi Robin,

    Robin Bross said:
    Are there additional steps needed than changing the device type inside the deviceconfig.mak file?

    This should be good enough.

    Robin Bross said:
    Is there a way to verify if my image was signed with the ceritficates I expect?

    There are two types of signing, SBL image signing and Application image signing.

    You can use something similar to verify the same - https://linuxctl.com/2017/02/x509-certificate-manual-signature-verification/

    Remember this is a self signed certificate.

    Robin Bross said:
    What is the difference between the hs_fs image and the hs image from a technical point of view?

    hs_fs image (for SBL) is a signed x509 image where key is Degenerate Key.
    hs image is a signed x509 image where key is MPK key.

    So your understanding for the same is correct. Are you able to run sbl null image ?

    Try loading the image which is working for me (signed via TI dummy keys)

    /cfs-file/__key/communityserver-discussions-components-files/908/sbl_5F00_null.debug.hs.tiimage

    You can load it via XMODEM through Tera Term/Linux Utility and see if this is working for you or not.

    Hope this helps.

    Best Regards,
    Aakash

  • 0 in reply to Aakash Kedia
    Prodigy 233 points

    Thanks for answering my questions.

    I tried to run you sbl null image, it seems not to work as I still receive the "C" from the ROM BL.
    I transferred it using the the python UART flashwriter script by selecting the null sbl as flashwriter. 
    Additionally I transferred it using using Tera Term with the same result.

    I'm quite sure I used the TI Dummy Keys when writing them.

    Do you have any additonal idea what I can try or where I might miss a step? 

    Thanks and best regards

    Robin

  • 0 in reply to Robin Bross
    TI__Mastermind 26145 points

    Hi Robin,

    I rechecked. The device is a Non-Prime device. This means that the sys-fw is signed by customer MPK as well as TI keys. The TI keys used for the 08.04 release was PG1. The support for PG2 keys will be part of 08.05 release which is scheduled this month.

    This is why it is working for a PG1 setup and not on your PG2 setup.

    Though I rechecked the Cust MPK hash matches so the keys are correctly programmed, but you cannot use the device without the updated sys-fw. Incase you are blocked on this, send out an email at a-kedia@ti.com

    Hope this helps.

    Best Regards,
    Aakash