• State Resolved
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 6 replies
  • Answers 2 answers
  • Subscribers 31 subscribers
  • Views 348 views
  • Users 0 members are here
Support feedback
Options
Options
Similar topics

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

AM2432: OTP Keywriter in AM2432B ALV package

Teja Poorna
Prodigy 115 points
Part Number: AM2432
Other Parts Discussed in Thread: UNIFLASH

Hello TI,

We are using AM2432B chip for the project. To meet security, we decided to use the OTP keywriter.

I have converted the HS-FS device to the HSSE using the OTP Keywriter as shown below.

In order to test, I tried to flash the sbl_null image to the chip using the following procedure

- In devconfig.mak, we changed the following line

# Device type (HS/GP)
DEVICE_TYPE?=HS

and Now we were able to generate the sbl_null.debug.hs.tiimage for am243x-evm.

- we flashed the generated null bootloader image to the board, but the board still displays "CCC" and not booting up. 

Could you please let me know,

-> the correct procedure on how to generate a null bootloader with *.hs.tiimage?

-> How can we build a hs application to run on the board?

If you have an example project, that would be great for the test puprose.

Thanks & Regards

Teja

  • 0
    TI__Mastermind 25945 points

    Hi Teja,

    Teja Poorna said:
    - we flashed the generated null bootloader image to the board, but the board still displays "CCC" and not booting up. 

    How are you flashing the image ? If you are using uart_uniflash/dfu_uniflash then you need to create hs.tiimage for the respective bootloaders as well.

    Teja Poorna said:
    -> the correct procedure on how to generate a null bootloader with *.hs.tiimage?

    Did you use the "dummy keys" delivered as a part of OTP Key Writer package ? SDK contains the same "dummy keys" to demonstrate the authentication and encryption feature. If yes, then it should work for you too.

    Teja Poorna said:
    -> How can we build a hs application to run on the board?

    You can rebuild your application, as the device is set as "HS", it will generate hs.appimage as well which you can flash on the device.

    Best Regards,
    Aakash

  • 0 in reply to Aakash Kedia
    Prodigy 115 points

    Hi Aakash,

    Thanks for the reply. we created hs.tiimage of uart_uniflash and it is working.

    Now, we would like to use our own customer keys. For this case, I need change the keys in the following folder

    Firstly -- mcu_plus_sdk_am64x_08_04_00_17\source\security\tifs\sbl_keywriter\scripts\cert_gen\keys_devel\am64x\customkey.pem

    This will generate a "final_certificate.bin", then we use python command to generate the "keycert.h" and finally build the project to generate "tiboot3.bin" file to flash to the primary boot.

    Secondly, place custom key in folder "mcu_plus_sdk_am64x_08_04_00_17\tools\boot\signing\customkey.pem" and change the "devconfig.mak" file to point to the customkey.pem. But what is the replacement for the "custMek_am64x_am243x.txt" that is used in the devconfig.mak?

    Do we also need to enable the "Encryption option for application", as the default option from sdk is set to no as shown below

    # Device type (HS/GP)
    DEVICE_TYPE?=HS

    # Path to the signing tools, keys etc
    SIGNING_TOOL_PATH=$(MCU_PLUS_SDK_PATH)/tools/boot/signing

    # Path to the keys
    ROM_DEGENERATE_KEY:=$(SIGNING_TOOL_PATH)/rom_degenerateKey.pem
    ifeq ($(DEVICE),am263x)
        CUST_MPK=$(SIGNING_TOOL_PATH)/mcu_custMpk.pem
    else ifeq ($(DEVICE),am273x)
        CUST_MPK=$(SIGNING_TOOL_PATH)/mcu_custMpk.pem
    else ifeq ($(DEVICE),awr294x)
        CUST_MPK=$(SIGNING_TOOL_PATH)/mcu_custMpk.pem
    else
        CUST_MPK=$(SIGNING_TOOL_PATH)/custMpk_am64x_am243x.pem
        CUST_MEK=$(SIGNING_TOOL_PATH)/custMek_am64x_am243x.txt
    endif

    # Encryption option for application (yes/no)
    ENC_ENABLED?=no

    # Encryption option for SBL (yes/no)
    ENC_SBL_ENABLED?=yes

    # Debug Enable (yes/no)
    DBG_ENABLED?=no

    # Debug control with TIFS (yes/no)
    DEBUG_TIFS?=yes

    # Debug options for HS (DBG_PERM_DISABLE / DBG_SOC_DEFAULT / DBG_PUBLIC_ENABLE / DBG_FULL_ENABLE)
    # This option is valid only if DEBUG_TIFS is false
    DEBUG_OPTION?=DBG_SOC_DEFAULT

    # Generic macros to be used depending on the device type
    APP_SIGNING_KEY=
    APP_ENCRYPTION_KEY=

    ifeq ($(DEVICE_TYPE),HS)
        APP_SIGNING_KEY=$(CUST_MPK)
        APP_ENCRYPTION_KEY=$(CUST_MEK)
    else
        APP_SIGNING_KEY=$(ROM_DEGENERATE_KEY)
    endif

    Please let me know.

    Thanks & Regards

    Teja

  • 0 in reply to Teja Poorna
    TI__Mastermind 25945 points

    Hi Teja,

    Teja Poorna said:
    CUST_MPK=$(SIGNING_TOOL_PATH)/custMpk_am64x_am243x.pem

    This RSA private key needs to be updated with the key you have used in the otp keywriter to blow the eFuses.

    Teja Poorna said:
    CUST_MEK=$(SIGNING_TOOL_PATH)/custMek_am64x_am243x.txt

    This key needs to be the 256-bit AES key (MEK) that was programmed by you via OTP Key Writer.

    Teja Poorna said:
    Do we also need to enable the "Encryption option for application", as the default option from sdk is set to no as shown below

    It is possible but we have limitations with this approach - https://software-dl.ti.com/mcu-plus-sdk/esd/AM243X/latest/exports/docs/api_guide_am243x/SECURE_BOOT.html#autotoc_md428

    Hope it helps.

    Best Regards,
    Aakash

  • 0 in reply to Aakash Kedia
    Prodigy 115 points

    Hi Aakash,

    To my understanding, For secure boot process, we require both "SMPK(RSA signing key)" as well as "SMEK(encryption key)". is it right? or Can we ignore the SMEK key if the "encryption option is not enabled" and just use only the SMPK key for the secure boot process. is it possible?

    Thanks & Regards

    Teja

  • 0 in reply to Teja Poorna
    Prodigy 115 points

    Hi

    Can you please answer the above question, as we got stuck at this point?

    thanks & Regards

    Teja

  • +1 in reply to Teja Poorna
    TI__Mastermind 25945 points

    Hi ,

    Teja Poorna said:
    To my understanding, For secure boot process, we require both "SMPK(RSA signing key)" as well as "SMEK(encryption key)". is it right? or Can we ignore the SMEK key if the "encryption option is not enabled" and just use only the SMPK key for the secure boot process. is it possible?

    My suggestion..

    1. You should program both SMPK as well as SMEK. Reason being, there is no way to program SMEK once the device is converted to HS-SE device.
    2. Yes, Encryption is completely optional. Only SMPK is mandatory for secure boot process.

    Best Regards,
    Aakash