AM2634: HS-FS SBL Verification Clarification

Part Number: AM2634


Hello,

With reference to this document: AM263x MCU+ SDK: Understanding the bootflow and bootloaders (ti.com)

There is this excerpt:

This .bin file is then signed using the Signing Scripts to create the final .tiimage bootable image.

  • The .tiimage file extension is kept to separate the SBL boot image from a normal application image
  • The rom_degenerateKey.pem is used for this.
  • This is a ROM bootloader requirement and is needed even on a non-secure device.

But then there is this table:

If the text says that the SBL shall always be signed regardless of device type, what is meant by Certificate Verification "Not Performed" for HS-FS in the above table?

In other words, if verification is not performed by HS-FS RBL why is it necessary to sign the SBL in this case please?

Thank you.

  • Hi,

    The ROM doesn't expect the SBL image to be in any particular format; it is just plain binary. So the x509 certificate which is produced after the signing is also used for metadata on the SBL image, like the size of the image, etc. Verification not performed just means that you don't need to sign the image with a dedicated key, and an RSA degenerate key will work. There is also the optional image integrity check which computes the SHA of the image and compares it with the value in the certificate. Hope that answered your question.

    Regards,
    Anand Mahadevan SS
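
The two roles the reply gives the certificate (carrying the image size, and holding a SHA value for the optional integrity check) can be sketched as follows. This is an added example, not TI's code or the ROM's logic: the fixed `size + digest` record, the choice of SHA-512 and every name in it are assumptions standing in for the real X.509 extension encoding. It also shows that, without a verified signature, the digest detects corruption but cannot tell a re-measured image from the original.

```python
import hashlib
import hmac
import struct

# Hypothetical metadata record (NOT TI's X.509 extension layout):
# 4-byte big-endian image size followed by a 64-byte SHA-512 digest.
META = struct.Struct(">I64s")

def make_metadata(image: bytes) -> bytes:
    """Signing-side step: record the image size and its SHA-512."""
    return META.pack(len(image), hashlib.sha512(image).digest())

def check_image(metadata: bytes, blob: bytes) -> str:
    """Loader-side step: bound the image by the recorded size, then compare digests."""
    if len(metadata) != META.size:
        return "bad-metadata"
    size, expected = META.unpack(metadata)
    if size == 0 or size > len(blob):
        return "truncated"
    # Hash exactly `size` bytes; anything after that (e.g. flash padding) is ignored.
    actual = hashlib.sha512(blob[:size]).digest()
    return "ok" if hmac.compare_digest(actual, expected) else "digest-mismatch"

# Constructed sample image and its metadata.
SBL = bytes(range(256)) * 4
META_OK = make_metadata(SBL)

def demo() -> dict:
    flipped = bytearray(SBL)
    flipped[10] ^= 0x01  # single-bit corruption
    modified = bytes(flipped)
    return {
        "intact": check_image(META_OK, SBL),
        "padded": check_image(META_OK, SBL + b"\xff" * 16),
        "bitflip": check_image(META_OK, modified),
        "truncated": check_image(META_OK, SBL[:-1]),
        # Metadata regenerated for the changed image: a digest alone accepts it,
        # because nothing ties the metadata to a trusted key.
        "remeasured": check_image(make_metadata(modified), modified),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:11s} {result}")
```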