AM2432: HS Device: Signing software with custom keys

Robin Bross

Part Number: AM2432

Dear TI Experts,

I am currently struggeling to sign a bootloader *.tiimage for HS Devices were a custom MPK Key was programmed using the OTP Keywriter.
Currently I am working with the keywriter out the SDK 08.04 package. If needed I can also update to the otp_keywriter version 09_00_00.

If I use the TI Custom Keys out the SDK I am able to run the bootloader on our device.

--> Which file out the keywriter generation process shall be used as a custom SMPK Key?

If I take the smpk.pem file that is generated by the script, it looks different than the custMpk_am64x_am243x.pem file:

e.g. the header of the file:

The generated SMPK File:

custMpk_am64x_am243x.pem

What are the dependencies regarding the Encryption?
If we don't want to encrypt our binaries, is it sufficient to use the

# Encryption option for SBL (yes/no)

ENC_SBL_ENABLED?=no

Option?

Thanks in Advance and best regards
Robin

over 1 year ago

0 Aakash Kedia over 1 year ago

TI__Mastermind 26145 points

Hi Robin Bross,

Firstly, this custMpk_am64x_am243x.pem key is a degenerate key and mostly required in case of HSFS device. I am not able to understand if your device is a HSFS device or a HSSE device ?

Robin Bross said:
Which file out the keywriter generation process shall be used as a custom SMPK Key?

As written in the documentation, the keys (as well as the cert for production) must come from a HSM server.

You can use these steps to create a 4096bits RSA keys.

https://techdocs.akamai.com/iot-token-access-control/docs/generate-rsa-keys

And yes encryption is completely optional feature. You can disable the feature in an HSSE device.

Best Regards,
Aakash

0 Robin Bross over 1 year ago in reply to Aakash Kedia

Prodigy 233 points

Hello Aakash,

we want to have a HS-SE Device for production.

The main issue I am struggling with is, that I am able to run software on a HS-SE Device which contains the example keys out the SDK (mcu_plus_sdk_am243x_09_00_00_35\tools\boot\signing\....).
I used these keys to test, if the keywriting process itself is working as expected.

When writing our own keys to a device via the OTP Keywriter, I am not able to run SW on the device. Is the format of the key relevant here?
The keys I used were generated via the gen_keywr_cert.sh script, using the -g option (as described in the manual).

Is there a possibility to verify the signature of the hs image?

For going to production, a secure storage for the keys is used.

Best Regards
Robin

0 Aakash Kedia over 1 year ago in reply to Robin Bross

TI__Mastermind 26145 points

Hi Robin Bross,

Can you use this script - https://e2e.ti.com/support/microcontrollers/arm-based-microcontrollers-group/arm-based-microcontrollers/f/arm-based-microcontrollers-forum/1170785/faq-mcu-plus-sdk-am243x-how-to-identify-if-the-device-is-gp-device-or-hs-device

This will provide you the Public Key Hash (SHA512) of the Active Key. You can verify if the Public Key Hash matches the key you have.

I hope this helps.

Best Regards,
Aakash

0 Robin Bross over 1 year ago in reply to Aakash Kedia

Prodigy 233 points

Hello Aakash,

thank you for the update.

We already verified the hash that we receive by the socid parser, with the hash of the public part of our SMPK:

Can we maybe have a call to check the details here?

Is the MPK Key relevant for the Sysfw and the board config?

Best Regards

Robin

0 Aakash Kedia over 1 year ago in reply to Robin Bross

TI__Mastermind 26145 points

Hi Robin Bross

Yes.

The SYSFW, Board Config, SBL all the verified against the SMPKH (in case of combined boot; once).

Best Regards,
Aakash

0 Robin Bross over 1 year ago in reply to Aakash Kedia

Prodigy 233 points

Hello Aakash,

I can summarize the steps we did:

1. Generate keys (using the provided shell script: gen_keywr_cert.sh, create the certificates and build the OTP Keywriter)
--> We used the default SMEK (keys_devel), for the SMPK we used a custom key generated by the shell script

2. Write the keys onto the PCB --> Success

3. Verify the hash between the SMPK hash between .csv table and the socid output --> Matching

4. Build software with the SMEK out of the SDK (Development Key) and the custom SMPK which was used to generate the certificates for the keywriter

--> The bootloader *hs.tiimage is not starting, same result if we disable the encryption of the SBL via the devconfig.mak file.

We have almost no possibility to debug here, besides providing the software via UART XMODEM Boot.

Do you have any idea how to proceed further?
Are there requirements in which format the keys must be present to sign the tiimage?

Thanks and best regards
Robin

+1 Aakash Kedia over 1 year ago in reply to Robin Bross

TI__Mastermind 26145 points

Hi Robin,

As per our debug, we found out that due to SoC CPSW Reset Workaround you are seeing an additional reset. This is why it makes you think that the image got rejected. In reality the image is accepted and the image asserted a reset. After the test, it was concluded for the same.

Best Regards,
Aakash

Arm-based microcontrollers

Arm-based microcontrollers forum

AM2432: HS Device: Signing software with custom keys