Dear TI Team,
we've encountered an issue while building the OTP Keywriter application using MCU+ SDK 09.01 on the AM263x device. The resulting build fails to boot from QSPI flash.
This problem appears to be specific to builds generated with SDK 09.01, and affects for example the NULL SBL, too. The pre-built NULL SBL boots just fine, but a NULL SBL built from the example sources fails to boot.
In contrast, we've observed that SBLs built with MCU+ SDK 09.02 can boot successfully from QSPI without any issues.
Comparing the `tiimage` files from both SDK versions, we found a difference in the embedded certificates:
* **SDK 09.01 Builds (Failing):** The certificate includes the X509v3 extension "Subject Key Identifier"
* **SDK 09.02 Builds (Working):** The certificate does not include this extension.
Interestingly, pre-built SBLs shipped with MCU+ SDK 09.01 do *not* contain this extension in their certificates. This issue only arises when building the OTP Keywriter or NULL SBL from scratch using SDK 09.01.
The latest OTP keywriter for the AM26x is for version 09.01, so based on other replies on E2E that is the MCU+ SDK version that should be used.
What is the recommended approach to successfully build and boot the OTP Keywriter application using MCU+ SDK 09.01? Is there a workaround or configuration change to address this certificate-related discrepancy?
Best Regards,
Dominic
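The certificate comparison described in the post above can be scripted. This added example (not part of the original thread and not TI tooling) lists the X509v3 extension OIDs of the certificate at the start of an image, so a build can be checked for Subject Key Identifier (OID 2.5.29.14). It assumes the `.tiimage` begins with a DER-encoded X.509 certificate; `SAMPLE` is a constructed skeleton, not a real certificate.

```python
# Added example (not TI tooling); assumes the image starts with a DER X.509 certificate.
SKI_OID = "2.5.29.14"  # id-ce-subjectKeyIdentifier
# Constructed skeleton (not a real certificate) followed by 4 fake payload bytes.
SAMPLE = bytes.fromhex(
    "303b3034a003020102020101a32a302830090603551d1304023000300b0603551d0e"
    "04040402aabb300e06092b06010401868d1f010401003000030100deadbeef")

def read_tlv(buf, pos):
    """Return (tag, body_start, body_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: low 7 bits = byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def children(buf, start, end):
    """Yield (tag, body_start, body_end) for each element in buf[start:end]."""
    while start < end:
        tag, body, start = read_tlv(buf, start)
        yield tag, body, start

def decode_oid(body):
    """Dotted form of DER OBJECT IDENTIFIER content bytes."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if byte < 0x80:                      # last byte of this arc
            arcs, value = arcs + [value], 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first, *arcs[1:]]))

def extension_oids(image):
    """Extension OIDs of the certificate at offset 0 of image."""
    tag, b, e = read_tlv(image, 0)                    # Certificate
    if tag != 0x30:
        raise ValueError("image does not start with a DER SEQUENCE")
    _, tb, te = read_tlv(image, b)                    # tbsCertificate
    for tag, xb, _ in children(image, tb, te):
        if tag == 0xA3:                               # [3] extensions
            _, sb, se = read_tlv(image, xb)           # SEQUENCE OF Extension
            oids = []
            for _, eb, _ in children(image, sb, se):  # each Extension
                _, ob, oe = read_tlv(image, eb)       # extnID comes first
                oids.append(decode_oid(image[ob:oe]))
            return oids
    return []
```

To check a real build, pass the file contents, for example `SKI_OID in extension_oids(open(path, "rb").read())`, and compare the result for images produced by each SDK version.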
Hi Dominic,
Very interesting, I did not see this issue while using OTP Keywriter with SDK 9.1.
Which OpenSSL version are you using?
> The latest OTP keywriter for the AM26x is for version 09.01, so based on other replies on E2E that is the MCU+ SDK version that should be used.

The latest OTP Keywriter version is 10.0. Do you see the same in your secure resource folder? And yes it should be used with MCU PLUS SDK 10.0 version.
Hello Nilabh,
no, I don't see OTP keywriter version 10.0 for the AM26x.
There's version 1.0 which says it is for 08.03, and there's version SR_11_09_01_00_05. We're using SR1.1 hardware so that's the version we've been using.
It works, but only if we use MCU+ SDK 09.02 to generate the .tiimage. Everything we generate from MCU+ SDK 09.01, including just the null bootloader (but for that we have a newer SDK, so we don't care about this issue itself), won't boot from QSPI. We also tried booting those images from UART with the same issue.
If there's a newer OTP keywriter to go with MCU+ SDK 10.00 that could be a way forward. Can you figure out why I don't see this under AM263x restricted security content?
Regards,
Dominic
> Which OpenSSL version are you using?

I'm using OpenSSL 3.1.4 24 Oct 2023 (Library: OpenSSL 3.1.4 24 Oct 2023).
My colleague who initially found this problem is using OpenSSL 3.2.2 4 Jun 2024 (Library: OpenSSL 3.2.2 4 Jun 2024).
Regards,
Dominic
This is how I build the NULL SBL with SDK 09.01 (easier to share than OTP):
```
dra@TECHNOKRATUS MINGW64 /c/ti/mcu_plus_sdk_am263x_09_01_00_41
$ C:/ti/ccs1271/ccs/utils/bin/gmake -s -C examples/drivers/boot/sbl_null/am263x-cc/r5fss0-0_nortos/ti-arm-clang clean all
Cleaning: am263x:r5fss0-0:nortos:ti-arm-clang sbl_null.release.out ...
Generating SysConfig files ...
Running script...
Validating...
info: /kernel/dpl/debug_log uartLog.baudRate: Actual Baudrate Possible: 115385 (0 % error)
Generating Code (example.syscfg)...
Writing C:\ti\mcu_plus_sdk_am263x_09_01_00_41\examples\drivers\boot\sbl_null\am263x-cc\r5fss0-0_nortos\ti-arm-clang\generated\ti_dpl_config.c...
Writing C:\ti\mcu_plus_sdk_am263x_09_01_00_41\examples\drivers\boot\sbl_null\am263x-cc\r5fss0-0_nortos\ti-arm-clang\generated\ti_dpl_config.h...
Writing C:\ti\mcu_plus_sdk_am263x_09_01_00_41\examples\drivers\boot\sbl_null\am263x-cc\r5fss0-0_nortos\ti-arm-clang\generated\ti_drivers_config.c...
Writing C:\ti\mcu_plus_sdk_am263x_09_01_00_41\examples\drivers\boot\sbl_null\am263x-cc\r5fss0-0_nortos\ti-arm-clang\generated\ti_drivers_config.h...
Writing C:\ti\mcu_plus_sdk_am263x_09_01_00_41\examples\drivers\boot\sbl_null\am263x-cc\r5fss0-0_nortos\ti-arm-clang\generated\ti_drivers_open_close.c...
Writing C:\ti\mcu_plus_sdk_am263x_09_01_00_41\examples\drivers\boot\sbl_null\am263x-cc\r5fss0-0_nortos\ti-arm-clang\generated\ti_drivers_open_close.h...
Writing C:\ti\mcu_plus_sdk_am263x_09_01_00_41\examples\drivers\boot\sbl_null\am263x-cc\r5fss0-0_nortos\ti-arm-clang\generated\ti_pinmux_config.c...
Writing C:\ti\mcu_plus_sdk_am263x_09_01_00_41\examples\drivers\boot\sbl_null\am263x-cc\r5fss0-0_nortos\ti-arm-clang\generated\ti_power_clock_config.c...
Writing C:\ti\mcu_plus_sdk_am263x_09_01_00_41\examples\drivers\boot\sbl_null\am263x-cc\r5fss0-0_nortos\ti-arm-clang\generated\ti_board_config.c...
Writing C:\ti\mcu_plus_sdk_am263x_09_01_00_41\examples\drivers\boot\sbl_null\am263x-cc\r5fss0-0_nortos\ti-arm-clang\generated\ti_board_config.h...
Writing C:\ti\mcu_plus_sdk_am263x_09_01_00_41\examples\drivers\boot\sbl_null\am263x-cc\r5fss0-0_nortos\ti-arm-clang\generated\ti_board_open_close.c...
Writing C:\ti\mcu_plus_sdk_am263x_09_01_00_41\examples\drivers\boot\sbl_null\am263x-cc\r5fss0-0_nortos\ti-arm-clang\generated\ti_board_open_close.h...
Writing C:\ti\mcu_plus_sdk_am263x_09_01_00_41\examples\drivers\boot\sbl_null\am263x-cc\r5fss0-0_nortos\ti-arm-clang\generated\ti_enet_config.c...
Writing C:\ti\mcu_plus_sdk_am263x_09_01_00_41\examples\drivers\boot\sbl_null\am263x-cc\r5fss0-0_nortos\ti-arm-clang\generated\ti_enet_config.h...
Writing C:\ti\mcu_plus_sdk_am263x_09_01_00_41\examples\drivers\boot\sbl_null\am263x-cc\r5fss0-0_nortos\ti-arm-clang\generated\ti_enet_open_close.c...
Writing C:\ti\mcu_plus_sdk_am263x_09_01_00_41\examples\drivers\boot\sbl_null\am263x-cc\r5fss0-0_nortos\ti-arm-clang\generated\ti_enet_open_close.h...
Writing C:\ti\mcu_plus_sdk_am263x_09_01_00_41\examples\drivers\boot\sbl_null\am263x-cc\r5fss0-0_nortos\ti-arm-clang\generated\ti_enet_soc.c...
Writing C:\ti\mcu_plus_sdk_am263x_09_01_00_41\examples\drivers\boot\sbl_null\am263x-cc\r5fss0-0_nortos\ti-arm-clang\generated\ti_enet_lwipif.c...
Writing C:\ti\mcu_plus_sdk_am263x_09_01_00_41\examples\drivers\boot\sbl_null\am263x-cc\r5fss0-0_nortos\ti-arm-clang\generated\ti_enet_lwipif.h...
Writing C:\ti\mcu_plus_sdk_am263x_09_01_00_41\examples\drivers\boot\sbl_null\am263x-cc\r5fss0-0_nortos\ti-arm-clang\generated\linker.cmd...
Compiling: am263x:r5fss0-0:nortos:ti-arm-clang sbl_null.release.out: ../main.c
Compiling: am263x:r5fss0-0:nortos:ti-arm-clang sbl_null.release.out: generated/ti_drivers_config.c
Compiling: am263x:r5fss0-0:nortos:ti-arm-clang sbl_null.release.out: generated/ti_drivers_open_close.c
Compiling: am263x:r5fss0-0:nortos:ti-arm-clang sbl_null.release.out: generated/ti_board_config.c
Compiling: am263x:r5fss0-0:nortos:ti-arm-clang sbl_null.release.out: generated/ti_board_open_close.c
Compiling: am263x:r5fss0-0:nortos:ti-arm-clang sbl_null.release.out: generated/ti_dpl_config.c
Compiling: am263x:r5fss0-0:nortos:ti-arm-clang sbl_null.release.out: generated/ti_pinmux_config.c
Compiling: am263x:r5fss0-0:nortos:ti-arm-clang sbl_null.release.out: generated/ti_power_clock_config.c
.
Linking: am263x:r5fss0-0:nortos:ti-arm-clang sbl_null.release.out ...
Linking: am263x:r5fss0-0:nortos:ti-arm-clang sbl_null.release.out Done !!!
.
Boot image: am263x:r5fss0-0:nortos:ti-arm-clang C:/ti/mcu_plus_sdk_am263x_09_01_00_41/examples/drivers/boot/sbl_null/am263x-cc/r5fss0-0_nortos/ti-arm-clang/sbl_null.release.tiimage ...
Boot image: am263x:r5fss0-0:nortos:ti-arm-clang C:/ti/mcu_plus_sdk_am263x_09_01_00_41/examples/drivers/boot/sbl_null/am263x-cc/r5fss0-0_nortos/ti-arm-clang/sbl_null.release.tiimage Done !!!
```
This is the resulting file that won't boot on our SR 1.1 AM263x control card:
Regards,
Dominic
Hi Dominic, Few problems I see here:
1.
> I'm using OpenSSL 3.1.4 24 Oct 2023 (Library: OpenSSL 3.1.4 24 Oct 2023).

OpenSSL version should be 1.1.1, as that is what we support currently for OTP Keywriter. This is pending on us to upgrade OTP Keywriter to support OpenSSL version 3.
> * **SDK 09.01 Builds (Failing):** The certificate includes the X509v3 extension "Subject Key Identifier"
> * **SDK 09.02 Builds (Working):** The certificate does not include this extension.

And I am assuming this might be the reason for the difference, as MCU PLUS SDK 9.1 supports OpenSSL 1.1.1, whereas SDK 9.2 got upgraded to support OpenSSL v3.
...
Hello Nilabh,
OpenSSL 1.1.1 was discontinued, I'm not sure if we're able to switch back to an outdated version.
Do you know how we can get access to OTP keywriter version 10.00?
Regards,
Dominic
> OpenSSL 1.1.1 was discontinued, I'm not sure if we're able to switch back to an outdated version.

I know, Dominic, apologies for this. I can share the OpenSSL 1.1.1 version if you want to test this.
WIP_AM263x_OTP_Keywriter_Steps.pdf
Also please refer to this for detailed steps on OTP Keywriter provisioning. Let me know if you have any other questions.
Hello Nilabh,
initially you mentioned an OTP keywriter version 10.00. Should that already be available, or is it planned in a reasonable timeframe (e.g. next 1-2 months)? If a new keywriter became available I suppose that would be good enough.
Maintaining an OpenSSL 1.1.1 installation to generate the keywriter and a 3.x installation "for anything else" (e.g. application signing) is not a long-term option. We found a way to sign the OTP keywriter generated with 9.1 using scripts from 9.2. As a workaround that is good enough, now I'm looking for a clean solution going forward.
Regards,
Dominic
Hi Dominic,
We are planning to release an updated OTP Keywriter next month with the OpenSSL update.
> initially you mentioned an OTP keywriter version 10.00. Should that already be available, or is it planned in a reasonable timeframe (e.g. next 1-2

My bad, this is a planned release. I will keep you posted on the update.