• State Resolved
  • Locked Locked
  • Replies 13 replies
  • Answers 2 answers
  • Subscribers 32 subscribers
  • Views 599 views
  • Users 0 members are here
Support feedback
Options
Options
Related

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

LP-AM261: Secure Boot : Provision OTP Keys in production environment.

Nithin Kurian
Prodigy 130 points

Part Number: LP-AM261

Tool/software:

Hi

I am trying to add Secure Boot functionality to application running on LP-AM261.

I was able to execute Keywriter Trial Run mode.

Now we are thinking about options/methods to provision OTP Keys in production environment.

We know that by writing Keywriter firmware to OSPI we can do this.

Could you suggest methods by which we can write OTP keys without loading image to flash.

Thanks

Nithin

  • 0
    TI__Guru* 87701 points

    Hi Nithin,

    The below FAQ details about ways to do OTP KW. 

    (+) [FAQ] AM2634-Q1: Recommended flow for OTP Keywriter from TI for external VPP power supply. - Arm-based microcontrollers forum - Arm-based microcontrollers - TI E2E support forums

    Though it is focused on AM263 (which requires external Vpp) whereas AM261 has internal LDO integrated for VPP, the steps followed should be the same.

    Without using flash, the recommended way would be to use UART to load the Keywriter SBL via xModem.

    Thanks and Regards,

    Nikhil Dasan

  • 0 in reply to Nikhil Dasan
    Prodigy 130 points

    Is it possible load OTP writer to RAM?

    Is there a way to write OTP keys without creating a binary containing OTP keys?

  • 0 in reply to Nithin Kurian
    TI__Guru* 87701 points

    OTP KW provided is a SBL binary.

    Which means that the ROM loads this SBL, which internally loads the HSMRT for Keywriter and then runs the keywriter service so that the HSM core does the efuse. 

    With the above flow, The KW sbl binary can be put onto RAM using the UART boot mode and then the same is executed from there.

    Thanks and Regards,

    Nikhil Dasan

  • 0 in reply to Nikhil Dasan
    Prodigy 130 points

    Thank you for your response.

    I understood the UART boot mode behaviour.

    Nithin Kurian said:
    Is there a way to write OTP keys without creating a binary containing OTP keys?

    Is there any way to write the keys without creating binary?

    We are considering an option were different keys for each device. So it will be difficult to generate customized binaries (with different keys). Is there any tool or something to write the keys (majorly for production environment for large number devices).  

  • 0 in reply to Nithin Kurian
    TI__Guru* 87701 points

    Hi Nithin,

    Actuallly there is a way where you could receive the certificate using an external interface and share it to the HSM core. 

    However, this is not showcased in the OTP KW binary, but we have a reference for the same in our debug authentication example in the TIFS_SDK, 

    Here we receive the debug certificate in SBL over UART Xmodem and then provide the same to the HSM core as shown below

    Please refer to the example in C:\ti\tifs_am261x_10_02_00_00\examples\debug_authentication for the same. 

    TIFS SDK is obtained from ti.com/secureresources/AM261X-TIFS-SDK

    Thanks and Regards,

    Nikhil Dasan

  • 0 in reply to Nikhil Dasan
    Prodigy 130 points

    Hi Nikhil,

    Nikhil Dasan said:
    Here we receive the debug certificate in SBL over UART Xmodem and then provide the same to the HSM core as shown below

    I have tried this by modifying otp keywriter application (in DRYRUN_MODE) but i am getting this error:

    Starting KeyWriter Bootloader ...
    Device Type : HSFS
    SR version 1.0

    [HSM_CLIENT] New Client Registered with Client Id = 2
    [HSM CLIENT] OTP-KW 64bit version string = 0x0013306000a0001

    [HSM CLIENT] OTP-KW Information
    [Soc Type] = AM261X
    [Device Type] = HS-FS
    [HSM Type] = HSM_V1
    [Bin Type] = OTPKW
    [OTP-KW Version] = 10.0.1

    #
    # Validating certificate..
    #
    [HSM CLIENT] OTP-KW Error encountered in OTP Keywriter

    [HSM CLIENT] OTP-KW debugResponse = 0x00003011
    [HSM CLIENT] OTP-KW Error phase = 0x1
    [HSM CLIENT] OTP-KW Error module = 0x01
    [HSM CLIENT] OTP-KW Error stage = 0x03
    [HSM CLIENT] OTP-KW Error customer key extension = 0x0

    KPI_DATA: [BOOTLOADER_PROFILE] Boot Media : undefined
    KPI_DATA: [BOOTLOADER_PROFILE] Boot Image Size : 0 KB
    KPI_DATA: [BOOTLOADER_PROFILE] Cores present :
    KPI_DATA: [BOOTLOADER PROFILE] System_init : 346us
    KPI_DATA: [BOOTLOADER PROFILE] Drivers_open : 18us
    KPI_DATA: [BOOTLOADER PROFILE] LoadHsmKeyWriterRtFw : 16523us
    KPI_DATA: [BOOTLOADER PROFILE] LoadHsmCustomerKeyCertificate : 31089us
    KPI_DATA: [BOOTLOADER PROFILE] KeyWriter SBL End : 850713us
    KPI_DATA: [BOOTLOADER_PROFILE] SBL Total Time Taken : 898690us

    KeyWriter Bootloader Execution Complete...

    To isolate the issue i have tried copying the certificate from another array also (instead of receiving over XMODEM),

    but it also resulted in same error.

    My changes for copying from an array is given below

  • 0 in reply to Nithin Kurian
    TI__Guru* 87701 points

    Hi,

    Nithin Kurian said:

    [HSM CLIENT] OTP-KW Error encountered in OTP Keywriter

    [HSM CLIENT] OTP-KW debugResponse = 0x00003011
    [HSM CLIENT] OTP-KW Error phase = 0x1
    [HSM CLIENT] OTP-KW Error module = 0x01
    [HSM CLIENT] OTP-KW Error stage = 0x03

    The error says that the issue is in parsing the certificate from the cert address that is sent from R5

    Can you check what is the certHeader.certAddress in good case and bad case?

    The cert address must be >= 0x70027800 and < (0x70027800 + Max Cert size (0x40000))

    Is this the same certificate available in the SBL keywriter package?

    Thanks and Regards,

    Nikhil Dasan

  • 0 in reply to Nikhil Dasan
    Prodigy 130 points

    Hi Nikhil,

    Thank you for the response.

    Nikhil Dasan said:
    Is this the same certificate available in the SBL keywriter package?

    I have generated my own customer keys

    Then i have generated keywriter certificate with the keys

    i am using same certificate in both cases (Good and bad)

    Nikhil Dasan said:
    The cert address must be >= 0x70027800 and < (0x70027800 + Max Cert size (0x40000))

    certHeader.certAddress is within MSRAM_HSMRT.

    logs from bad case and good case is given below

    Good case

    [HSM CLIENT] MSRAM_HSMRT start 0x70027800
    [HSM CLIENT] certAddress start 0x70045428
    [HSM CLIENT] certAddress end 0x7004702d
    [HSM CLIENT] MSRAM_HSMRT end 0x70067800

    Bad case

    [HSM CLIENT] MSRAM_HSMRT start 0x70027800
    [HSM CLIENT] certAddress start 0x7004702d
    [HSM CLIENT] certAddress end 0x70048c32
    [HSM CLIENT] MSRAM_HSMRT end 0x70067800

    #
    # Validating certificate..
    #
    [HSM CLIENT] OTP-KW Error encountered in OTP Keywriter

    [HSM CLIENT] OTP-KW debugResponse = 0x00003011
    [HSM CLIENT] OTP-KW Error phase = 0x1
    [HSM CLIENT] OTP-KW Error module = 0x01
    [HSM CLIENT] OTP-KW Error stage = 0x03
    [HSM CLIENT] OTP-KW Error customer key extension = 0x0

    Thanks

    Nithin

  • 0 in reply to Nithin Kurian
    TI__Guru* 87701 points

    Hi Nithin,

    Sorry for the delay in response. I'm trying to reproduce the issue at my end. Meanwhile, can you please compare if the gCustKeyCert array in both good case and bad case are the same that is being pointed in the address certHeader.certAddress?

    Thanks and Regards,

    Nikhil Dasan

  • 0 in reply to Nikhil Dasan
    Prodigy 130 points

    Hi Nikhil,

    Yes, gCustKeyCert array is same in good and bad case

    Thanks

    Nithin

  • +1 in reply to Nithin Kurian
    TI__Guru* 87701 points

    Hi Nithin,

    Looks like the issue at your end would be missing of Cache invalidation and writeback.

    I tried getting the keywriter certificate at my end via UART and able to do the dry run mode expected. 

    I had faced the issue that you are currently facing, which got resolved by using CacheP_wbInv() after receiving the certificate from UART.

    Placing here my implementation for referance.

    /cfs-file/__key/communityserver-discussions-components-files/908/0272.main.c

    Also, the section would now be .data.custKeyCert in syscfg instead of ".rodata.custKeyCert", so it is no more a "const"

    Thanks and Regards,

    Nikhil Dasan

  • 0 in reply to Nikhil Dasan
    Prodigy 130 points

    Hi Nikhil,

    Thank you for the response.

    I will try out and get back to you.

    Thanks

    Nithin

  • 0 in reply to Nithin Kurian
    Prodigy 130 points

    Hi Nikhil,

    It is working for me

    Thank you for support

    Thanks

    Nithin