Tool/software:
Greetings,
we are currently implementing software update functionality for our project, and we were hoping to leverage bootloader authentication for verifying the received image outside of SBL.
Brief context: On AM243X-LP with AM243x MCU+ SDK 11.01.00 and SysCfg 1.22 we have an application running on R5F0-0 core that is hosting a REST API server (our own implementation) using lwIP stack on ICSS. We receive the image as TCP segments in one FreeRTOS task and using FreeRTOS queue send it to another task that is writing the image to flash memory. So far so good. We are currently GP but will eventually be targeting HS-SE. Our SBL is largely based on sbl_ospi_multi_partition example.
Once we receive the image but before we "commit" to the update, we were hoping we could use Bootloader_socAuthImage to verify the image x.509 certificate. By "committing" to update I mean somehow telling our custom SBL where the new image is (this mechanism is still in progress) and restarting the device. Our reasoning for this step is two-fold: a) image integrity - ensure the image arrived intact over the wire (some checksum mechanism would suffice here) and more importantly b) validate the certificate to ensure that when the device is restarted, the image won't be rejected by SBL and therefore "brick" the device or at least lead to some back-up boot mechanism immediately.
The code looks like this:
```cpp
// Once I receive the first update chunk in my FreeRTOS task that stores the image in Flash memory,
// I can find out the x509 certificate length and store it
// Chunk data is: char chunkData[1460]
mFlashOffset = 0x200000u; // Hardcoded destination for now
mX509CertificateLength = Bootloader_getX509CertLen(reinterpret_cast<uint8_t*>(mpChunk->chunkData)); // 1654
if (mX509CertificateLength <= 0x100 || mX509CertificateLength > 0x800) {
    // Abort update. We use the same magic numbers as TI SDK
}
// ...
// Once we have received the entire image
Flash_enableDacMode(mFlashHandle); // SystemP_SUCCESS
uint32_t certificateLoadAddress = mFlashOffset + SOC_getFlashDataBaseAddr(); // 0x60200000
uint32_t imageLength = Bootloader_getMsgLen(mX509Certificate.data(), mX509CertificateLength); // 439520
uint32_t cacheAlignedLength = (mX509CertificateLength + imageLength + 128) & ~(127); // 441216
CacheP_wbInv(reinterpret_cast<void*>(certificateLoadAddress), cacheAlignedLength, CacheP_TYPE_ALL);
const int32_t cVerifyStatus = Bootloader_socAuthImage(certificateLoadAddress); // SystemP_FAILURE
CacheP_inv((void*)certificateLoadAddress, cacheAlignedLength, CacheP_TYPE_ALL);
Flash_disableDacMode(mFlashHandle); // SystemP_SUCCESS
```
If I step through Bootloader_socAuthImage up to after Sciclient_procBootAuthAndStart, I get:

```
retVal                        int              0            0x701A79CC
(respParam).flags             unsigned int     0            0x701A7998
(respParam).respPayloadSize   unsigned int     20           0x701A79A0
(respParam).pRespPayload      unsigned char *  (see below)  0x701A799C

pRespPayload as 8-bit Hex - TI style:
00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 02 01 0A 70
```
sw.release.appimage.hs_fs was successfully signed and is successfully loaded by our SBL with enabled authentication (Disable Auth For Application Image unchecked in SysCfg). I have examined the sysfw log for more information based on the comment here downloads.ti.com/.../PROC_BOOT.html but there wasn't anything related. Thanks in advance,
Vaclav
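A stand-alone version of the pre-flight check the post describes, written as an added example (it is neither TI SDK code nor the poster's): it parses the DER length of the certificate's outer SEQUENCE from the first received chunk, applies the same 0x100/0x800 sanity bounds, and computes the cache-line-rounded region length the post passes to CacheP_wbInv. It assumes the certificate length counts the SEQUENCE header bytes as well as its contents (which is what makes the constructed header below come out at 1654); the function names and the sample bytes are the example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define CERT_LEN_MIN 0x100u   /* same bounds as the check in the post */
#define CERT_LEN_MAX 0x800u
#define CACHE_LINE   128u     /* line size used for the wbInv length */

/* Parse the DER length of the outer SEQUENCE of an X.509 certificate.
 * Returns header + contents length, or 0 if the bytes are not a
 * definite-length SEQUENCE with at most two length octets.
 * Assumption (example's own, not the SDK's): header bytes are counted. */
uint32_t der_cert_len(const uint8_t *p, size_t avail)
{
    if (avail < 2 || p[0] != 0x30) return 0;      /* not a SEQUENCE tag */
    uint8_t l = p[1];
    if (l < 0x80) return 2u + l;                  /* short-form length */
    if (l == 0x80) return 0;                      /* indefinite: not DER */
    size_t n = l & 0x7fu;                         /* number of length octets */
    if (n > 2 || avail < 2 + n) return 0;         /* too long or truncated */
    uint32_t len = 0;
    for (size_t i = 0; i < n; i++) len = (len << 8) | p[2 + i];
    return (uint32_t)(2 + n) + len;
}

/* Sanity check on the first chunk: 0 = plausible certificate, -1 = abort */
int cert_len_sane(uint32_t certLen)
{
    return (certLen <= CERT_LEN_MIN || certLen > CERT_LEN_MAX) ? -1 : 0;
}

/* Region to write back / invalidate before the authentication call:
 * certificate + image rounded up to a cache line, exactly as in the post. */
uint32_t auth_region_len(uint32_t certLen, uint32_t imageLen)
{
    return (certLen + imageLen + CACHE_LINE) & ~(CACHE_LINE - 1u);
}

int main(void)
{
    /* Constructed header: SEQUENCE, long-form length 0x0672 = 1650 content bytes */
    const uint8_t chunk[4] = { 0x30, 0x82, 0x06, 0x72 };
    uint32_t certLen = der_cert_len(chunk, sizeof chunk);          /* 1654 */
    printf("cert len %u, sane %d, region %u\n", (unsigned)certLen,
           cert_len_sane(certLen),
           (unsigned)auth_region_len(certLen, 439520u));           /* 441216 */
    return 0;
}
```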