• State
  • Replies 3 replies
  • Subscribers 31 subscribers
  • Views 71 views
  • Users 0 members are here
Support feedback
Options
Options
Related

AM263P4: Keyring certificate generation / keyringCert.h import via Sysconfig tool

Alejandro Ruiz
Prodigy 20 points
Part Number: AM263P4
Other Parts Discussed in Thread: SYSCONFIG, UNIFLASH

Tool/software:

Development Environment Context:

Device: AM263P4

Tools used:

  • mcu_plus_sdk_am263px_10_02_00_15 (Built and signed using SMPK - active ROT key)
  • tifs_am263px_10_02_00_01 (Built and signed using SMPK - active ROT key)
  • ccs2011 (Code Composer Studio)
  • sysconfig_1.23.0

Cryptographic elements:

  1. SMPK - Active Root of trust key (private): RSA-4096, burnt into e-fuses.
  2. CustMPK - Customer generated RSA-4096 auxiliary private key

Documentation used during process:

  1. MCU SDK README documentation (10_02_00_15)
  2. TIFS MCU README documentation (10_02_00_01)

Problem description:

Hi all, I am attempting to test keyring certificate generation and keyring import by using the following:

  1. sbl_ospi.debug.hs.tiimage - OSPI SBL (examples/drivers/boot/sbl_ospi) built using makefile and signed using SMPK private key.
  2. hello_world.debug.appimage.hs - Hello World example application from SDK, built using makefile and signed using CustMPK private key.

After building/signing sbl_ospi and hello_world application using corresponding keys, I generated a keyringCert.h file and then imported it into the SBL_OSPI's example.syscfg using SysConfig tool. After flashing via UART and switching to OSPI BOOTMODE, I clicked on the PORz (SW10) button and the CCS Serial Console does not provide any output.

In the past I have been able to successfully boot from OSPI_SBL using Hello_World example and signing using SMPK key, so I am aware of the AM263PX's behavior upon successful boot. I am facing issues when attempting to use auxiliary keys and importing the keyring so that I may test SBL booting/authentication using auxiliary keys via keyring. I have not had a successful boot using keyring, and I believe importing the KeyringCert.h file into the example.syscfg is breaking/damaging my SBL (.tiimage). 

I am also unsure of which option I should select for my device:
 

Steps I have followed/executed:

1. Generate keyring certificate:

  1. Modified keys.json file like so (custKey.json):
  2. Executed the following script:
    1. python3 .\keyring_cert_gen.py --root_key aux_keys/dev_keys/SMPK_rsa4k_priv.pem --kd_salt kd_salt.txt --keys_info custKey.json

    3. The generated result is a header file named "KeyringCert.h". 

2. Import the keyringCert.h using SysConfig:

  1. Opened Sysconfig tool.
  2. Clicked on "Open an Existing Design" and selected: "C:\ti\mcu_plus_sdk_am263px_10_02_00_15\examples\drivers\boot\sbl_ospi\am263px-cc\r5fss0-0_nortos\example.syscfg"
  3. I scrolled down on the left-side nav bar to the "TI HSM SERVICES" section and clicked on the "Keyring Import" option.
  4. I clicked on "ADD" button to add "Keyring0". 
  5. I then clicked on the "LOAD KEYRING CERT" button and selected the previously generated "KeyringCert.h" file. 

3. Modify MCU_SDK's devconfig.mak:

  • APP_SIGNING_KEY_KEYRING_ID?=32
  • APP_ENCRYPTION_KEY_KEYRING_ID?=0

4. Build/sign OSPI_SBL:

  1. In a terminal window, I navigated to: "C:\ti\mcu_plus_sdk_am263px_10_02_00_15\examples\drivers\boot\sbl_ospi\am263px-cc\r5fss0-0_nortos\ti-arm-clang"
  2. I executed:
    1.  "gmake -s all PROFILE=debug DEVICE_TYPE=HS DEVICE=am263px"

Result: sbl_ospi.debug.hs.tiimage is generated.

5. Build/sign Hello_world example application:

  1. In a terminal window, I navigated to: "C:\ti\mcu_plus_sdk_am263px_10_02_00_15\examples\hello_world\am263px-cc\r5fss0-0_nortos\ti-arm-clang"
  2. I executed:
    1. "gmake -s all DEVICE=am263px DEVICE_TYPE=HS PROFILE=debug APP_SIGNING_KEY_KEYRING_ID=32 APP_SIGNING_KEY=C:/ti/mcu_plus_sdk_am263px_10_02_00_15/source/security/security_common/tools/keyring_cert/aux_keys/dev_keys/CustMPK_1_rsa4k_priv.pem"

Result: hello_world.debug.appimage.hs is generated.

6. Flash SBL+Application via UART:

  1. Modifed hello_world.cfg file like so:
    1. # First point to sbl_uart_uniflash binary, which function's as a server to flash one or more files
      --flash-writer=C:/ti/mcu_plus_sdk_am263px_10_02_00_15/tools/boot/sbl_prebuilt/am263px-cc/sbl_uart_uniflash.debug.hs.tiimage

      # Program the OSPI PHY tuning attack vector
      --operation=flash-phy-tuning-data

      # When sending bootloader make sure to flash at offset 0x0. ROM expects bootloader at offset 0x0
      --file="C:/ti/mcu_plus_sdk_am263px_10_02_00_15/examples/drivers/boot/sbl_ospi/am263px-cc/r5fss0-0_nortos/ti-arm-clang/sbl_ospi.debug.hs.tiimage" --operation=flash --flash-offset=0x0

      # When sending application image, make sure to flash at offset 0x81000 (default) or to whatever offset your bootloader is configured for
      --file="C:/ti/mcu_plus_sdk_am263px_10_02_00_15/examples/hello_world/am263px-cc/r5fss0-0_nortos/ti-arm-clang/hello_world.debug.appimage.hs" --operation=flash-sector-write --flash-offset=0x81000
  2. In a terminal window I flashed using the following command: "python C:/ti/mcu_plus_sdk_am263px_10_02_00_15/tools/boot/uart_uniflash.py --cfg=./hello_world.cfg -p COM5"

Result: SBL and application successfully flashed. 

7. Attempt OSPI BOOT:

  1. Disconnected cables from AM263PX board.
  2. Set BOOTMODE switches to OSPI BOOTMODE. 
  3. Reconnected Data and Power cables. 
  4. In CCS, opened a Serial Console. 
  5. Connected to AM263PX via UART: COM5.
  6. Clicked on PORz (SW10) button. 

Result: 

The AM263PX board doesn't output anything via Serial Console, and the LD19 LED lights up (during button press). 

Conclusion:

The AM263PX board fails to boot, and there is no output via UART in CCS's Serial Console. I believe the ROM is failing to authenticate the SBL and UART fails to initialize, which leads to a lack of print out information in the Serial Console. I have observed that after importing the KeyringCert.h file into the example.syscfg that SysConfig modifies some files and adds the keyring data where it needs to. But after attempting to boot the ospi sbl it fails and the example.syscfg file seems to become corrupted (or the sbl itself). I have had to replace the sbl_ospi folder with a backup copy from the mcu_sdk to get things working again. 

I would like to request assistance from any TI representatives or any other professionals who have faced/overcome issues with importing and using keyring functionality.  

I need assistance validating if I am following the correct steps and if I am using the correct tools, scripts, etc. I need to understand where it is that I am failing! 

Any assistance would be very appreciated, thank you!

  • 0
    TI__Guru* 85486 points

    Hi,

    Thank you for the detailed explanation.

    Just to clarify your understanding. The SBL would always be signed and encrypted using the Root of Trust keys (SMPK, SMEK on efuse) as the ROM always expects the Root of Trust keys. 

    Only the application image should be signed using the auxiliary keys from Keyring. 

    Can you confirm if you are ensuring this at your end?

    Thanks and Regards,

    Nikhil Dasan

  • 0 in reply to Nikhil Dasan
    Prodigy 20 points

    Hi Nikhil, thanks for taking the time to respond to my post. 

    I am building/signing the OSPI SBL with the SMPK and SMEK (ROT keys).

    I am building/signing the hello_world application using an auxiliary private key I generated (lets name it CustMPK_1). I referenced the public key in the custKey.json. The application is not encrypted.

    Nikhil Dasan said:

    Can you confirm if you are ensuring this at your end?

    I confirm that I am ensuring this on my end.

  • 0 in reply to Alejandro Ruiz
    TI__Guru* 85486 points

    Hi Alejandro,

    Could you follow the below steps.

    1. Can you get the below working setup first.

    Alejandro Ruiz said:
    In the past I have been able to successfully boot from OSPI_SBL using Hello_World example and signing using SMPK key, so I am aware of the AM263PX's behavior upon successful boot.

    2. Then import the keyring certificate (i.e. Step 2), 

    Alejandro Ruiz said:
    2. Import the keyringCert.h using SysConfig:

    Followed by step 3 

    Alejandro Ruiz said:
    3. Modify MCU_SDK's devconfig.mak:

    Now do not rebuild in the SBL as you have done in step 4, Can you use the same SBL (same as Step 1) and proceed with step 5

    Alejandro Ruiz said:

    5. Build/sign Hello_world example application:

    With this setup, can you confirm if you are able to boot?

    Thanks and Regards,

    Nikhil Dasan