F29H850TU: F29 Certificate handling?

Part Number: F29H850TU


Hi TI Support,

I am currently developing a production programming tool for the F29 device, based on the document spradn0.pdf and the example project:

C:\ti\f29h85x-sdk_1_01_00_00\examples\driverlib\single_core\flash\uart_flash_kernel

However, in the customer’s image (they are using Mode 2), there is a large amount of data outside the range specified in the Certificate.

Also, C29x3 does not seem to have its own Certificate. The customer told us that C29x3 shares the same Certificate with C29x1.

Could you please advise how this situation should be handled?
What is the correct way to program and verify the image in this case?

Thank you for your support.

Best regards,

  • Hi Lin,

    there is a large amount of data outside the range specified in the Certificate.

    Do you know why the customer created a certificate with an incorrect image size? They should provide the full range within the certificate.

    Also, C29x3 does not seem to have its own Certificate. The customer told us that C29x3 shares the same Certificate with C29x1.

    The customer will need to create a certificate for CPU3 as well. This will be especially important when the customer starts adding security into their application and the image for CPU3 will need to be authenticated.

    Best Regards,

    Marlyn

  • Hello TI,

    Sorry, let me add a little clarification.
    In TI's F29 SDK multi-core demo project, it is shown that there is no certificate section in Link.cmd of CPU3, but there is a certificate section on CPU1.
    And during the compilation of the Demo project, CPU3 is compiled first, before CPU1, and finally a certificate is generated in the compilation output file of CPU1.

    Is this understanding correct?

    ......

  • Hi ZW,

    Yes, for the multi-core projects in the F29x SDK, the CPU3 project is compiled first, then CPU1, and there is a combined cert.

    The post build steps can be modified as below for CPU1 and CPU3 respectively to have each of them generate their own bin files with cert (projectName_cert.bin).

    CPU1 Project

    Remove pre-build steps:

    ${COM_TI_MCU_SDK_INSTALL_DIR}/tools/misc/$(UPDATECPUBINSIZE) ../cpuAppSec3.c $(CPU3APP_CERT_REL_PATH) 3
    

    Update post-build steps:

    ${CG_TOOL_OBJCOPY} --remove-section=cert -O binary ${ProjName}.out ${ProjName}.bin
    $(PYTHON) ${COM_TI_MCU_SDK_INSTALL_DIR}/tools/boot/signing/mcu_rom_image_gen.py --image-bin ${ProjName}.bin --core C29 --swrv 1 --loadaddr 0x10001000 --sign-key ${COM_TI_MCU_SDK_INSTALL_DIR}/tools/boot/signing/mcu_gpkey.pem --out-image ${ProjName}_cert.bin --device f29h85x --boot FLASH --img_integ no 
    ${CG_TOOL_OBJCOPY} --update-section cert=C29-cert-pad.bin ${ProjName}.out ${ProjName}_cert.out 
    $(DELETE) -f ${ProjName}.out 
    $(RENAME) ${ProjName}_cert.out ${ProjName}.out
    

    CPU3 Project

    Update post-build steps

    ${CG_TOOL_OBJCOPY} --remove-section=cert -O binary ${ProjName}.out ${ProjName}.bin
    $(PYTHON) ${COM_TI_MCU_SDK_INSTALL_DIR}/tools/boot/signing/mcu_rom_image_gen.py --image-bin ${ProjName}.bin --core C29 --swrv 1 --loadaddr 0x10401000 --sign-key ${COM_TI_MCU_SDK_INSTALL_DIR}/tools/boot/signing/mcu_gpkey.pem --out-image  ${ProjName}_cert.bin --device f29h85x --boot FLASH --img_integ no --fw_type CPU3 
    ${CG_TOOL_OBJCOPY} --update-section cert=C29-cert-pad.bin ${ProjName}.out ${ProjName}_cert.out 
    $(DELETE) -f ${ProjName}.out 
    $(RENAME) ${ProjName}_cert.out ${ProjName}.out
    

    I am currently developing a production programming tool for the F29 device

    For the programming tool you are developing, will it also support secure programming? The post build steps for the projects will also need to change based on whether the device is in HS-FS or in HS-SE. For HS-SE, the cert needs to be signed with the correct customer root of trust key and image integrity needs to be turned on for both projects.

    based on the document spradn0.pdf and the example project:

    C:\ti\f29h85x-sdk_1_01_00_00\examples\driverlib\single_core\flash\uart_flash_kernel

    We have a newer SDK version 1.02 where we have actually made significant changes to the UART SBL. Could you please use the SBL within this SDK? It will be easier to provide support for this updated version.

    However, in the customer’s image (they are using Mode 2), there is a large amount of data outside the range specified in the Certificate.

    If the customer is using MODE2, I assume that you are using the RAM-based UART SBL, correct? The flash-based UART SBL will only support BANKMODE1/3.

    Best Regards,

    Marlyn

  • Marlyn said:

    If the customer is using MODE2, I assume that you are using the RAM-based UART SBL, correct? The flash-based UART SBL will only support BANKMODE1/3.

    Yes, we are using the RAM-based UART SBL for Mode 2.

    We would like to clarify one point regarding the image content and certificate coverage.

    In the customer’s image, we have observed that there is a significant amount of data located outside the memory range defined in the Certificate.
    Could you please advise whether any data outside the certificate range needs to be handled in a specific way?

    This question arises because, based on the SDK examples we referenced, only the memory region defined in the Certificate is processed and validated.

    Your clarification would be greatly appreciated.

  • Hi Lin,

    Could you please advise whether any data outside the certificate range needs to be handled in a specific way?

    Is the question with regard to secure programming? I did not see a response from you on whether you were developing a secure programming solution or just a non-secure programming solution. The SBL uses the size provided in the cert to know how big the image is and program it accordingly. Does the cert have image integrity on? This will be the main factor that will cause an issue if the size in the certificate does not match the image size itself. For HS-SE, the integrity check is required.

    only the memory region defined in the Certificate is processed and validated.

    Could you please expand on what you mean by "processed and validated"? You mean when the integrity check is enabled?

    Best Regards,
    Marlyn

  • Yes, I am currently using the same configuration as ZW Luan, and I suspect that Image Integrity is enabled in the certificate.

    In his project, the certificate only covers the memory range up to 0x26000; however, there is still a significant amount of data located beyond 0x10027000.

    I created and applied the certificate based on the example located at:
    C:\ti\f29h85x-sdk_1_01_00_00\examples\driverlib\single_core\flash\uart_flash_kernel

    However, this example only programs and authenticates the memory region covered by the Certificate, rather than the entire Flash memory.

    When I mentioned “handling and verification,” I was referring specifically to the Flash programming process and full image verification, not just the certificate authentication itself.

    Please let me know if my understanding is correct, or if there are any recommended examples or guidelines for performing full Flash image programming and validation when Image Integrity is enabled.

    Thank you for your support.

  • Hello,

    C:\ti\f29h85x-sdk_1_01_00_00\examples\driverlib\single_core\flash\uart_flash_kernel

    We no longer support this version of the example. Please use the updated version found in the 1.02.01.00 version of the F29 SDK.

    there is still a significant amount of data located beyond 0x10027000.

    Is this code or raw data?

    If wanting to certify all of flash, you will need a certificate and image that cover all of flash.

    This can be accomplished by using the FILL command in your linker .cmd file, for example:

    .text         : {} > FLASH_RP0,     palign(8), FILL=0x1234

    This will fill memory holes with 0x1234, resulting in an image and certificate that encompass all of CPU1's flash. You can read more on this here: 8.5.11. Creating and Filling Holes — C29 Clang Compiler Tools User's Guide.

    To include your extraneous data in the image integrity, you will need to merge your data into the application image before the certificate is generated. This can be done by allocating a section for it in your application linker .cmd file and using the c29objcopy tool in your post build steps, for example:

    ${CG_TOOL_OBJCOPY} --update-section my_data_section=data.bin ${ProjName}.out ${ProjName}.out

    Best,

    Alex
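
Added example (not TI's code and not part of any post in this thread): a pre-programming check a production tool could run to catch the situation discussed above, where image data lies outside the span the certificate declares. It assumes the load address and image size have already been read from the certificate (parsing is not shown, as the thread does not give the format), treats the 0x26000 quoted above as a size in bytes, and uses hypothetical function names and a constructed segment layout.

```python
from typing import Iterable, List, Tuple

Range = Tuple[int, int]  # (start, end) addresses, end exclusive


def merge_ranges(ranges: Iterable[Range]) -> List[Range]:
    """Sort and coalesce overlapping or adjacent address ranges."""
    merged: List[Range] = []
    for start, end in sorted(r for r in ranges if r[1] > r[0]):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def uncovered_ranges(segments, load_addr, cert_size):
    """Parts of the image that lie outside [load_addr, load_addr + cert_size)."""
    cov_start, cov_end = load_addr, load_addr + cert_size
    outside = []
    for start, end in merge_ranges(segments):
        if start < cov_start:
            outside.append((start, min(end, cov_start)))
        if end > cov_end:
            outside.append((max(start, cov_end), end))
    return outside


def check_image(segments, load_addr, cert_size):
    """Summarise coverage; the tool should stop when 'ok' is False."""
    gaps = uncovered_ranges(segments, load_addr, cert_size)
    total = sum(end - start for start, end in gaps)
    return {"ok": not gaps, "uncovered_bytes": total, "uncovered": gaps}


# Constructed sample: loadable segments of an image (assumed layout).
SAMPLE_SEGMENTS = [
    (0x10001000, 0x10020000),
    (0x1001F000, 0x10027000),  # overlaps the first segment
    (0x10027000, 0x10030000),  # data past the certified span
]
SAMPLE_LOAD_ADDR = 0x10001000  # --loadaddr used for CPU1 in the thread
SAMPLE_CERT_SIZE = 0x26000     # assumption: size in bytes declared by the cert

if __name__ == "__main__":
    report = check_image(SAMPLE_SEGMENTS, SAMPLE_LOAD_ADDR, SAMPLE_CERT_SIZE)
    for start, end in report["uncovered"]:
        print(f"outside certificate: 0x{start:08X}-0x{end:08X}")
    raise SystemExit(0 if report["ok"] else 1)
```

A non-empty result means the image should be rebuilt so the certificate covers it (for example with the FILL or `--update-section` approaches above) rather than programmed as-is.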