• State Resolved
  • Locked Locked
  • Replies 1 reply
  • Subscribers 97 subscribers
  • Views 614 views
  • Users 0 members are here
Support feedback
Options
Options
Related

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

[FAQ] SYSFW keyring importing support on AM62x

Hong Guan64
Guru 70150 points
Part Number: AM625


Tool/software:

SYSFW/TIFS supports keyring import on AM62x HS-SE.
https://software-dl.ti.com/tisci/esd/latest/6_topic_user_guides/keyring.html
https://software-dl.ti.com/tisci/esd/latest/2_tisci_msgs/security/keyring.html

The FAQ lists how to add SYSFW/TIFS keyring import API in u-boot (R5-SPL), and verify the binary signed with the imported keyring on AM62x HS-SE with AM62x Linux SDK 11.1.5.3 (TIFS 11.1.2)
https://www.ti.com/tool/download/PROCESSOR-SDK-LINUX-AM62X/11.01.05.03

  • +1
    TI__Guru 70150 points

    1/. Generate and sign the keyring import certificate
    a. untar the package "keyring_gen_sign.tar.xz"
    b. read "README.md" on how to generate and sign the keyring import certificate
    c. sample cmds are listed below, which generate the keyring import certificate "keyring_init.h"
    - "python3 gen_keyring.py"
    - "python3 sign_keyring.py './keys/root/custMpk.pem' 6 0"

    2/. u-boot patches (keyring-patch.tar.xz)
    Apply the following u-boot patches
    - 0001-tisci-driver-for-sysfw-keyring-import-API.patch: tisci driver for sysfw keyring import API
    - 0001-calling-sysfw-keyring-import-API-in-r5-spl.patch: calling sysfw keyring import API in r5-spl
    - 0001-tisci-cmd-to-verify-bin-via-TISCI-API: test cmd to verify the test binary signed with the imported key

    3/. Sign test binary with the imported key
    run "./sign_bin.sh" from the above untared folder in step #1 above
    - sign the test binary with the imported key for positive test
    - sign the test binary with the un-imported key for negative test

    4/. Test log (am62_11.1.5.3_keyring.log)
    - SYSFW/TIFS keyring import API is called in u-boot (r5-spl)
    - u-boot test cmds to verify two test binary, where one (signed_1.bin) is signed with the imported key (positive test), and one (signed_7.bin) signed with the un-imported key (negative test)
    - sample u-boot test cmd from SD boot, where signed_1.bin & signed_7.bin are copied to SD boot partition

    load mmc 1 $loadaddr signed_1.bin; tisci_verify $loadaddr $filesize
load mmc 1 $loadaddr signed_7.bin; tisci_verify $loadaddr $filesize

    https://e2e.ti.com/cfs-file/__key/communityserver-discussions-components-files/791/7120.keyring_5F00_gen_5F00_sign.tar.xz

    https://e2e.ti.com/cfs-file/__key/communityserver-discussions-components-files/791/keyring_2D00_patch.tar.xz

    Fullscreen am62_11.1.5.3_keyring.log Download 
    U-Boot SPL 2025.01-g01d5162a1547 (Oct 30 2025 - 00:02:27 -0500)
SYSFW ABI: 4.0 (firmware rev 0x000b '11.1.2--v11.01.02 (Fancy Rat)')
k3_sysfw_keyring_import:
Changed A53 CPU frequency to 1250000000Hz (T grade) in DT
SPL initial stack usage: 13392 bytes
Trying to boot from MMC2
Authentication passed
Authentication passed
Authentication passed
Authentication passed
Authentication passed
Starting ATF on ARM64 core...

NOTICE:  BL31: v2.13.0(release):v2.13.0-240-gd90bb650fe-dirty
NOTICE:  BL31: Built : 21:37:18, Jun 23 2025
I/TC: 
I/TC: OP-TEE version: 4.6.0-dev (gcc version 11.3.1 20220712 (Arm GNU Toolchain 11.3.Rel1)) #1 Tue Oct 21 19:02:48 UTC 2025 aarch64
I/TC: WARNING: This OP-TEE configuration might be insecure!
I/TC: WARNING: Please check https://optee.readthedocs.io/en/latest/architecture/porting_guidelines.html
I/TC: Primary CPU initializing
I/TC: GIC redistributor base address not provided
I/TC: Assuming default GIC group status and modifier
I/TC: SYSFW ABI: 4.0 (firmware rev 0x000b '11.1.2--v11.01.02 (Fancy Rat)')
I/TC: Activated SA2UL device
I/TC: Enabled firewalls for SA2UL TRNG device
I/TC: SA2UL TRNG initialized
I/TC: SA2UL Drivers initialized
I/TC: Secure Board Configuration Software: Rev 1
I/TC: Secure Boot Keys: Count 2, Rev 1
I/TC: HUK Initialized
I/TC: Primary CPU switching to normal world boot

U-Boot SPL 2025.01-g01d5162a1547 (Oct 30 2025 - 00:03:01 -0500)
SYSFW ABI: 4.0 (firmware rev 0x000b '11.1.2--v11.01.02 (Fancy Rat)')
SPL initial stack usage: 2032 bytes
Trying to boot from MMC2
Authentication passed
Authentication passed


U-Boot 2025.01-g01d5162a1547 (Oct 30 2025 - 00:03:01 -0500)

SoC:   AM62X SR1.0 HS-SE
Model: Texas Instruments AM625 SK
DRAM:  2 GiB
Core:  83 devices, 32 uclasses, devicetree: separate
MMC:   mmc@fa10000: 0, mmc@fa00000: 1
Loading Environment from nowhere... OK
In:    serial
Out:   serial
Err:   serial
Net:   eth0: ethernet@8000000port@1

Hit any key to stop autoboot:  2  0 
=> ls mmc 1
  1113787   tispl.bin
   279289   tiboot3-am62x-gp-evm.bin
   281878   tiboot3-am62x-hs-evm.bin
   281878   tiboot3-am62x-hs-fs-evm-am62xx-evm-k3r5-2025.01+git-r0_tisdk_6.bin
   281878   tiboot3-am62x-hs-fs-evm.bin
   284386   tiboot3-capsule.bin
   284354   tiboot3.bin
    12285   ti_logo_414x97_32bpp.bmp.gz
  1389827   u-boot.img
      574   uEnv.txt
            .Trash-1000/
            am62_11.1.5.3_prebuilt/
    62110   k3-am625-sk.dtb_sign_enc.bin
     1739   signed_1.bin
     1739   signed_7.bin
            System Volume Information/

13 file(s), 3 dir(s)

=> load mmc 1 $loadaddr signed_1.bin; tisci_verify $loadaddr $filesize
1739 bytes read in 3 ms (565.4 KiB/s)
Authentication passed
=> load mmc 1 $loadaddr signed_7.bin; tisci_verify $loadaddr $filesize
1739 bytes read in 2 ms (848.6 KiB/s)
ti_sci system-controller@44043000: Message not acknowledged
Authentication failed!
### ERROR ### Please RESET the board ###