
DRA829 QNX what input does example app decrypt_app expect?


Hello TI experts,

As its name indicates, decrypt_app expects an encrypted binary file as input. I tried a few times, but it always fails, including with an application crash.

My question is, does the original file need to be encrypted ONLY with the customer MEK? And does it need to be signed with the active customer MPK? By the way, we are testing this application on an HS device.

Do I need to follow the steps described in this link: Signing an encrypted binary for secure boot?

Thanks and regards

  • Hi,

    The decrypt_app will only work on an HS device, which you have indicated is being used in the testing. If the test is being run on a GP device, a failure is expected. Will work to get the documentation updated to reflect this.

    Regarding the image to be used, the last time I had used the app, it had been with atf_optee.appimage.signed.encrypted, which was built from the SDK.

    Regards,

    kb

  • Hello KB,

    Sorry for replying late.

    I checked the source code of decrypt_app and found that the example app searches for TI x509 extension 1.3.6.1.4.1.294.1.1, which is used for TI boot info, and it uses the TISCI_MSG_PROC_AUTH_BOOT message. But my use scenario is, QNX runs on 2 A72 cores, and after QNX starts up, when a user downloads a file (signed and encrypted with the customer SMPK/SMEK) to the device, a receiver QNX application on the device authenticates the signature and decrypts the file, so it has nothing to do with booting a core. So I am not sure if TISCI_MSG_PROC_AUTH_BOOT can be used this way.

    My question is, is it possible to authenticate and decrypt a file without causing ANY processor/core to boot, in QNX user space, with the TISCI_MSG_PROC_AUTH_BOOT message?

    If yes, what X509 extensions does this message expect? In chapter 4.5, "Boot Image Format" of the J721E DRA829/TDA4VM TRM, it says, "Boot Info (OID 1.3.6.1.4.1.294.1.1) must be present on all boot images. It is from this extension that the image length is extracted.", so I guess OID 1.3.6.1.4.1.294.1.1 should be mandatory. Then comes the integrity information: should I use OID 1.3.6.1.4.1.294.1.2 (Image Integrity) or OID 1.3.6.1.4.1.294.1.34 (System Firmware Image Integrity) for integrity? For encryption, it seems there is only one choice, 1.3.6.1.4.1.294.1.4 (System Firmware Encryption). Since I DO NOT want to boot any core, and just need to authenticate and decrypt it in place, how do I achieve this? With OID 1.3.6.1.4.1.294.1.35 (System Firmware Load Extension) by setting "authInPlace=2"? But in Boot Info (OID 1.3.6.1.4.1.294.1.1), there is already a "loadaddr" field.

    BR
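As an added illustration of the Boot Info lookup discussed in the post above (this is not code from the thread or from TI's decrypt_app): a minimal DER walker that finds extension 1.3.6.1.4.1.294.1.1 in an X.509 Extensions block and reads the image length from it. The Boot Info field order (bootCore, certType, bootCoreOpts, destAddr, imageSize) and the sample extension bytes are assumptions constructed for this example.

```python
# Added example (not TI's decrypt_app code). Locates the TI Boot Info extension
# (OID 1.3.6.1.4.1.294.1.1) in a DER X.509 Extensions block and reads imageSize.
TI_BOOT_INFO_OID = "1.3.6.1.4.1.294.1.1"

def _tlv(buf, pos):                      # one DER TLV -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long-form length (n length bytes follow)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _items(seq):                         # iterate the TLVs inside a SEQUENCE body
    pos = 0
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        yield tag, val

def _decode_oid(raw):                    # DER OID body -> dotted string
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                    # base-128, high bit = continuation
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def find_extension(extensions_der, oid): # extnValue body of matching Extension, or None
    for _, ext in _items(_tlv(extensions_der, 0)[1]):
        _, raw_oid, p = _tlv(ext, 0)     # extnID OBJECT IDENTIFIER
        if _tlv(ext, p)[0] == 0x01:      # skip optional critical BOOLEAN
            _, _, p = _tlv(ext, p)
        if _decode_oid(raw_oid) == oid:
            return _tlv(ext, p)[1]       # extnValue OCTET STRING contents
    return None

def parse_boot_info(extensions_der):
    value = find_extension(extensions_der, TI_BOOT_INFO_OID)
    if value is None:
        raise ValueError("TI Boot Info extension 1.3.6.1.4.1.294.1.1 missing")
    fields = [v for _, v in _items(_tlv(value, 0)[1])]
    # Field order assumed from TI's public x509 templates, not from the thread.
    names = ("bootCore", "certType", "bootCoreOpts", "destAddr", "imageSize")
    if len(fields) != len(names):
        raise ValueError("unexpected Boot Info layout")
    return {n: v.hex() if n == "destAddr" else int.from_bytes(v, "big")
            for n, v in zip(names, fields)}

SAMPLE_EXTENSIONS = bytes.fromhex(       # constructed: basicConstraints, then Boot Info
    "3039" "300f0603551d130101ff040530030101ff"              # basicConstraints, critical
    "3026" "06092b0601040182260101" "0419" "3017" "020110"   # extnID, extnValue, bootCore
    "020101" "020100" "04080000000041c00000" "02021f40")     # certType .. imageSize 0x1F40
```

Running `parse_boot_info(SAMPLE_EXTENSIONS)` returns the decoded fields, with `imageSize` 8000; a signed image whose certificate lacks the Boot Info extension raises instead of being silently accepted.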

  • Hi,

    Regarding "My question is, is it possible to authenticate and decrypt a file without causing ANY processor/core to boot in QNX user space with TISCI_MSG_PROC_AUTH_BOOT message?", I assume you are looking at this as part of the boot flow.

    The MCU R5 will always be the primary boot core. After performing whatever desired functionality, it must be left with SciServer running. If the MCU R5 is running minimum content and then handing off the rest of the boot flow to the A72, the MCU R5 would need to be left running the SciServer. As long as the SciServer is running on the MCU R5, the A72 will be able to make use of TISCI_MSG_PROC_AUTH_BOOT to load/authenticate images for the other cores.

    For the 2nd part of your question, I will loop someone in.

    Regards,

    kb

  • Hello KB,

    I noticed that the latest TISCI document has been updated, and "Generic Data" is covered now. I followed the steps and it works. Thank you very much!

    Yongfeng