AM623: Secure key and x.509 sign image

Part Number: AM623

Hi TI-expert,

According to "AM62X OTP Keywriter User Guide", "3.2.2 Program everything at once", I used the commands below to generate the key and x509.

./gen_keywr_cert.sh -g
./gen_keywr_cert.sh -t tifek/ti_fek_public.pem -a keys/aes256.key --msv 0xC0FFE \
    -b keys/bmpk.pem --bmek keys/bmek.key -s keys/smpk.pem --smek keys/smek.key --keycnt 2 --keyrev 1

Private keys "smek.key" and "bmek.key" are stored on a USB device for security purposes.

Public keys "smpk.pem" and "bmpk.pem" are put in board-support/core-secdev-k3/keys (smpk.pem renamed to custMpk.pem).

The x509-template is put in board-support/core-secdev-k3/scripts/x509-template.txt

P.S. openssl version: OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

1. Is the above flow correct? Did I miss any part?

2. Where do I put aes256.key?

3. According to the document AM62X Secure SDK p19, Sign Kernel:

$TI_SECURE_DEV_PKG/scripts/secure-binary-image.sh Image Image.sec

But the Makefile uses Image.gz:

${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh arch/arm64/boot/Image.gz linux.bin.sec

And it shows the error logs below. Should I use "Image" to replace "Image.gz"?

cd /company/board-support/linux-5.10.168+gitAUTOINC+2c23e6c538-g2c23e6c538; \
	/company/board-support/core-secdev-k3/scripts/secure-binary-image.sh arch/arm64/boot/Image.gz linux.bin.sec
arch/arm64/boot/Image.gz: No such file or directory
80CBB1893F7F0000:error:80000002:system library:file_ctrl:No such file or directory:../crypto/bio/bss_file.c:297:calling fopen(arch/arm64/boot/Image.gz, r)
80CBB1893F7F0000:error:10080002:BIO routines:file_ctrl:system lib:../crypto/bio/bss_file.c:300:
cat: arch/arm64/boot/Image.gz: No such file or directory
Error checking x509 extension section v3_ca
803B69F93F7F0000:error:07800066:common libcrypto routines:hexstr2buf_sep:illegal hex digit:../crypto/o_str.c:160:
803B69F93F7F0000:error:068000B2:asn1 encoding routines:asn1_str2type:illegal hex:../crypto/asn1/asn1_gen.c:695:string=PUT_ENC_AES_KEY
803B69F93F7F0000:error:11000074:X509 V3 routines:v3_generic_extension:extension value error:../crypto/x509/v3_conf.c:256:value=SEQUENCE:enc_aes_key
cat: arch/arm64/boot/Image.gz: No such file or directory

4. When I build linux-fitImage, the Makefile uses secure-binary-image.sh to encrypt all of the .dtb files, but it shows the x.509 ca error below.

How do I fix it?

cd /company/board-support/linux-5.10.168+gitAUTOINC+2c23e6c538-g2c23e6c538/arch/arm64/boot/dts; \
	for DTB in      ti/k3-am625-sk.dtb     ti/k3-am625-skeleton.dtb     ti/k3-am625-sk-lpmdemo.dtb     ti/k3-am625-sk-csi2-ov5640.dtbo     ti/k3-am625-sk-csi2-tevi-ov5640.dtbo     ti/k3-am625-sk-ecap-capture.dtbo     ti/k3-am625-sk-hdmi-audio.dtbo     ti/k3-am625-sk-mcan.dtbo     ti/k3-am625-sk-oldi-panel.dtbo  ; do \
		/company/board-support/core-secdev-k3/scripts/secure-binary-image.sh $DTB $DTB.sec; \
	done;
Error checking x509 extension section v3_ca
80CB861A027F0000:error:07800066:common libcrypto routines:hexstr2buf_sep:illegal hex digit:../crypto/o_str.c:160:
80CB861A027F0000:error:068000B2:asn1 encoding routines:asn1_str2type:illegal hex:../crypto/asn1/asn1_gen.c:695:string=PUT_ENC_AES_KEY
80CB861A027F0000:error:11000074:X509 V3 routines:v3_generic_extension:extension value error:../crypto/x509/v3_conf.c:256:value=SEQUENCE:enc_aes_key
Error checking x509 extension section v3_ca
80BB4B75757F0000:error:07800066:common libcrypto routines:hexstr2buf_sep:illegal hex digit:../crypto/o_str.c:160:
80BB4B75757F0000:error:068000B2:asn1 encoding routines:asn1_str2type:illegal hex:../crypto/asn1/asn1_gen.c:695:string=PUT_ENC_AES_KEY
80BB4B75757F0000:error:11000074:X509 V3 routines:v3_generic_extension:extension value error:../crypto/x509/v3_conf.c:256:value=SEQUENCE:enc_aes_key
Error checking x509 extension section v3_ca
80EB67A1B07F0000:error:07800066:common libcrypto routines:hexstr2buf_sep:illegal hex digit:../crypto/o_str.c:160:
80EB67A1B07F0000:error:068000B2:asn1 encoding routines:asn1_str2type:illegal hex:../crypto/asn1/asn1_gen.c:695:string=PUT_ENC_AES_KEY
80EB67A1B07F0000:error:11000074:X509 V3 routines:v3_generic_extension:extension value error:../crypto/x509/v3_conf.c:256:value=SEQUENCE:enc_aes_key
Error checking x509 extension section v3_ca
80BBA75F5C7F0000:error:07800066:common libcrypto routines:hexstr2buf_sep:illegal hex digit:../crypto/o_str.c:160:
80BBA75F5C7F0000:error:068000B2:asn1 encoding routines:asn1_str2type:illegal hex:../crypto/asn1/asn1_gen.c:695:string=PUT_ENC_AES_KEY
80BBA75F5C7F0000:error:11000074:X509 V3 routines:v3_generic_extension:extension value error:../crypto/x509/v3_conf.c:256:value=SEQUENCE:enc_aes_key
Error checking x509 extension section v3_ca
806BF7BDAA7F0000:error:07800066:common libcrypto routines:hexstr2buf_sep:illegal hex digit:../crypto/o_str.c:160:
806BF7BDAA7F0000:error:068000B2:asn1 encoding routines:asn1_str2type:illegal hex:../crypto/asn1/asn1_gen.c:695:string=PUT_ENC_AES_KEY
806BF7BDAA7F0000:error:11000074:X509 V3 routines:v3_generic_extension:extension value error:../crypto/x509/v3_conf.c:256:value=SEQUENCE:enc_aes_key
Error checking x509 extension section v3_ca
809BCD005A7F0000:error:07800066:common libcrypto routines:hexstr2buf_sep:illegal hex digit:../crypto/o_str.c:160:
809BCD005A7F0000:error:068000B2:asn1 encoding routines:asn1_str2type:illegal hex:../crypto/asn1/asn1_gen.c:695:string=PUT_ENC_AES_KEY
809BCD005A7F0000:error:11000074:X509 V3 routines:v3_generic_extension:extension value error:../crypto/x509/v3_conf.c:256:value=SEQUENCE:enc_aes_key
Error checking x509 extension section v3_ca
809BF852087F0000:error:07800066:common libcrypto routines:hexstr2buf_sep:illegal hex digit:../crypto/o_str.c:160:
809BF852087F0000:error:068000B2:asn1 encoding routines:asn1_str2type:illegal hex:../crypto/asn1/asn1_gen.c:695:string=PUT_ENC_AES_KEY
809BF852087F0000:error:11000074:X509 V3 routines:v3_generic_extension:extension value error:../crypto/x509/v3_conf.c:256:value=SEQUENCE:enc_aes_key
Error checking x509 extension section v3_ca
803B9674617F0000:error:07800066:common libcrypto routines:hexstr2buf_sep:illegal hex digit:../crypto/o_str.c:160:
803B9674617F0000:error:068000B2:asn1 encoding routines:asn1_str2type:illegal hex:../crypto/asn1/asn1_gen.c:695:string=PUT_ENC_AES_KEY
803B9674617F0000:error:11000074:X509 V3 routines:v3_generic_extension:extension value error:../crypto/x509/v3_conf.c:256:value=SEQUENCE:enc_aes_key
Error checking x509 extension section v3_ca
80EBBF720C7F0000:error:07800066:common libcrypto routines:hexstr2buf_sep:illegal hex digit:../crypto/o_str.c:160:
80EBBF720C7F0000:error:068000B2:asn1 encoding routines:asn1_str2type:illegal hex:../crypto/asn1/asn1_gen.c:695:string=PUT_ENC_AES_KEY
80EBBF720C7F0000:error:11000074:X509 V3 routines:v3_generic_extension:extension value error:../crypto/x509/v3_conf.c:256:value=SEQUENCE:enc_aes_key
cd /opt/ecs/board-support/linux-5.10.168+gitAUTOINC+2c23e6c538-g2c23e6c538; \
	/opt/ecs/board-support/core-secdev-k3/scripts/secure-binary-image.sh arch/arm64/boot/Image.gz linux.bin.sec
arch/arm64/boot/Image.gz: No such file or directory
80CBB1893F7F0000:error:80000002:system library:file_ctrl:No such file or directory:../crypto/bio/bss_file.c:297:calling fopen(arch/arm64/boot/Image.gz, r)
80CBB1893F7F0000:error:10080002:BIO routines:file_ctrl:system lib:../crypto/bio/bss_file.c:300:
cat: arch/arm64/boot/Image.gz: No such file or directory
Error checking x509 extension section v3_ca
803B69F93F7F0000:error:07800066:common libcrypto routines:hexstr2buf_sep:illegal hex digit:../crypto/o_str.c:160:
803B69F93F7F0000:error:068000B2:asn1 encoding routines:asn1_str2type:illegal hex:../crypto/asn1/asn1_gen.c:695:string=PUT_ENC_AES_KEY
803B69F93F7F0000:error:11000074:X509 V3 routines:v3_generic_extension:extension value error:../crypto/x509/v3_conf.c:256:value=SEQUENCE:enc_aes_key

Best regards,

Andy
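
The `illegal hex` errors in the logs above name the literal string `PUT_ENC_AES_KEY` as the value OpenSSL tried to decode as hex, and the first error is a missing input file. As an added example (not part of the original post and not TI's tooling), this shell preflight flags unfilled `FORMAT:HEX` fields and unreadable inputs before a signing script runs; the sample template, its OIDs and the `val` field name are constructed placeholders.

```shell
#!/bin/sh
# Added example: preflight for an OpenSSL x509 config template and signing inputs.

# Constructed sample; OIDs and field names are placeholders, not TI's template.
write_sample_template() {
cat > "$1" <<'EOF'
[ v3_ca ]
1.2.3.4 = ASN1:SEQUENCE:enc_aes_key
1.2.3.5 = ASN1:SEQUENCE:filled_field

[ enc_aes_key ]
val = FORMAT:HEX,OCT:PUT_ENC_AES_KEY

[ filled_field ]
val = FORMAT:HEX,OCT:00112233aabbccdd
EOF
}

# Print "section<TAB>key<TAB>value" for each FORMAT:HEX field whose value is
# not plain hex digit pairs; return 1 if any such field exists.
check_x509_template() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*\[/ { sec = $0; gsub(/^[ \t]*\[[ \t]*|[ \t]*\].*$/, "", sec); next }
        /FORMAT:HEX/ {
            key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
            val = $0; sub(/.*FORMAT:HEX[^:]*:/, "", val); gsub(/[ \t\r]/, "", val)
            if (val !~ /^([0-9A-Fa-f][0-9A-Fa-f])+$/) {
                printf "%s\t%s\t%s\n", sec, key, val; bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# preflight TEMPLATE INPUT...: fail before signing if any input file is
# unreadable or the template still holds a non-hex placeholder.
preflight() {
    tmpl=$1; shift; rc=0
    for f in "$@"; do
        [ -r "$f" ] || { echo "missing input: $f" >&2; rc=1; }
    done
    check_x509_template "$tmpl" >&2 || rc=1
    return $rc
}

demo=$(mktemp)
write_sample_template "$demo"
preflight "$demo" arch/arm64/boot/Image.gz || echo "preflight failed" >&2
rm -f "$demo"
```

Running `preflight` as the first step of a signing target stops the build on the first unfilled field instead of emitting one OpenSSL error block per image.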