• State Resolved
  • Locked Locked
  • Replies 8 replies
  • Subscribers 98 subscribers
  • Views 512 views
  • Users 0 members are here
Support feedback
Options
Options
Related

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

AM623: HS-SE device boot failed

Andy Yu
Prodigy 175 points

Part Number: AM623

Hi TI-expert,

I makd a HS-SE device by using dummy_key for test.

After device HS-SE(check by using parse_uart_boot_socid.py)

According to security document AM62x_Secure_SDK.

It seems that A53 SPL auth has somthing wrong.

I cehced p.17, and use tispl.bin_HS to boot device, but A53 SPL Authentication still failed.

Could you teach me that do I miss any part?

Best regards,

Andy

  • 0
    TI__Guru 74310 points

    Hello Andy,
    The log seems pointing to A53-SPL authentication failure.
    When building u-boot, did you set path
    $ export TI_SECURE_DEV_PKG=<path-to-board-support-directory>/core-secdev-k3
    software-dl.ti.com/.../UG-General-Info.html

    Best,
    -Hong

  • 0 in reply to Hong Guan64
    Prodigy 175 points

    Hi Hong,

    Yes, we set path as below:

            export TI_SECURE_DEV_PKG=/opt/ecs/board-support/core-secdev-k3

    Also, I copy the smpk.pem from keywriter to the core-secdev-k3/keys/custMpk.pem
    Best regards,Andy

  • 0 in reply to Andy Yu
    Prodigy 175 points

    Hi Hong,

    I use gen_keywr_cert.sh to generate Customer key and test gagin.

    But the ATF auth faild.
    Test flow:

    1. The key is generated by ./gen_keywr_cert.sh -g

    2. The keywriter : ./gen_keywr_cert.sh --msv 0xC0FFE -t tifek/ti_fek_public.pem -a keys/aes256.key -b keys/bmpk.pem --bmek keys/bmek.key -s keys/smpk.pem --smek keys/smek.key --keycnt 2 --keyrev 1

    3.copy smpk.pem to TI_SECURE_DEV_PKG/keys/custMpk.pem

    4.Before build U-Boot, Sign ATF (bl31.bin), TEE (bl32.bin), & DM-FW
        $TI_SECURE_DEV_PKG/scripts/secure-binary-image.sh /opt/ecs/board-support/prebuilt-images/bl31.bin /opt/ecs/board-support/prebuilt-images/bl31.bin.signed
        $TI_SECURE_DEV_PKG/scripts/secure-binary-image.sh /opt/ecs/board-support/prebuilt-images/bl32.bin /opt/ecs/board-support/prebuilt-images/bl32.bin.signed
        $TI_SECURE_DEV_PKG/scripts/secure-binary-image.sh /opt/ecs/board-support/prebuilt-images/ipc_echo_testb_mcu1_0_release_strip.xer5f /opt/ecs/board-support/prebuilt-images/ipc_echo_testb_mcu1_0_release_strip.xer5f.signed
    5.set path
    export ATF_FILE="$TISDK_PATH/board-support/prebuilt-images/bl31.bin.signed"
    export TEE_FILE="$TISDK_PATH/board-support/prebuilt-images/bl32.bin.signed“
    export DM_FILE="$TISDK_PATH/board-support/prebuilt-images/ ipc_echo_testb_mcu1_0_release_strip.xer5f
    ipc_echo_testb_mcu1_0_release_strip.xer5f.signed“

    Boot Log:
    U-Boot SPL 2021.01 (Aug 21 2023 - 07:28:12 +0000)
    SYSFW ABI: 3.1 (firmware rev 0x0008 '8.6.4--v08.06.04 (Chill Capybar')
    SPL initial stack usage: 13424 bytes
    Trying to boot from MMC2
    ti_sci system-controller@44043000: Message not acknowledgedAuthentication failed!
    ### ERROR ### Please RESET the board ###

    Best regards,

    Andy

  • 0 in reply to Andy Yu
    Prodigy 175 points

    Hi Hong,
    Is this problem caused by the fact that I used "--msv 0xCOFFE" and "-a keys/aes256.key", but didn't configure Incremental?

    Keywriter user guild document 6.2:software-dl.ti.com/.../AM62X_OTP_Keywriter_User_Guide_08_06_00.pdf
    Best regards,

    Andy

  • 0 in reply to Andy Yu
    TI__Guru 74310 points
    Andy Yu said:
    3.copy smpk.pem to TI_SECURE_DEV_PKG/keys/custMpk.pem

    The same TI testing key set (SMPK/SMEK) are included in both the OTP KW package and Linux SDK under "core-secdev-k3/keys/". It is not necessary to copy them over if the TI testing key set is used in your testing.

    Andy Yu said:
    4.Before build U-Boot, Sign ATF (bl31.bin), TEE (bl32.bin), & DM-FW

    bl31.bin, bl32.bin, ipc_echo_testb_mcu1_0_release_strip.xer5f under "board-support/prebuilt-images" are signed ones.

    Best,
    -Hong

  • 0 in reply to Hong Guan64
    Prodigy 175 points

    Hi Hong,

    I don't understand. I already use ./gen_keywr_cert.sh -g to generate random keys.

    And use these keys to make a new HS-SE board.

    In this case, do I need to change custMpk.pem?

    gen_keywr_cert.sh -g code use "rand 32":

    	-g|--gen)
	echo "# Generating random keys in keys/folder"
	mkdir -p keys
	openssl rand 32 > keys/aes256.key
	openssl genrsa -out keys/smpk.pem 4096
	openssl genrsa -out keys/bmpk.pem 4096
	openssl rand 32 > keys/smek.key
	openssl rand 32 > keys/bmek.key

    Best regards,

    Andy

  • 0 in reply to Andy Yu
    Prodigy 175 points

    Hi Hong,

    Because "-a keys/aes256.key" seems to be part of "Incremental Programming,"

    but I only need "smek, smpk, bmek, bmpk," so I want to create another HS-SE device.

    Could you please help me verify if the following process is feasible?

    1.Using keys in the keys/ folder (keys was generated by ./gen_keywr_cert.sh -g)

    2.Generate certificates:

    ./gen_keywr_cert.sh -t tifek/ti_fek_public.pem -b keys/bmpk.pem --bmek keys/bmek.key -s keys/smpk.pem --smek keys/smek.key --keycnt 2 --keyrev 1

    3.Build the keywriter.

    4.Copy smpk.epm to TI_SECURE_DEV_PKG/keys/custMpk.pem

    5.Download keywriter(tiboot3) to device

    6.Build HS-SE image and create SD card

    7.boot by SD card

    Best regards,

    Andy

  • +1 in reply to Andy Yu
    TI__Guru 74310 points
    Andy Yu said:
    Because "-a keys/aes256.key" seems to be part of "Incremental Programming,"

    From the block diagram in "3.1 Generating x509 certificate from customer HSM" in AM62x OTP KW user guide, The AES-256 key is used purely to encrypt user's key material in transit, but the AES-256 is never programmed to OTP efuse.

    Andy Yu said:

    I only need "smek, smpk, bmek, bmpk," so I want to create another HS-SE device.

    Could you please help me verify if the following process is feasible?

    If you generated the new key set with " ./gen_keywr_cert.sh -g" option, your listed steps looks good,
    where the newly generated key set needs to be copied to "TI_SECURE_DEV_PKG/keys/" folder as step #4.
    Note that all binaries built out of Linux SDK needs to re-signed with the new SMPK, especially the prebuilt/signed ones (i.e. ATF/OPTEE).

    Hong Guan64 said:
    bl31.bin, bl32.bin, ipc_echo_testb_mcu1_0_release_strip.xer5f under "board-support/prebuilt-images" are signed ones.

    refer to this e2e:
    https://e2e.ti.com/support/processors-group/processors/f/processors-forum/1246915/am625-tiboot3-bin-uart-xmodem-file-transfer/4729158#4729158

    Best,
    -Hong