AM623: HS-SE device boot failed

Hello Andy,
The log seems pointing to A53-SPL authentication failure.
When building u-boot, did you set path
$ export TI_SECURE_DEV_PKG=<path-to-board-support-directory>/core-secdev-k3
software-dl.ti.com/.../UG-General-Info.html

Best,
-Hong

Hi Hong,

Yes, we set path as below:

        export TI_SECURE_DEV_PKG=/opt/ecs/board-support/core-secdev-k3

Also, I copy the smpk.pem from keywriter to the core-secdev-k3/keys/custMpk.pem
Best regards,Andy

Hi Hong,

I use gen_keywr_cert.sh to generate Customer key and test gagin.

But the ATF auth faild.
Test flow:

1. The key is generated by ./gen_keywr_cert.sh -g

2. The keywriter : ./gen_keywr_cert.sh --msv 0xC0FFE -t tifek/ti_fek_public.pem -a keys/aes256.key -b keys/bmpk.pem --bmek keys/bmek.key -s keys/smpk.pem --smek keys/smek.key --keycnt 2 --keyrev 1

3.copy smpk.pem to TI_SECURE_DEV_PKG/keys/custMpk.pem

4.Before build U-Boot, Sign ATF (bl31.bin), TEE (bl32.bin), & DM-FW
    $TI_SECURE_DEV_PKG/scripts/secure-binary-image.sh /opt/ecs/board-support/prebuilt-images/bl31.bin /opt/ecs/board-support/prebuilt-images/bl31.bin.signed
    $TI_SECURE_DEV_PKG/scripts/secure-binary-image.sh /opt/ecs/board-support/prebuilt-images/bl32.bin /opt/ecs/board-support/prebuilt-images/bl32.bin.signed
    $TI_SECURE_DEV_PKG/scripts/secure-binary-image.sh /opt/ecs/board-support/prebuilt-images/ipc_echo_testb_mcu1_0_release_strip.xer5f /opt/ecs/board-support/prebuilt-images/ipc_echo_testb_mcu1_0_release_strip.xer5f.signed
5.set path
export ATF_FILE="$TISDK_PATH/board-support/prebuilt-images/bl31.bin.signed"
export TEE_FILE="$TISDK_PATH/board-support/prebuilt-images/bl32.bin.signed“
export DM_FILE="$TISDK_PATH/board-support/prebuilt-images/ ipc_echo_testb_mcu1_0_release_strip.xer5f
ipc_echo_testb_mcu1_0_release_strip.xer5f.signed“

Boot Log:
U-Boot SPL 2021.01 (Aug 21 2023 - 07:28:12 +0000)
SYSFW ABI: 3.1 (firmware rev 0x0008 '8.6.4--v08.06.04 (Chill Capybar')
SPL initial stack usage: 13424 bytes
Trying to boot from MMC2
ti_sci system-controller@44043000: Message not acknowledgedAuthentication failed!
### ERROR ### Please RESET the board ###

Best regards,

Andy

Hi Hong,
Is this problem caused by the fact that I used "--msv 0xCOFFE" and "-a keys/aes256.key", but didn't configure Incremental?

Keywriter user guild document 6.2:software-dl.ti.com/.../AM62X_OTP_Keywriter_User_Guide_08_06_00.pdf
Best regards,

Andy

Andy Yu said:

3.copy smpk.pem to TI_SECURE_DEV_PKG/keys/custMpk.pem

The same TI testing key set (SMPK/SMEK) are included in both the OTP KW package and Linux SDK under "core-secdev-k3/keys/". It is not necessary to copy them over if the TI testing key set is used in your testing.

Andy Yu said:

4.Before build U-Boot, Sign ATF (bl31.bin), TEE (bl32.bin), & DM-FW

bl31.bin, bl32.bin, ipc_echo_testb_mcu1_0_release_strip.xer5f under "board-support/prebuilt-images" are signed ones.

Best,
-Hong

Hi Hong,

I don't understand. I already use ./gen_keywr_cert.sh -g to generate random keys.

And use these keys to make a new HS-SE board.

In this case, do I need to change custMpk.pem?

gen_keywr_cert.sh -g code use "rand 32":

	-g|--gen)
	echo "# Generating random keys in keys/folder"
	mkdir -p keys
	openssl rand 32 > keys/aes256.key
	openssl genrsa -out keys/smpk.pem 4096
	openssl genrsa -out keys/bmpk.pem 4096
	openssl rand 32 > keys/smek.key
	openssl rand 32 > keys/bmek.key

Best regards,

Andy

Hi Hong,

Because "-a keys/aes256.key" seems to be part of "Incremental Programming,"

but I only need "smek, smpk, bmek, bmpk," so I want to create another HS-SE device.

Could you please help me verify if the following process is feasible?

1.Using keys in the keys/ folder (keys was generated by ./gen_keywr_cert.sh -g)

2.Generate certificates:

./gen_keywr_cert.sh -t tifek/ti_fek_public.pem -b keys/bmpk.pem --bmek keys/bmek.key -s keys/smpk.pem --smek keys/smek.key --keycnt 2 --keyrev 1

3.Build the keywriter.

4.Copy smpk.epm to TI_SECURE_DEV_PKG/keys/custMpk.pem

5.Download keywriter(tiboot3) to device

6.Build HS-SE image and create SD card

7.boot by SD card

Best regards,

Andy