Hi,
I am the customer the linked topic request originated from. I finally managed to solve the issue and thought I would share my observations.
This is the command line I'm executing gen_keywr_cert with:
./gen_keywr_cert.sh -t tifek/am64x/ti_fek_public.pem -a am64-keys/aes256.key -s am64-keys/smpk.pem --smek am64-keys/smek.key -s-wp --smek-wp -b am64-keys/bmpk.pem --bmek am64-keys/bmek.key -b-wp --bmek-wp --keycnt 2 --keyrev 1
But the issue doesn't lie here. I analyzed the certificate template the keywriter copies and writes (sed) keys into, and looking at config_template.txt one can see these 3 keys:
1.3.6.1.4.1.294.1.78 = ASN1:SEQUENCE:plain_swrev_sysfw
1.3.6.1.4.1.294.1.79 = ASN1:SEQUENCE:plain_swrev_sbl
1.3.6.1.4.1.294.1.80 = ASN1:SEQUENCE:plain_swrev_sec_brdcfg
[...]
[ plain_swrev_sysfw ]
# Replace PUT-PLAIN-SWREV-SYSFW with actual SWREV SYSFW value
val = FORMAT:HEX,OCT:PUT_PLAIN_SWREV_SYSFW
action_flags = INTEGER:PUT_ACTFLAG_PLAIN_SWREV_SYSFW
[ plain_swrev_sbl ]
# Replace PUT-PLAIN-SWREV-SBL with actual SWREV SBL value
val = FORMAT:HEX,OCT:PUT_PLAIN_SWREV_SBL
action_flags = INTEGER:PUT_ACTFLAG_PLAIN_SWREV_SBL
[ plain_swrev_sec_brdcfg ]
# Replace PUT-PLAIN-SWREV-SEC-BRDCFG with actual SWREV SEC BRDCFG value
val = FORMAT:HEX,OCT:PUT_PLAIN_SWREV_SEC_BRDCFG
action_flags = INTEGER:PUT_ACTFLAG_PLAIN_SWREV_SEC_BRDCFG
Simply remove them and it will do the trick.
Why did I remove these keys specifically? Well, the OTP Keywriter User Guide specifies that these keys shouldn't be programmed in the first place (page 6 in bold).
Also, before removing them, the generated primary_cert.bin was only slightly bigger than the 5.4 kB limit. Removing these 3 keys will make the certificate fall to 5.3 kB.
I did a lot of trial and error, and observed that the issue was coming from the 5.4 kB limit. There might be a deeper explanation for that, but again, these are my observations.
Regards
Pierre
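
The removal described in the post above, as an added example that is not part of the original post or of the keywriter tooling: a small filter that drops the three swrev OID lines and their sections from a copy of config_template.txt. It assumes the template follows the OpenSSL-style layout shown in the excerpt; `strip_sections`, the `kept_ext` and `trailing_ext` sections and the `1.2.3.4` OID are constructed for illustration.

```python
import re

# Section names taken from the config_template.txt excerpt in the post.
SWREV_SECTIONS = ("plain_swrev_sysfw", "plain_swrev_sbl", "plain_swrev_sec_brdcfg")

SECTION_RE = re.compile(r"^\s*\[\s*([^\]\s]+)\s*\]\s*$")                 # "[ name ]"
REF_RE = re.compile(r"^\s*([\d.]+)\s*=\s*ASN1:SEQUENCE:(\S+)\s*$")      # "oid = ASN1:SEQUENCE:name"

def strip_sections(template_text, names=SWREV_SECTIONS):
    """Return (new_text, removed_oids) with the named sections and the
    OID lines that reference them removed; everything else is kept verbatim."""
    out, removed, skipping = [], [], False
    for line in template_text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            # A new section header ends any skip and may start a new one.
            skipping = sec.group(1) in names
        if skipping:
            continue
        ref = REF_RE.match(line)
        if ref and ref.group(2) in names:
            removed.append(ref.group(1))
            continue
        out.append(line)
    return "\n".join(out) + "\n", removed

# Constructed sample: only the swrev lines mirror the post's excerpt.
SAMPLE = """\
[ extensions ]
1.2.3.4 = ASN1:SEQUENCE:kept_ext
1.3.6.1.4.1.294.1.78 = ASN1:SEQUENCE:plain_swrev_sysfw
1.3.6.1.4.1.294.1.79 = ASN1:SEQUENCE:plain_swrev_sbl
1.3.6.1.4.1.294.1.80 = ASN1:SEQUENCE:plain_swrev_sec_brdcfg

[ kept_ext ]
val = INTEGER:1

[ plain_swrev_sysfw ]
val = FORMAT:HEX,OCT:PUT_PLAIN_SWREV_SYSFW
action_flags = INTEGER:PUT_ACTFLAG_PLAIN_SWREV_SYSFW
[ plain_swrev_sbl ]
val = FORMAT:HEX,OCT:PUT_PLAIN_SWREV_SBL
action_flags = INTEGER:PUT_ACTFLAG_PLAIN_SWREV_SBL
[ plain_swrev_sec_brdcfg ]
val = FORMAT:HEX,OCT:PUT_PLAIN_SWREV_SEC_BRDCFG
action_flags = INTEGER:PUT_ACTFLAG_PLAIN_SWREV_SEC_BRDCFG
[ trailing_ext ]
val = INTEGER:2
"""

if __name__ == "__main__":
    text, removed = strip_sections(SAMPLE)
    print("removed OIDs:", removed)
    print(text, end="")
```

After filtering the real template, regenerate the certificate and compare the size of primary_cert.bin against the limit the post reports.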