AM625: Secure Boot and Compiling

Part Number: AM625

Hi Support Team,

I am using proc-sdk version 09.00.00.03. I am following the GP to HS-FS Migration Guide in Foundational Components; I dumped my device with your parse_uart_boot_socid.py script. Here is the output:
(I have the "tispl.bin", "u-boot.img" and "tiboot3-am62x-hs-fs-evm.bin" u-boot images in the SD card boot partition)
-----------------------
SoC ID Header Info:
-----------------------
('NumBlocks :', 2)
-----------------------
SoC ID Public ROM Info:
-----------------------
('SubBlockId :', 1)
('SubBlockSize :', 26)
('DeviceName :', 'am62x')
('DeviceType :', 'HSFS')
('DMSC ROM Version :', [0, 1, 0, 1])
('R5 ROM Version :', [0, 1, 0, 1])
-----------------------
SoC ID Secure ROM Info:
-----------------------
('Sec SubBlockId :', 2)
('Sec SubBlockSize :', 166)
('Sec Prime :', 0)
('Sec Key Revision :', 0)
('Sec Key Count :', 0)
('Sec TI MPK Hash :', 'd68ecb2c055dff11ade95bd927e837d2a53bc23b0a2800cebce4f106bcf309df2213912d77a157a8b7c2df40672a06a918034aa4c7d603e462481475225d49b8')
('Sec Cust MPK Hash :', 'ad0bc40b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000')
('Sec Unique ID :', '04c40db1a17011ffa2ae724066b3965b54c0e269e03d251c57b4e4e4e8728961')


You say "device do not force authentication for booting" for the HS-FS device type, but I see "Authentication passed" logs when I try to boot up:

U-Boot SPL 2023.04-g24098ea90d (Jul 06 2023 - 12:59:40 +0000)
SYSFW ABI: 3.1 (firmware rev 0x0009 '9.0.5--v09.00.05 (Kool Koala)')
SPL initial stack usage: 13376 bytes
Trying to boot from MMC2
Authentication passed
Authentication passed
Authentication passed
Authentication passed
Authentication passed
Starting ATF on ARM64 core...

NOTICE: BL31: v2.8(release):v2.8-226-g2fcd408bb3-dirty
NOTICE: BL31: Built : 00:42:57, Jan 13 2023

U-Boot SPL 2023.04-g24098ea90d (Jul 06 2023 - 12:59:40 +0000)
SYSFW ABI: 3.1 (firmware rev 0x0009 '9.0.5--v09.00.05 (Kool Koala)')
SPL initial stack usage: 1856 bytes
Error (-2): cannot determine file size
Trying to boot from MMC2
Authentication passed
Authentication passed

In the same document, you say "On HS-FS device, unsigned images will boot but we will see a “Skipping authentication” warning in the console output". I do not see any log about it, although I am using unsigned images. What is the reason for that? Does it mean that there is a key flashed in OTP? If so, how does the Yocto build use this key, because I do not export any TI_SECURE_DEV_PKG environment variable for the Yocto build?

Another issue: how can I enable compiling of _HS images? I see that TI_SECURE_DEV_PKG is defined in Rules.make, but I still cannot see any _HS images in the output.
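As an added example (not from this thread and not TI's script): a small parser for the SoC ID dump format printed above that pulls out DeviceType, Sec Key Count and Sec Key Revision and turns them into a secure-boot summary a reviewer can check at a glance. It assumes the device-type strings GP and HSSE (only HSFS appears on the page), that Sec Key Count is the number of customer keys programmed in OTP, and the short ROM-policy descriptions; the sample dump is constructed from the values posted above.

```python
import ast

# Constructed sample: the SoC ID dump from the post above, values as posted.
SOCID_DUMP = """\
-----------------------
SoC ID Public ROM Info:
-----------------------
('SubBlockId :', 1)
('DeviceName :', 'am62x')
('DeviceType :', 'HSFS')
('DMSC ROM Version :', [0, 1, 0, 1])
-----------------------
SoC ID Secure ROM Info:
-----------------------
('Sec Key Revision :', 0)
('Sec Key Count :', 0)
('Sec TI MPK Hash :', 'd68ecb2c055dff11ade95bd927e837d2a53bc23b0a2800cebce4f106bcf309df2213912d77a157a8b7c2df40672a06a918034aa4c7d603e462481475225d49b8')
('Sec Cust MPK Hash :', 'ad0bc40b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000')
"""

# Assumed mapping of device-type strings to what ROM enforces (HSFS is on the
# page; GP and HSSE strings and the policy wording are assumptions).
ROM_POLICY = {
    "GP":   "no image authentication",
    "HSFS": "TI key only; no customer key provisioned, customer auth not enforced",
    "HSSE": "customer MPK enforced; only customer-signed images boot",
}

def parse_socid(text):
    """Turn the tuple-per-line dump into a dict, dropping banners/separators."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("("):
            continue  # 'SoC ID ...' headings and '----' rows
        label, value = ast.literal_eval(line)   # e.g. ('DeviceType :', 'HSFS')
        fields[label.rstrip(" :")] = value      # strip the trailing ' :' label suffix
    return fields

def secure_boot_summary(fields):
    """Summarise the provisioning state; assumes Sec Key Count counts customer keys."""
    dtype = fields.get("DeviceType", "unknown")
    ti_hash = fields.get("Sec TI MPK Hash", "")
    return {
        "device_type": dtype,
        "rom_policy": ROM_POLICY.get(dtype, "unknown device type"),
        "customer_keys_provisioned": fields.get("Sec Key Count", 0) > 0,
        "customer_key_revision": fields.get("Sec Key Revision", 0),
        # A SHA-512 hash is 64 bytes, i.e. 128 hex characters.
        "ti_mpk_hash_well_formed": len(ti_hash) == 128 and all(c in "0123456789abcdef" for c in ti_hash),
    }

if __name__ == "__main__":
    for k, v in secure_boot_summary(parse_socid(SOCID_DUMP)).items():
        print(f"{k}: {v}")
```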

  • Hello Veysel,
    - BINMAN was introduced starting from SDK 9.0
    There is an earlier e2e discussion on BINMAN in the SDK for your reference.
    e2e.ti.com/.../4798300

    software-dl.ti.com/.../UG-General-Info.html
    "Note
    As of Processor SDK 9.0, compilation of bootloader images will no longer require different defconfigs for GP and HS devices.
    The same build commands will generate images for GP, HS-SE and HS-FS devices."

    Best,
    -Hong

  • Hi Hong,
    Thank you for your support.

    As far as I understand, if I compile u-boot with respect to the instructions here:

    https://git.ti.com/gitweb?p=ti-u-boot/ti-u-boot.git;a=blob;f=doc/board/ti/am62x_sk.rst;h=e4d58b49589a11d9254ac0c83b2963be25c79a2d;hb=17fb265d515be927cf3e45b2e871134e78da66d6

    I will be able to achieve _HS images using BINMAN flow. Am I right?

    Another issue is that I still don't understand how to integrate the signing and encryption part into the Yocto (bitbake) build. We were exporting the TI_SECURE_DEV_PKG variable for the Yocto build on the 437x series. It was using signing scripts from proc-sdk. I saw that k3-image-gen and core-secdevk3 are not available for the SDK 9.0 version. So, can you explain how to integrate the signing process into Yocto on the 62x series? Are there any documents about it?

  • Hello Veysel,

    As far as I understand, If I compile u-boot with respect to the instructions here: 

    https://git.ti.com/gitweb?p=ti-u-boot/ti-u-boot.git;a=blob;f=doc/board/ti/am62x_sk.rst;h=e4d58b49589a11d9254ac0c83b2963be25c79a2d;hb=17fb265d515be927cf3e45b2e871134e78da66d6

    I will be able to achieve _HS images using BINMAN flow. Am I right?
    software-dl.ti.com/.../UG-General-Info.html
    "Note
    As of Processor SDK 9.0, compilation of bootloader images will no longer require different defconfigs for GP and HS devices.
    The same build commands will generate images for GP, HS-SE and HS-FS devices."
    Another issue is that I still don't understand how to integrate signing and encryption part to yocto (bitbake) part. We were exporting TI_SECURE_DEV_PKG variable for yocto build on 437x series. It was using signing scripts from proc-sdk. I saw that k3-image-gen and core-secdevk3

    On AM43xx, there are reference signing scripts under "SecDev/scripts/".

    Starting from the K3 SoCs (i.e. AM62x), x.509-based PKI is adopted in ROM/TIFS, so it is easier for users to adapt code signing to their own secure key server infrastructure.

    For example, one reference code-signing script is listed below, from Linux SDK 8.6:
    git.ti.com/.../gen_x509_cert.sh
    For example, “openssl req -new -x509 -key $KEY -nodes -outform DER -out $CERT -config $TEMP_X509 -$SHA”
    git.ti.com/.../gen_x509_cert.sh

    Starting from SDK 9.0, BINMAN was introduced for code signing, where "openssl" is still being used.
    One good reference on code signing using BINMAN is noted in the e2e thread referenced in my last reply:
    git.ti.com/gitweb

    Best,
    -Hong

  • Hello Hong,

    Thank you for your quick support.

    I am following AM62X_OTP_Keywriter_User_Guide_09_00_00. I am able to generate keys using:

    gen_keywr_cert.sh

    I should place my generated custom keys into ti-u-boot/board/ti/keys to sign the software with my custom keys. Am I right? If it is correct, how can I implement custom keys into the Yocto build?

    Another issue is that I see in the same document that I have 3 options to provision the key (UART, OSPI and USB-DFU). Is it mandatory to use these 3 options, or can we do some modifications to provision the key via SD card? Hence, I tried to run the keywriter with UART, but I see this error:

    [ERROR] Serial port [/dev/ttyUSB0] not found or not accessible !!!

    I also checked my port name and I was sure that the port is not being used in other terminals. How can I fix it?

    Lastly, we were talking about the signing process on u-boot, but what about the kernel? How does the signing process work for the kernel, and how do I implement the signing process into the Yocto build?

  • Hello Veysel,

    I should place my generated custom keys into ti-u-boot/board/ti/keys to sign the software with my custom keys. Am I right? If it is correct, how can I implement custom keys into the Yocto build?

    Yes.

    Another issue is that I see in the same document that I have 3 options to provision the key (UART, OSPI and USB-DFU). Is it mandatory to use these 3 options, or can we do some modifications to provision the key via SD card? Hence, I tried to run the keywriter with UART, but I see this error:

    [ERROR] Serial port [/dev/ttyUSB0] not found or not accessible !!!

    I also checked my port name and I was sure that the port is not being used in other terminals. How can I fix it?

    "tiboot3.bin" from the OTP keywriter build can boot from any boot media supported by ROM and available on your board.

    Lastly, we were talking about the signing process on u-boot, but what about the kernel? How does the signing process work for the kernel, and how do I implement the signing process into the Yocto build?

    software-dl.ti.com/.../Foundational_Components_Kernel_Users_Guide.html

    Best,
    -Hong