AM625: How to sign fitImage for HS-SE on SDK9.0?

Zane Wei

Part Number: AM625
Other Parts Discussed in Thread: SK-AM62B

Hi Team,

I can use SDK9.0 sign tiboot3.bin, tispl.bin and u-boot.img by using top level makefile. But how to use top level makefile to sign fitImage, here is some error I encountered.

$make linux
...
# Build FitImage
cp /home/zane/AM62/ti-processor-sdk-linux-am62xx-evm-09.00.00.03/board-support/prebuilt-images/am62xx-evm/fitImage-its-am62xx-evm /home/zane/AM62/ti-processor-sdk-linux-am62xx-evm-09.00.00.03/board-support/ti-linux-kernel
mkimage -r -f /home/zane/AM62/ti-processor-sdk-linux-am62xx-evm-09.00.00.03/board-support/ti-linux-kernel/fitImage-its-am62xx-evm -k /home/zane/AM62/ti-processor-sdk-linux-am62xx-evm-09.00.00.03/board-support/ti-u-boot/board/ti/keys -K /home/zane/AM62/ti-processor-sdk-linux-am62xx-evm-09.00.00.03/board-support/u-boot-build/a53/arch/arm/dts/k3-am625-sk.dtb /home/zane/AM62/ti-processor-sdk-linux-am62xx-evm-09.00.00.03/board-support/built-images/fitImage
Can't set hash 'value' property for 'hash-1' node(FDT_ERR_NOSPACE)
Can't set hash value for 'hash-1' hash node in 'fdt-ti_k3-am625-sk-csi2-tevi-ov5640.dtbo' image node
Failure reading private key: error:1E08010C:DECODER routines::unsupported
Failed to sign 'signature-1' signature node in 'conf-ti_k3-am625-sk.dtb' conf node
mkimage Can't add hashes to FIT blob: -1
make: *** [makerules/Makefile_linux:13: linux] Error 255

I generated the Key using the following command.

./gen_keywr_cert.sh -g

And use the following command download key to efuse.

Step 1:

cd ~/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/scripts/cert_gen/am62x

./gen_keywr_cert.sh -t tifek/ti_fek_public.pem -b keys/bmpk.pem -s keys/smpk.pem

cd ~/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/scripts/x509cert

python3 ../../../../../tools/bin2c/bin2c.py final_certificate.bin keycert.h KEYCERT

cd ~/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang

make -sj PROFILE=debug

Step 2 & 3: Repeat the process of step 1 using the command below

./gen_keywr_cert.sh -t tifek/ti_fek_public.pem --smek keys/smek.key

./gen_keywr_cert.sh -t tifek/ti_fek_public.pem --bmek keys/bmek.key --keycnt 2 --keyrev 1

Before build u-boot, I copy smpk.pem to ti-u-boot/board/ti/keys, and renamed it to custMpk.pem

over 1 year ago

0 Hong Guan64 over 1 year ago

TI__Guru 68410 points

Hello Zane,
software-dl.ti.com/.../Foundational_Components_Kernel_Users_Guide.html
git.ti.com/gitweb
Best,
-Hong

0 Zane Wei over 1 year ago in reply to Hong Guan64

TI__Intellectual 1665 points

Hi, Hong

Thanks for your help, but I still cann't sign fitImage.

Can you tell me how to replace the files under board/ti/keys with my own key?

if I use my own file, it will failed: Failure reading private key: error:1E08010C:DECODER routines::unsupported.

Best Regards,

Zane

0 Hong Guan64 over 1 year ago in reply to Zane Wei

TI__Guru 68410 points

Hello Zane,
Have you tried signing with the default TI testing key included in SDK?
Best,
-Hong

0 Zane Wei over 1 year ago in reply to Hong Guan64

TI__Intellectual 1665 points

Hi, Hong

Yes, because I programmed my own key to SK-AM62B, the board was converted to the SE version.

If use the default key, the board has no output after powering on. Then I just replaced the custMpk.pem file and regenerated tiboot3.bin, tispl.bin and u-boot.img. After powering on again, the board could start u-boot.

However, errors similar to the following will appear:

## Loading kernel from FIT Image at 90000000 ...
Using 'conf-se_se-k3-am642-test-cpu.dtb' configuration
Verifying Hash Integrity ... fit_config_verify_required_keys: No signature nD
Bad Data Hash
ERROR: can't get kernel image!

Best Regards,

Zane

0 Hong Guan64 over 1 year ago in reply to Zane Wei

TI__Guru 68410 points

Hello Zane,
Let me clarify my last question.
1/. have you tried signing fitImage with the default TI testing key included in SDK?
2/. have you tried booting u-boot and the fitImage from last step on HS-SE (with TI testing key)?
Best,
-Hong

0 Zane Wei over 1 year ago in reply to Hong Guan64

TI__Intellectual 1665 points

Hi Hong,

For Q1: Yes, it work well.

For Q2: Yes, it can boot u-boot and fitImage.

My question is: Why do I need to update the key and rebuild u-boot, but I don’t need to use the new key to sign fitImage?

Best Regards,

Zane

+1 Hong Guan64 over 1 year ago in reply to Zane Wei

TI__Guru 68410 points

Hello Zane,
You may refer to the links in my previous reply on a complete steps:

Hong Guan64 said:
software-dl.ti.com/.../Foundational_Components_Kernel_Users_Guide.html
git.ti.com/gitweb

Best,
-Hong

Processors

Processors forum

AM625: How to sign fitImage for HS-SE on SDK9.0?