Part Number: PROCESSOR-SDK-AM69
Hi TI expert,
I use the SK-AM69-EVM HS-FS and the SDK v9 binman-based SPL/U-Boot build process for image preparation.
The note about 'Generating new set of keys' in https://software-dl.ti.com/jacinto7/esd/processor-sdk-linux-j784s4/09_00_01_03/exports/docs/linux/Foundational_Components_Kernel_Users_Guide.html is:
Note:
$ openssl genpkey -algorithm RSA -out keys/dev.key \
    -pkeyopt rsa_keygen_bits:4096 -pkeyopt rsa_keygen_pubexp:65537
$ openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt
I assume that dev.key should be moved into the binman build process and renamed to board/ti/key/custMpk.pem? And where is dev.crt really used (it looks like it is for the Keywriter operation, and seemingly not for the binman build)?
But based on the old paper https://www.ti.com/lit/an/sprad04/sprad04.pdf?ts=1701160982790&ref_url=https%253A%252F%252Fwww.ti.com%252Fproduct%252FTDA4VH-Q1
gen_keywr_cert.sh -g should be used for new key generation; it is also based internally on openssl, however in a different manner. In this process, I guess that smpk.pem should be used as custMpk.pem?
It seems like this second process is better and should be used, since it uses many other keys, such as: aes256.key, bmek.key, bmpk.pem, smek.key, smpk.pem, tifekpub.pem?
It also seems like dev.crt (from the previous note) does not contain the same information as x509cert/final_certificate.bin from gen_keywr_cert.sh -s keys/smpk.pem --smek keys/smek.key -t keys/tifekpub.pem -a keys/aes256.key
My question is how the new key generation process (described in the note at the beginning) is related to the transition from HS-FS to HS-SE via Keywriter?
Could you please provide an actual step-by-step description of the entire process of using new keys for image signing, encryption and the transition to HS-SE for the SK-AM69-EVM and SDK v9 SPL/U-Boot?
By the way, do you have support for running the binman secure signing/encryption process separately from the SDK U-Boot make build process?
Regards,
Dariusz Gasiorowski