PROCESSOR-SDK-AM62X: how to make signed boot and fast boot time

Hi Naresh,

Thanks for your query.

Can you please help me with more details and background of your query?

Best Regards

Ashwani

Hu Ashwani,

Actually i am working on AM62X custom board, using AM6231 SOC.

I need detials how to make signed the images to boot (sigined boot ) and fastboot time. 

Thanks,

Naresh

Thanks Naresh Nakka  for update.

I am forwarding this thread to the boot expert.

Please expect some delay in response due to year end vacations.

Best Regards

Ashwani

Thanks Ashwani , 

BTW, i got this link from TI : https://software-dl.ti.com/mcu-plus-sdk/esd/AM62X/09_00_00_19/exports/docs/api_guide_am62x/TOOLS_BOOT.html (but i am not sure is this correct info regd. sgined boot )

there is not tool folder in sdk path , please help me how to make this .

i have gone through that link, but i could not understand  . 

Please help me once support is available.

Thanks,

Naresh

Hi Naresh,

Naresh Nakka said:

there is not tool folder in sdk path , please help me how to make this .

The signing folder is available at ${MCU_PLUS_SDK_PATH}/tools/boot/signing

~/ti/mcu_plus_sdk/am62x 09.00.00.19
❯ tree tools/boot/signing
tools/boot/signing
├── appimage_x509_cert_gen.py
├── custMek_am62x.txt
├── custMpk_am62x.pem
├── k3_dev_mpk.pem
├── mcu_custMpk.pem
├── mcu_gpkey.pem
├── mcu_rom_image_gen.py
├── rom_degenerateKey.pem
├── rom_image_gen.py
├── x509CertificateGen.ps1
├── x509CertificateGen.sh
├── x509template_boardcfg.txt
└── x509template.txt

0 directories, 13 files

If you are looking for how to sign images, I would recommend going through the makefile of any example which contains the steps to sign the images.

Regards,

Prashant

Hi Prashanth ,

But we are working on AM62X-linux sdk  (not MCU_PLUS_SDK ), where we compiled the linux-source code and genrate the images .

AM62X-Linux images can we sign with MCU_PLUS_SDK  ?

This link : https://software-dl.ti.com/mcu-plus-sdk/esd/AM62X/09_00_00_19/exports/docs/api_guide_am62x/TOOLS_BOOT.html -> 

which imges should i sign . actually on AM62x (bootloader images(tiboot3-am62x-gp-evm.bin , tispl.bin,u-boot.img) ,kernel Image ,dtb images .

please help me which images should i sign , bootloader images only?

Should i copy bootloader images to "${MCU_PLUS_SDK_PATH}/tools/boot/signing"  this path.  and sign the images ?

Actually i compiled the images for AM62X_LINUX_SDK for 09_00_00_03 version , now MCU SDK version showing 09_00_00_19 , for signing is it okay if different versions having ?

Could you please confirm ?

Thanks,

Naresh

Hi Naresh,

I would like to know why there is a need to manually carry out the signing steps?

Please note all the SDKs have the signing steps already integrated. Any build will generate the signed images. For example, when you do

make u-boot

It generates the signed the tiboot3.bin. Addtionally, each component in the tispl.bin & u-boot.img are also signed and packaged in one image. So, you should not require doing any manual steps for signing.

Regards,

Prashant

H Prashanth ,

Thanks for information.

I am taking Linux kernel from SDK  and compiling linux alonely (not having SDK other directories ) , in that case its compiling the Image but is that support signing . Or should i required to compile the linux kernel in SDK iteself  (i mean to support sigining linux kernel should require other sdk components )?

How to validate signed images ? 

Thanks,

Naresh

Hi Naresh,

Please see the following guide to sign Linux Kernel for custom build infrastructure

3.2.1. Users Guide — Processor SDK AM62x Documentation

Regards,

Prashant

Hi @Prashanth ,

I have taken linux kernel from SDK_09_00_00_03.

we generally use default configuration from <kernel source>/arch/arm64/configs , so i have taken defconfig (only defconfig present , i used this file)

compiled it using aarch64-none-linux-gnu- compiler (here mentioned aarch64-none-linux-gnu compiler : https://software-dl.ti.com/processor-sdk-linux/esd/AM62X/09_00_00_03/exports/docs/linux/Overview_Building_the_SDK.html ).

Prashant Shivhare said:

 I just found  form this page where mentioned default configuration as " ti_arm64_prune.config" , is this mandatory to use this file as default configuration ?

Is there any way to validate the signed images whther they signed or not ? using any keyword to find the signed images by openenng with hexa editor kind of identifiying the signed image ?

Thanks,

Naresh .

Hi Naresh,

I won't be able to help you with the latest queries. I have moved the thread to the PSDK expert for further support on this thread. You should get a response by EOD.

Regards,

Prashant

Hello,
As noted by Prashant, for Linux SDK 9.0
- "make u-boot" from SDK installation folder for building/signing u-boot
- signign kernel FIT image to support extended secure boot flow
software-dl.ti.com/.../Foundational_Components_Kernel_Users_Guide.html
Best,
-Hong

Hi Hong ,

Thanks for info.

How to validate the signed images , whther they are properly signed or not ?

Thanks,

NARESH

Hi Hong,

Prashant Shivhare said:

signing

As per Prashanth note , generated images are signed images (as all signed steps are integrated in build)

we flashed the images and got the bootup logs.

please find attachesd bootup logs

am62x_bootup_logs.txt

can we confirm with the bootup logs whether images are signed and authenticated successfully on board  ?

Kindly help on this .

Thanks,

Naresh

Hello,
The log shows the device on your board is GP, where secure boot is not supported.
software-dl.ti.com/.../Foundational_Components_Migration_Guide.html
Best,
-Hong

Hi Hong,

Thanks for your info.

Could you plese help us more data on secure boot varaint devices (HS-FS & HS-SE ).

Hong Guan64 said:

from this link , i understood that both secure varaints (HS-FS & HS-SE )needs to blow the fuses on device to make secure board. 

and also please help us steps to blow to fuses to make secure for both varaints .

Thanks,

Naresh.

We have AM62x security resource download portal, where security collaterals/links/tools (i.e. OTP keywriter)... are hosted
software-dl.ti.com/.../AM62x_HS_index_FDS.html
User may request access to AM62x security resource download portal
www.ti.com/.../swlicexportcontrol.tsp

Best,
-Hong

HI Hong, 

Thanks for above link ,

currently could not able to access portal .

I guess , the above portal has steps to blow fuse on both devices to make secure device.

Actually we are newbies to secure boot.

Thanks,

Naresh

Hong Guan64 said:

User may request access to AM62x security resource download portal
www.ti.com/.../swlicexportcontrol.tsp

You'll be able to get access to AM62x security resource download link once your request is approved,

Hi Hong ,

Thanks for information .

I requested the access for the portal .

Actualy we used GP variaint till now , where we validated all BSP interfaces on our GP varaint customized hardware .

How to boot secure device ?

- do we need to sign the bootloader images (tiboot3.bin ,tispl.bin and ti-uboot.img)  and kernel image and device tree binaries.

Suppopse , if i booted the secure device . if we want to test BSP interfaces (like wifi/bt,can ,gsm, r5-cortex validation ...etc) on  our customised HS-SE / HS-FS device , are theese interfaces directly works / or do we need signing ? should we sign the binaries , if yes , how to externally sign the images ?

let say example , if suppose whatever wifi we tested on GP , that directky should work on HS-SE/HS-FS device ?

Thanks,

Naresh.

Sure Hong , 

will check and get back to you .

Thanks,

Naresh

Hi Hong , 

I got access for secuirty portal .

I downloaded OTP Keywriter Package along wiith OTP KEYWRITTER DOC from secure portal.

=> I understood with secure documents as below ,

OTP keywriter tool is used to burns the keys into SOC to make HS-FS device into secure . 

Actually we used LINUX SDK as 09_00_00_03 . 

while making board to secure , we need to install MCU_PLUS_SDK  , so is this required to be same version 09_00_00_03 ?

After flashing the keys into SOC , device becomes secure from non-secure device .But in keywritter documment mentioned as "after flashing the keys  into SOC then HS-FS convert into HS-SE ? My query is HS-SE and HS-FS are both differnet secure devices . why then after burns the keys into SOC HS-FS device makes into secure , why its convert into HS-SE from HS-FS ?

Actually we have a customsied board with HS-FS device .

Please help us how to make HS-FS device into secue device ? 

Please find we refered the attached keywriter doc .

AM62X_OTP_Keywriter_User_Guide_09_00_00.pdf

Kindly help us ?

Thanks,

Naresh.

Naresh Nakka said:

while making board to secure , we need to install MCU_PLUS_SDK  , so is this required to be same version 09_00_00_03 ?

Yes.

Naresh Nakka said:

why then after burns the keys into SOC HS-FS device makes into secure , why its convert into HS-SE from HS-FS ?

The user's key are programmed with OTP keywriter on HS-FS to convert it to HS-SE. Root-of-Trust (RoT) secure boot is enabled only on HS-SE device once user's key are programmed.
Best,
-Hong

Hi Hong,

we are using HS-FS chip .

=> Little confusions here that HS-SE & HS-FS both are differnent secure chipsets right .

keys are programmed with HS-FS chip convert into HS-FS secure device . why its convert into HS-SE device once programed keys with HS-FS device . because both HS-FS &HS-SE indipendently secure chips . 

 I assumed below as

• after programming keys with HS-FS device convert into HS-FS secure device ?
• After programming keys with HS-SE device convert  into HS-SE secure device ?

=> we had alredy we worked with PROCESSOR-SDK-LINUX-AM62X Version (09_00_00_03) and most of the BSP work done on this version,  in order to make HS-FS chip into secure we need "MCU_PLUS_SDK " source . but i could not find the same MCU_PLUS_SDK ( 09_00_00_03 SDK ) Version of LINUX_SDK version .

PROCESSOR-SDK-LINUX-AM62X  -> 09_00_00_03

MCU-PLUS-SDK-AM62X  -> ?  unable to find same version . This version i found -> mcu_plus_sdk_am62x_09_00_00_19-linux-x64-installer.run 

Sorry for my dumb questions , as we are newbies to secure boot

please help me on this .

Thanks,

Naresh

Naresh Nakka said:

ure boot

Hi Hong,

we are using HS-FS chip .

=> Little confusions here that HS-SE & HS-FS both are differnent secure chipsets right .

keys are programmed with HS-FS chip convert into HS-FS secure device . why its convert into HS-SE device once programed keys with HS-FS device . because both HS-FS &HS-SE indipendently secure chips . 

 I assumed below as

• after programming keys with HS-FS device convert into HS-FS secure device ?
• After programming keys with HS-SE device convert  into HS-SE secure device ?

=> we had alredy we worked with PROCESSOR-SDK-LINUX-AM62X Version (09_00_00_03) and most of the BSP work done on this version,  in order to make HS-FS chip into secure we need "MCU_PLUS_SDK " source . but i could not find the same MCU_PLUS_SDK ( 09_00_00_03 SDK ) Version of LINUX_SDK version .

PROCESSOR-SDK-LINUX-AM62X  -> 09_00_00_03

MCU-PLUS-SDK-AM62X  -> ?  unable to find same version . This version i found -> mcu_plus_sdk_am62x_09_00_00_19-linux-x64-installer.run 

Sorry for dumb questions . As we are newbies to secure boot , we had couple of quiries . Please dont mind .

please help us on this .

Thanks,

Naresh

Naresh Nakka said:

 I assumed below as

• after programming keys with HS-FS device convert into HS-FS secure device ?
• After programming keys with HS-SE device convert  into HS-SE secure device ?

No. HS-FS (Field Securable) and HS-SE (Security Enforced) is the SoC state. HS-FS is the initial state, and HS-FS is converted to HS-SE only after user's key is programmed.

Naresh Nakka said:

MCU-PLUS-SDK-AM62X  -> ?  unable to find same version . This version i found -> mcu_plus_sdk_am62x_09_00_00_19-linux-x64-installer.run 

This version would work

https://www.ti.com/tool/download/MCU-PLUS-SDK-AM62X/09.00.00.19

Best,
-Hong

Hi Hong ,

Thannks for confirmation .

JFYI , LINUX SDK i am using => 09_00_00_03 Version 

          MCU_PLUS_SDK  using => 09_00_00_19 Version.

Below Pre-requisites i downloaded.

• Downloaded MCU_PLUS_SDK (mcu_plus_sdk_am62x_09_00_00_19-linux-x64-installer.run) , ccs (CCS12.3.0.00005_linux-x64.tar.gz) and sysconfig  (sysconfig-1.16.1_2960-setup.run) and  ti_cgt_armllvm_2.1.3.LTS_linux-x64_installer.bin from https://www.ti.com/tool/download/MCU-PLUS-SDK-AM62X/09.00.00.19
• installed ccs and sysconfig
• otp_keywriter_am62x-linux-installer.run  downloaded this file from Ti security portal.

Below steps I followed to generate the image:

• I run the mcu_plus_sdk_*.run  , installed at /home/<user>/ti   path
• created the security folder in source code of ~/ti/mcu_plus_sdk_*/source path
• I did run the "otp_keywriter_am62x-linux-installer.run"  and gave the installation has  " ~/ti/mcu_sdk_*/source/security"
• so , generated "tifs/sbl_keywriter" is generated under " ~/ti/mcu_sdk_*/source/security " so , as per otp instructions  i moved sbl_keywritter directory  to security directory and removed tifs folder . now path like -> ~/ti/mcu_sdk_*/source/security/sbl_keywritter instead of ~/ti/mcu_sdk_*/source/security/tifs/sbl_keywritter.
• moved to  this path <MCU_PLUS_SDK_INSTALL_DIR>/source/security/sbl_keywriter/scripts/cert_gen/am62x and issued below command

          ./gen_keywr_cert.sh --msv 0xC0FFE -t tifek/ti_fek_public.pem

         => This will generate a certificate with MSV data at "           <MCU_PLUS_SDK_INSTALL_DIR>/source/security/sbl_keywriter/scripts/x509cert/final_certificate.bin "

• Convert the certificate binary to .h format.
  • Go to the x509 script directory: <MCU_PLUS_SDK_INSTALL_DIR>/source/security/
    sbl_keywriter/scripts/x509cert

                       python3 ../../../../../tools/bin2c/bin2c.py final_certificate.bin keycert.h KEYCERT

• • This will generate a C header file called keycert.h
• Build
  • Go to the following directory: <MCU_PLUS_SDK_INSTALL_DIR>/source/security/
    sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang
  • Clean the example: make -sj clean PROFILE=debug
  •  Then run: make -sj PROFILE=debug  => HERE I GOT ISSUES , please find the log

LOGS

naresh@naresh-ThinkPad-E15-Gen-2:~/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang$ make -sj PROFILE=debug
Generating SysConfig files ...
Running script...
Validating...
Generating Code (example.syscfg)...
Writing /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/generated/ti_dpl_config.c...
Writing /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/generated/ti_dpl_config.h...
Writing /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/generated/ti_drivers_config.c...
Writing /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/generated/ti_drivers_config.h...
Writing /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/generated/ti_drivers_open_close.c...
Writing /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/generated/ti_drivers_open_close.h...
Writing /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/generated/ti_pinmux_config.c...
Writing /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/generated/ti_power_clock_config.c...
Writing /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/generated/ti_board_config.c...
Writing /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/generated/ti_board_config.h...
Writing /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/generated/ti_board_open_close.c...
Writing /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/generated/ti_board_open_close.h...
Compiling: am62x:r5fss0-0:nortos:ti-arm-clang sbl_keywriter.debug.out: ../main.c
Compiling: am62x:r5fss0-0:nortos:ti-arm-clang sbl_keywriter.debug.out: ../keywriter_utils.c
Compiling: am62x:r5fss0-0:nortos:ti-arm-clang sbl_keywriter.debug.out: ../board.c
Compiling: am62x:r5fss0-0:nortos:ti-arm-clang sbl_keywriter.debug.out: generated/ti_drivers_config.c
Compiling: am62x:r5fss0-0:nortos:ti-arm-clang sbl_keywriter.debug.out: generated/ti_drivers_open_close.c
Compiling: am62x:r5fss0-0:nortos:ti-arm-clang sbl_keywriter.debug.out: generated/ti_board_config.c
Compiling: am62x:r5fss0-0:nortos:ti-arm-clang sbl_keywriter.debug.out: generated/ti_board_open_close.c
Compiling: am62x:r5fss0-0:nortos:ti-arm-clang sbl_keywriter.debug.out: generated/ti_dpl_config.c
Compiling: am62x:r5fss0-0:nortos:ti-arm-clang sbl_keywriter.debug.out: generated/ti_pinmux_config.c
Compiling: am62x:r5fss0-0:nortos:ti-arm-clang sbl_keywriter.debug.out: generated/ti_power_clock_config.c
.
Linking: am62x:r5fss0-0:nortos:ti-arm-clang sbl_keywriter.debug.out ...
Linking: am62x:r5fss0-0:nortos:ti-arm-clang sbl_keywriter.debug.out Done !!!
.
Boot image: am62x:r5fss0-0:nortos:ti-arm-clang /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/sbl_keywriter.debug.tiimage ...
Traceback (most recent call last):
File "/home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/tools/boot/signing/rom_image_gen.py", line 339, in <module>
cert_str = get_cert(args)
File "/home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/tools/boot/signing/rom_image_gen.py", line 234, in get_cert
full_image_size = os.path.getsize(args.sbl_bin) + os.path.getsize(args.sysfw_bin) + os.path.getsize(args.boardcfg_blob)
File "/usr/lib/python3.8/genericpath.py", line 50, in getsize
return os.stat(filename).st_size
FileNotFoundError: [Errno 2] No such file or directory: '/home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/tifs/sbl_keywriter/keywr_bin/am62x/sysfw_keywr.bin'
naresh@naresh-ThinkPad-E15-Gen-2:~/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang$ vim /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/tools/boot/sig

Please find otp key writter document

5824.AM62X_OTP_Keywriter_User_Guide_09_00_00.pdf

Please help me on this .

Thanks,

Naresh

Sure Hong,

Please find new Ti support ticket for supporting HS-FS device into secure 

https://e2e.ti.com/support/processors-group/processors/f/processors-forum/1339680/processor-sdk-am62x-am6231-hs-fs-varinant-otp-keywritter-support-for-convert-hs-fs-device-into-secure-device

Thanks,

Naresh