PROCESSOR-SDK-AM64X: How to sign files using customer key in SDK9.0？

Hello Stephen,
There's a major change on code signing from SDK8.x to SDK9.x, where BINMAN was introduced in SDK9.x, and
"k3-image-gen" and "core-secdev-k3" folders in SDK8.x are not needed for SDK9.x.
Some e2e discussions on code signing with customer keys in SDK9.x for your reference:
e2e.ti.com/.../am625-compiling-with-custom-keys-in-yocto-build
e2e.ti.com/.../am625-secure-boot-and-compiling
e2e.ti.com/.../processor-sdk-am64x-a53-u-boot-img-sign
Best,
-Hong

Hi Hong,

The first two links show page not found, and the third link did not solve my problem.

I found that binman does not use custMPK to encrypt files, and how Linux Image and DTB are encrypted?

Regards,Stephen

Hello Stephen,
1/. The first two e2e are from the special security e2e forum for security focused topic discussions. I just sent an invitation for you to join security e2e forum.
2/. custMPK is used for binary integrity verification based on PKI, and supported in Linux SDK. The binary encryption option is not supported currently in Linux SDK.
Best,
-Hong

Hi Hong,

Thanks for the invitation. I have some questions, could you please help confirm

Our current usage: We have a core board with AM62X HS-FS Soc, but we have not yet written SMPK to the otp. We use tiboot3-am62x-hs-fs-evm.bin, u-boot.img, tispl.bin can start the system, and 6 "Authentication passed" will be printed when starting. The Image and dtb we use are not encrypted.

1. As you explained, SMPK verification will be skipped in fs-hs, and verified in hs-se. After I replace custMpk.pem in the uboot code, has the generated "u-boot.img, tispl.bin, tiboot3.bin" been encrypted by custMpk.pem? If I burn SMPK into OTP, can I use these three files to start it directly?

2. When replacing u-boot/board/ti/keys, I directly replaced custMpk.pem with smpk.pem. custMpk.key and custMpk.pem are the same. custMpk.crt is converted through the following command. Is this replacement method correct?
openssl req -batch -new -x509 -key custMpk.key -out custMpk.crt

3. "The GP to HS-FS Migration Guide" introduces that it is recommended to use fitimage in HS-SE. We have made some modifications to fitImage-its. Please help confirm whether this modification is correct? (linux dtb was modified to k3-am625-customer.dtb)

/dts-v1/;

/ {
        description = "Kernel fitImage for Arago/6.1.33+gitAUTOINC+40c32565ca/am62xx-evm";
        #address-cells = <1>;

        images {
                kernel-1 {
                        description = "Linux kernel";
                        data = /incbin/("/home/user/am62x/ti-linux-kernel/out/arch/arm64/boot/Image");
                        type = "kernel";
                        arch = "arm64";
                        os = "linux";
                        compression = "gzip";
                        load = <0x81000000>;
                        entry = <0x81000000>;
                        hash-1 {
                                algo = "sha512";
                        };
                };
                fdt-ti_k3-am625-customer.dtb {
                        description = "Flattened Device Tree blob";
                        data = /incbin/("/home/user/am62x/ti-linux-kernel/out/arch/arm64/boot/dts/ti/k3-am625-customer.dtb");
                        type = "flat_dt";
                        arch = "arm64";
                        compression = "none";
                        load = <0x83000000>;
                        hash-1 {
                                algo = "sha512";
                        };
                };
        };

        configurations {
                default = "conf-ti_k3-am625-customer.dtb";
                conf-ti_k3-am625-customer.dtb {
                        description = "1 Linux kernel, FDT blob";
                        kernel = "kernel-1";
                        fdt = "fdt-ti_k3-am625-customer.dtb";



                        hash-1 {
                                algo = "sha512";
                        };
                        signature-1 {
                                algo = "sha512,rsa4096";
                                key-name-hint = "custMpk";
                                padding = "pkcs-1.5";
                                sign-images = "kernel", "fdt";
                        };
                };

        };
};

mkimage -r -f fitImage.its -k $UBOOT_PATH/board/ti/keys -K $UBOOT_PATH/out/a53/dts/dt.dtb fitImage

4. Why does mkimage need to specify the uboot's dt.dtb ? "-K => write public keys to this .dtb file"  Does use this parameter to write custMpk.pem into uboot's device tree? Didn't the previously compiled u-boot.img contain custMpk.pem?

5. Does it mean that there will no longer be a separate script for file encryption in Linux SDK?

Hong Guan64 said:

The binary encryption option is not supported currently in Linux SDK.

Regards,Stephen

Hi Hong,

Hong Guan64 said:

- SMEK: for optional binary blob encryption/decryption for confidentiality (this option is not currently supported in Linux SDK)

What does this mean? Do I still need to write the SMEK into the otp?
I planned to use the following command to create a certificate. Is it okay to use it this way?
./gen_keywr_cert.sh -t tifek/ti_fek_public.pem --msv 0xC0FFE -s keys_devel/smpk.pem --smek keys_devel/smek.key --keycnt 1 --keyrev 1

Also, could you confirm the first question above? Are the "tiboot3-am62x-hs-fs-evm.bin, u-boot.img, tispl.bin" generated by uboot encrypted by custMpk.pem?

Regards,Stephen