SK-AM62A-LP: What is the difference between the ti-fs-firmware-<xxx>.bin variants

Part Number: SK-AM62A-LP

Hi TI experts,

I am working on the TI secure boot feature on the ti-am62ax board.

I found there is a package named ti-sci-fw. After building this package in the Yocto Project, the firmware binaries below are in ti-sci-fw\08.06.04-r4.0\image\lib\firmware\ti-sysfw:

ti-fs-firmware-am62ax-hs-cert.bin
ti-fs-firmware-am62ax-hs-enc.bin
ti-fs-firmware-am62ax-hs-fs-cert.bin
ti-fs-firmware-am62ax-hs-fs-enc.bin

When I burn the TI dummy key into eFuse, I download the otp_keywriter_am62ax-linux-installer.run add-on and install it at the location <MCU_PLUS_SDK_INSTALL_DIR>/source/security.

In the directory <MCU_PLUS_SDK_INSTALL_DIR>/source/security/sbl_keywriter/scripts/cert_gen/am62ax/keys_devel/, there are the 4 key files below:

bmek.key  bmpk.pem  smek.key  smpk.pem

About the difference between these ti-fs-firmware-<xxx>.bin variant files, my understanding is as below.

ti-fs-firmware-am62ax-hs-fs-cert.bin: it is only signed by the TI MPK, and the pub key hash of the TI MPK has been burned into eFuse in the TI factory, is that right?

ti-fs-firmware-am62ax-hs-fs-enc.bin: it is only encrypted by the TI MEK that has been burned into eFuse in the TI factory, is that right?

ti-fs-firmware-am62ax-hs-cert.bin: it is not only signed by the TI MPK, but also signed by the TI dummy key smpk.pem, is that right?

Another question about ti-fs-firmware-am62ax-hs-cert.bin: is it also signed by the TI dummy key bmpk.pem? Do I also need to burn the pub key hash of the TI dummy key bmpk.pem into eFuse?

ti-fs-firmware-am62ax-hs-enc.bin: it is not only encrypted by the TI MEK, but also encrypted by the TI dummy key smek.key, is that right?

Another question about ti-fs-firmware-am62ax-hs-enc.bin: is it also encrypted by the TI dummy key bmek.key? Do I also need to burn the TI dummy key bmpk.key into eFuse?

Another question is about how to use the real customer key, not the TI dummy key. If I put the real customer key into <MCU_PLUS_SDK_INSTALL_DIR>/source/security/sbl_keywriter/scripts/cert_gen/am62ax/keys_devel/, and then burn it into eFuse, how do I sign the ti-fs-firmware? Should I sign the ti-fs-firmware-am62ax-hs-fs-cert.bin with the real customer key (smpk.pem) to get the ti-fs-firmware-am62ax-hs-cert.bin? Or is there another solution to implement my guide doc to explain my question?

A similar question is about how to encrypt the ti-fs-firmware with the real customer key.

thanks,

Limeng

  • Understanding the difference between the ti-fs-firmware-<xxx>.bin variants is very important to create the customer's own production

  • Hello Limeng,

    ti-fs-firmware-am62ax-hs-cert.bin
    ti-fs-firmware-am62ax-hs-enc.bin
    ti-fs-firmware-am62ax-hs-fs-cert.bin
    ti-fs-firmware-am62ax-hs-fs-enc.bin

    These are the TIFS binaries for HS-SE and HS-FS, where
    - xxxx-cert.bin: X.509 certificate signed with TI MPK
    - xxxx-enc.bin: binary encrypted with TI MEK

    When building the Linux SDK binary, these are dual-signed with the TI testing key (SMPK).
    Best,
    -Hong

  • Hi Hong,

    Thanks for helping to confirm my question.

    Yes! I found the signature configuration in arch/arm/dts/k3-am62a-sk-binman.dtsi.

    If the ti-fs-firmware-am62ax-hs-cert.bin and ti-fs-firmware-am62ax-hs-fs-cert.bin are only signed by the TI MPK, why are they not the same?

    If the ti-fs-firmware-am62ax-hs-enc.bin and ti-fs-firmware-am62ax-hs-fs-enc.bin are encrypted by the TI MEK, why are they not the same?

    thanks,

    Limeng

  • Hi Limeng,
    The unsigned TIFS binaries for HS-FS and HS-SE are different.
    Best,
    -Hong