J784S4XEVM: secure boot question about TDA4VH platform(J784S4XEVM)

Part Number: J784S4XEVM

Hi TI experts,

I am working on TI secure boot feature on TI-TDA4VH board.

I refer to https://software-dl.ti.com/jacinto7/esd/processor-sdk-rtos-jacinto7/08_01_00_11/exports/docs/pdk_jacinto_08_01_00_33/docs/userguide/jacinto/modules/keywriter.html, and have 2 questions about how to change the HS-FS type into HS-SE type.

1. In the link guide, 4.14.5.1. Generating x509 certificate from customer HSM, I found that a random 256-bit number AES encryption key is signed by SMPK and the X509 config is also signed by SMPK.

    But I don't find out where is the SMPK-PUB key saved? Because when running the keywriter app on board, the SMPK-PUB key will be used to verify the signatures, so I think it should be saved in a certain place.

    Could you please help to explain where the SMPK-PUB key is saved?

2. In the link guide 4.14.5.4. Running on SoC, using a boot mode of choice, it says to select a boot mode. Can I use the SD boot mode directly?  Or must I use the USB-DFU or UART boot mode?

    Or is there any doc to show the detailed steps about how to run the keywriter to burn the eFuse on TI-TDA4VH board?

Thanks,

Limeng

  • Hi Limeng

    1. In the link guide, 4.14.5.1. Generating x509 certificate from customer HSM, I found that a random 256-bit number AES encryption key is signed by SMPK and the X509 config is also signed by SMPK.

        But I don't find out where is the SMPK-PUB key saved? Because when running the keywriter app on board, the SMPK-PUB key will be used to verify the signatures, so I think it should be saved in a certain place.

        Could you please help to explain where the SMPK-PUB key is saved?

    The SMPK public key will be present in the certificate itself.

    2. In the link guide 4.14.5.4. Running on SoC, using a boot mode of choice, it says to select a boot mode. Can I use the SD boot mode directly?  Or must I use the USB-DFU or UART boot mode?

    Yes you can use UART/SD/EMMC/DFU boot mode to run the keywriter image.

        Or is there any doc to show the detailed steps about how to run the keywriter to burn the eFuse on TI-TDA4VH board?

    You just need to build the keywriter image and then just like any other SBL image you can copy it to boot media to run this.

    In the PDK we have a test application which will generate different keywriter test images to burn the different values on the efuses like MSV,SW,SMPK....

    Script path: <PDK>/packages/ti/boot/keywriter/scripts/generate_test_binaries.sh

    or you can also use a make command to build all the test images : make keywriter_cfg_test_gen BOARD=j784s4_evm CORE=mcu1_0

    This will generate the images under folder:<PDK>/packages/ti/boot/keywriter/binary/j721s2/test_image

    NOTE: You need to have a keywriter package which contains the keywriter tifs and the TI-FEK public key to run the keywriter image.

    For a detailed explanation of the Keywriter please go through the app note: https://www.ti.com/lit/an/sprad04/sprad04.pdf?ts=1710220582340&ref_url=https%253A%252F%252Fwww.google.com%252F

    Regards
    Diwakar

  • Hi Diwakar

    Thanks for explaining my questions.

    I checked the final_certificate.bin file, and the SMPK public key is indeed included in it.

    Then I had a look at the scripts gen_keywr_cert.sh and gen_keywr_cert_helpers.sh, but I can't find the code that puts the SMPK public key into final_certificate.bin. Could you tell me which part of the code implements that function?

    Thanks,

    Limeng

  • Hi Limeng

    Could you tell me which part of the code implements that function?

    When you sign the certificate with the openssl command it will attach the public key in the certificate.

    Regards
    Diwakar
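
An added illustration of the reply above (not TI's script and not part of the original thread): a self-signed certificate produced by `openssl req -x509` carries the signer's public key in its SubjectPublicKeyInfo field, so no separate step copies it in. The key is a throwaway RSA key standing in for the SMPK, and the subject name and file names are assumptions.

```shell
#!/bin/sh
# Added example: demonstrates that signing a certificate with
# `openssl req -x509` embeds the signer's public key in the certificate.
# The key is generated here for the demo; it is NOT a real SMPK.

# Prints "match" when the public key read back from the DER certificate is
# identical to the public half of the signing key, "mismatch" otherwise.
smpk_pub_in_cert() {
    work=$(mktemp -d) || return 1

    # Throwaway 2048-bit RSA key (constructed stand-in for the SMPK).
    openssl genrsa -out "$work/demo_smpk.pem" 2048 2>/dev/null || return 1

    # Self-signed certificate in DER form, signed with the private key.
    # The subject name is a placeholder chosen for this example.
    openssl req -new -x509 -key "$work/demo_smpk.pem" -sha512 -days 1 \
        -subj "/CN=demo-keywriter-cert" -outform DER \
        -out "$work/cert.der" 2>/dev/null || return 1

    # Public key as stored in the certificate (SubjectPublicKeyInfo).
    openssl x509 -inform DER -in "$work/cert.der" -noout -pubkey \
        > "$work/pub_from_cert.pem" || return 1

    # Public key derived directly from the private key.
    openssl pkey -in "$work/demo_smpk.pem" -pubout \
        > "$work/pub_from_key.pem" 2>/dev/null || return 1

    if cmp -s "$work/pub_from_cert.pem" "$work/pub_from_key.pem"; then
        result=match
    else
        result=mismatch
    fi
    rm -rf "$work"
    echo "$result"
}

smpk_pub_in_cert
```
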

  • Hi Diwakar,

    Thanks for telling me the detailed information.

    So far, I have the key-writer addon OTP_KEYWRITER_ADD_ON_j784s4_08_06_00_14-linux-installer.run, and I don't find a newer one on the TI official website. But I can get the latest rtos sdk ti-processor-sdk-linux-adas-j784s4-evm-09_01_00_06-Linux-x86-Install.bin and linux sdk ti-processor-sdk-linux-adas-j784s4-evm-09_01_00_06-Linux-x86-Install.bin.

    So, my question is: could I use the keywriter 08_06_00_1 to work with the version 09_01_00_06 of rtos sdk?

    And I think the version of linux sdk is not important, I can use any version of linux sdk, is it right?

    Thanks,

    Limeng

  • Hi Limeng

    So, my question is: could I use the keywriter 08_06_00_1 to work with the version 09_01_00_06 of rtos sdk?

    If you look at the compatibility column in my secure software, you can see that the OTP keywriter package is valid for 8.5 SDK + later.

    So it will work with 9.1 PSDK as well.

    And I think the version of linux sdk is not important, I can use any version of linux sdk, is it right?

    For the keywriter process the linux SDK is not important. We build the keywriter images with the help of PSDK.

    Regards
    Diwakar