PROCESSOR-SDK-AM62X: [AM6231][HS-FS Variant] [OTP keywriter] Support for converting HS-FS device into secure device

Part Number: PROCESSOR-SDK-AM62X
Other Parts Discussed in Thread: SYSCONFIG, AM625, TCA6424

Hi Hong ,

Thanks for your continuous support.

Continuing from this thread => https://e2e.ti.com/support/processors-group/processors/f/processors-forum/1303310/processor-sdk-am62x-how-to-make-signed-boot-and-fast-boot-time/5101338#5101338

Please help us convert our customised HS-FS AM6231 device into a secure device.

Please find below my observations on making the HS-FS device secure.

JFYI, the Linux SDK I am using => version 09_00_00_03

          MCU_PLUS_SDK I am using => version 09_00_00_19.

I downloaded the prerequisites below.

  • Downloaded MCU_PLUS_SDK (mcu_plus_sdk_am62x_09_00_00_19-linux-x64-installer.run), CCS (CCS12.3.0.00005_linux-x64.tar.gz), sysconfig (sysconfig-1.16.1_2960-setup.run) and ti_cgt_armllvm_2.1.3.LTS_linux-x64_installer.bin from https://www.ti.com/tool/download/MCU-PLUS-SDK-AM62X/09.00.00.19
  • Installed CCS and sysconfig
  • Downloaded otp_keywriter_am62x-linux-installer.run from the TI security portal.

Below steps I followed to generate the image:

  • I ran mcu_plus_sdk_*.run and installed it at the /home/<user>/ti path
  • Created the security folder in the source code at the ~/ti/mcu_plus_sdk_*/source path
  • I ran "otp_keywriter_am62x-linux-installer.run" and gave the installation path as "~/ti/mcu_sdk_*/source/security"
  • So "tifs/sbl_keywriter" was generated under "~/ti/mcu_sdk_*/source/security". As per the OTP instructions, I moved the sbl_keywriter directory to the security directory and removed the tifs folder. Now the path is ~/ti/mcu_sdk_*/source/security/sbl_keywriter instead of ~/ti/mcu_sdk_*/source/security/tifs/sbl_keywriter.
  • Moved to this path <MCU_PLUS_SDK_INSTALL_DIR>/source/security/sbl_keywriter/scripts/cert_gen/am62x and issued the command below

          ./gen_keywr_cert.sh --msv 0xC0FFE -t tifek/ti_fek_public.pem

         => This will generate a certificate with MSV data at "<MCU_PLUS_SDK_INSTALL_DIR>/source/security/sbl_keywriter/scripts/x509cert/final_certificate.bin"

  • Convert the certificate binary to .h format.
    • Go to the x509 script directory: <MCU_PLUS_SDK_INSTALL_DIR>/source/security/sbl_keywriter/scripts/x509cert

                       python3 ../../../../../tools/bin2c/bin2c.py final_certificate.bin keycert.h KEYCERT

    • This will generate a C header file called keycert.h

Build

  • Go to the following directory: <MCU_PLUS_SDK_INSTALL_DIR>/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang
  • Clean the build using -> make -sj clean PROFILE=debug
  • Then run: make -sj PROFILE=debug => HERE I GOT ISSUES, please find the log

LOGS

naresh@naresh-ThinkPad-E15-Gen-2:~/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang$ make -sj PROFILE=debug
Generating SysConfig files ...
Running script...
Validating...
Generating Code (example.syscfg)...
Writing /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/generated/ti_dpl_config.c...
Writing /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/generated/ti_dpl_config.h...
Writing /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/generated/ti_drivers_config.c...
Writing /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/generated/ti_drivers_config.h...
Writing /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/generated/ti_drivers_open_close.c...
Writing /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/generated/ti_drivers_open_close.h...
Writing /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/generated/ti_pinmux_config.c...
Writing /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/generated/ti_power_clock_config.c...
Writing /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/generated/ti_board_config.c...
Writing /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/generated/ti_board_config.h...
Writing /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/generated/ti_board_open_close.c...
Writing /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/generated/ti_board_open_close.h...
Compiling: am62x:r5fss0-0:nortos:ti-arm-clang sbl_keywriter.debug.out: ../main.c
Compiling: am62x:r5fss0-0:nortos:ti-arm-clang sbl_keywriter.debug.out: ../keywriter_utils.c
Compiling: am62x:r5fss0-0:nortos:ti-arm-clang sbl_keywriter.debug.out: ../board.c
Compiling: am62x:r5fss0-0:nortos:ti-arm-clang sbl_keywriter.debug.out: generated/ti_drivers_config.c
Compiling: am62x:r5fss0-0:nortos:ti-arm-clang sbl_keywriter.debug.out: generated/ti_drivers_open_close.c
Compiling: am62x:r5fss0-0:nortos:ti-arm-clang sbl_keywriter.debug.out: generated/ti_board_config.c
Compiling: am62x:r5fss0-0:nortos:ti-arm-clang sbl_keywriter.debug.out: generated/ti_board_open_close.c
Compiling: am62x:r5fss0-0:nortos:ti-arm-clang sbl_keywriter.debug.out: generated/ti_dpl_config.c
Compiling: am62x:r5fss0-0:nortos:ti-arm-clang sbl_keywriter.debug.out: generated/ti_pinmux_config.c
Compiling: am62x:r5fss0-0:nortos:ti-arm-clang sbl_keywriter.debug.out: generated/ti_power_clock_config.c
.
Linking: am62x:r5fss0-0:nortos:ti-arm-clang sbl_keywriter.debug.out ...
Linking: am62x:r5fss0-0:nortos:ti-arm-clang sbl_keywriter.debug.out Done !!!
.
Boot image: am62x:r5fss0-0:nortos:ti-arm-clang /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/sbl_keywriter.debug.tiimage ...
Traceback (most recent call last):
File "/home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/tools/boot/signing/rom_image_gen.py", line 339, in <module>
cert_str = get_cert(args)
File "/home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/tools/boot/signing/rom_image_gen.py", line 234, in get_cert
full_image_size = os.path.getsize(args.sbl_bin) + os.path.getsize(args.sysfw_bin) + os.path.getsize(args.boardcfg_blob)
File "/usr/lib/python3.8/genericpath.py", line 50, in getsize
return os.stat(filename).st_size
FileNotFoundError: [Errno 2] No such file or directory: '/home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/tifs/sbl_keywriter/keywr_bin/am62x/sysfw_keywr.bin'
naresh@naresh-ThinkPad-E15-Gen-2:~/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang$ vim /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/tools/boot/sig

Please find the OTP keywriter document

5074.AM62X_OTP_Keywriter_User_Guide_09_00_00.pdf

Please help me on this.

Thanks,

Naresh

  • Hi Hong ,

    This is a path issue. I corrected it in the Makefile.

    So the build compiled successfully. Please find the logs.

    ~/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang$ make -sj PROFILE=debug
    Generating SysConfig files ...
    Running script...
    Validating...
    Generating Code (example.syscfg)...
    Writing /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/generated/ti_dpl_config.c...
    Writing /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/generated/ti_dpl_config.h...
    Writing /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/generated/ti_drivers_config.c...
    Writing /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/generated/ti_drivers_config.h...
    Writing /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/generated/ti_drivers_open_close.c...
    Writing /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/generated/ti_drivers_open_close.h...
    Writing /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/generated/ti_pinmux_config.c...
    Writing /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/generated/ti_power_clock_config.c...
    Writing /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/generated/ti_board_config.c...
    Writing /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/generated/ti_board_config.h...
    Writing /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/generated/ti_board_open_close.c...
    Writing /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/generated/ti_board_open_close.h...
    Compiling: am62x:r5fss0-0:nortos:ti-arm-clang sbl_keywriter.debug.out: ../main.c
    Compiling: am62x:r5fss0-0:nortos:ti-arm-clang sbl_keywriter.debug.out: ../keywriter_utils.c
    Compiling: am62x:r5fss0-0:nortos:ti-arm-clang sbl_keywriter.debug.out: ../board.c
    Compiling: am62x:r5fss0-0:nortos:ti-arm-clang sbl_keywriter.debug.out: generated/ti_drivers_config.c
    Compiling: am62x:r5fss0-0:nortos:ti-arm-clang sbl_keywriter.debug.out: generated/ti_drivers_open_close.c
    Compiling: am62x:r5fss0-0:nortos:ti-arm-clang sbl_keywriter.debug.out: generated/ti_board_config.c
    Compiling: am62x:r5fss0-0:nortos:ti-arm-clang sbl_keywriter.debug.out: generated/ti_board_open_close.c
    Compiling: am62x:r5fss0-0:nortos:ti-arm-clang sbl_keywriter.debug.out: generated/ti_dpl_config.c
    Compiling: am62x:r5fss0-0:nortos:ti-arm-clang sbl_keywriter.debug.out: generated/ti_pinmux_config.c
    Compiling: am62x:r5fss0-0:nortos:ti-arm-clang sbl_keywriter.debug.out: generated/ti_power_clock_config.c
    .
    Linking: am62x:r5fss0-0:nortos:ti-arm-clang sbl_keywriter.debug.out ...
    Linking: am62x:r5fss0-0:nortos:ti-arm-clang sbl_keywriter.debug.out Done !!!
    .
    Boot image: am62x:r5fss0-0:nortos:ti-arm-clang /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/sbl_keywriter.debug.tiimage ...
    Boot image: am62x:r5fss0-0:nortos:ti-arm-clang /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/sbl_keywriter.debug.tiimage Done !!!


    ~/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang$ ls -l tiboot3.bin
    -rw-rw-r-- 1 naresh naresh 278555 Mar 21 09:45 tiboot3.bin

    Whatever I followed, the above steps are fine, right?

    Kindly confirm, Hong.

    Thanks,

    Naresh

  • HI Hong ,

    JFYI, we replaced the GP SoC with an HS-FS SoC.

    I just loaded the DFU-USB bootloader images (tiboot3-am62x-hs-fs-evm.bin, tispl.bin, u-boot.img) and the eMMC U-Boot images (tiboot3-am62x-hs-fs-evm.bin, tispl.bin, u-boot.img).

    I didn't flash the image below yet.

    ~/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang$ ls -l tiboot3.bin
    -rw-rw-r-- 1 naresh naresh 278555 Mar 21 09:45 tiboot3.bin

    I even got the logs below showing that Authentication passed.

    U-Boot SPL 2023.04-00001-gf5b119738d-dirty (Mar 21 2024 - 10:23:43 +0530)
    SYSFW ABI: 3.1 (firmware rev 0x0009 '9.0.5--v09.00.05 (Kool Koala)')
    SPL initial stack usage: 13376 bytes
    Trying to boot from MMC1
    Authentication passed
    Authentication passed
    Authentication passed
    Authentication passed
    Authentication passed
    Starting ATF on ARM64 core...

    NOTICE: BL31: v2.8(release):v2.8-226-g2fcd408bb3-dirty
    NOTICE: BL31: Built : 00:42:57, Jan 13 2023

    U-Boot SPL 2023.04-00001-gf5b119738d-dirty (Mar 21 2024 - 10:24:47 +0530)
    SYSFW ABI: 3.1 (firmware rev 0x0009 '9.0.5--v09.00.05 (Kool Koala)')
    SPL initial stack usage: 1856 bytes
    MMC: no card present
    ** Bad device specification mmc 1 **
    Couldn't find partition mmc 1:1
    Error: could not access storage.
    Trying to boot from MMC1
    Authentication passed
    Authentication passed


    U-Boot 2023.04-00001-gf5b119738d-dirty (Mar 21 2024 - 10:24:47 +0530)

    SoC: AM62X SR1.0 HS-FS
    Model: Texas Instruments AM625 SK
    EEPROM not available at 80, trying to read at 81
    Reading on-board EEPROM at 0x51 failed -121
    DRAM: 2 GiB
    Core: 71 devices, 31 uclasses, devicetree: separate
    MMC: mmc@fa10000: 0, mmc@fa00000: 1
    Loading Environment from nowhere... OK
    In: serial
    Out: serial
    Err: serial
    EEPROM not available at 80, trying to read at 81
    Reading on-board EEPROM at 0x51 failed -121
    Net: eth0: ethernet@8000000port@1
    Hit any key to stop autoboot: 0
    switch to partitions #0, OK
    mmc0(part 0) is current device
    SD/MMC found on device 0
    Failed to load 'boot.scr'
    Can't set block device
    ## Error: "main_cpsw0_qsgmii_phyinit" not defined
    21340672 bytes read in 330 ms (61.7 MiB/s)
    45425 bytes read in 15 ms (2.9 MiB/s)
    Working FDT set to 88000000
    ## Flattened Device Tree blob at 88000000
    Booting using the fdt blob at 0x88000000
    Working FDT set to 88000000
    ERROR: reserving fdt memory region failed (addr=ff700000 size=8ca000 flags=4)
    Loading Device Tree to 000000008fef1000, end 000000008fffffff ... OK
    Working FDT set to 8fef1000

    Starting kernel ...

    [ 0.000000] Booting Linux on physical CPU 0x0000000000 [0x410fd034]
    [ 0.000000] Linux version 6.1.33 (naresh@naresh-ThinkPad-E15-Gen-2) (aarch64-none-linux-gnu-gcc (Arm GNU T4
    [ 0.000000] Machine model: Texas Instruments AM625 SK TESSS
    [ 0.000000] earlycon: ns16550a0 at MMIO32 0x0000000002800000 (options '')
    [ 0.000000] printk: bootconsole [ns16550a0] enabled
    [ 0.000000] efi: UEFI not found.
    [ 0.000000] Reserved memory: created CMA memory pool at 0x00000000f7600000, size 128 MiB
    [ 0.000000] OF: reserved mem: initialized node linux,cma, compatible id shared-dma-pool
    [ 0.000000] Reserved memory: created DMA memory pool at 0x000000009c800000, size 3 MiB
    [ 0.000000] OF: reserved mem: initialized node ipc-memories@9c800000, compatible id shared-dma-pool
    [ 0.000000] Reserved memory: created DMA memory pool at 0x000000009cb00000, size 1 MiB
    [ 0.000000] OF: reserved mem: initialized node m4f-dma-memory@9cb00000, compatible id shared-dma-pool
    [ 0.000000] Reserved memory: created DMA memory pool at 0x000000009cc00000, size 14 MiB
    [ 0.000000] OF: reserved mem: initialized node m4f-memory@9cc00000, compatible id shared-dma-pool
    [ 0.000000] Reserved memory: created DMA memory pool at 0x000000009da00000, size 1 MiB
    [ 0.000000] OF: reserved mem: initialized node r5f-dma-memory@9da00000, compatible id shared-dma-pool
    [ 0.000000] Reserved memory: created DMA memory pool at 0x000000009db00000, size 12 MiB
    [ 0.000000] OF: reserved mem: initialized node r5f-memory@9db00000, compatible id shared-dma-pool
    [ 0.000000] Zone ranges:
    [ 0.000000] DMA [mem 0x0000000080000000-0x00000000ffffffff]
    [ 0.000000] DMA32 empty
    [ 0.000000] Normal empty
    [ 0.000000] Movable zone start for each node
    [ 0.000000] Early memory n

    ..........................................

    and device is booted .

    Please let me know what we will observe after flashing the "tiboot3.bin" (which is compiled to convert the HS-FS device into a secure one).

    Note :

    SoC: AM62X SR1.0 HS-FS
    Model: Texas Instruments AM625 SK
    EEPROM not available at 80, trying to read at 81
    Reading on-board EEPROM at 0x51 failed -121

    Trying to boot from MMC1
    Authentication passed
    Authentication passed
    Authentication passed
    Authentication passed
    Authentication passed
    Starting ATF on ARM64 core...

    => Above logs for authentication of ATF,TEE,DM-FW,A53-SPL,A53-SPL-DTB

    Trying to boot from MMC1
    Authentication passed
    Authentication passed

    => Above logs for A53 uboot and A53 uboot dtb authentication .

    Please confirm below points:

    • With the above logs, we can confirm that the flashed images are signed images and that they are authenticated successfully, right?
    • The HS-FS device is still not yet made secure, right? If it is secure then we can observe in the logs SoC: AM62X SR1.0 HS-SE; only by this name can we say that the HS-FS device is secured and converted into HS-SE.

    Thank you.

    Thanks,

    Naresh.

  • Hi Naresh,

    I will be assisting you on this thread.

    HS-FS device still not yet made secure right ? if it secure then we can observe in logs as SoC: AM62X SR1.0 HS-SE ,using this name only can we say that HS-FS device is secured and converted into HS-SE .

    This is correct. Once the device is converted into HSSE, the A53 U-Boot logs will display the device type as HS-SE.

    ./gen_keywr_cert.sh --msv 0xC0FFE -t tifek/ti_fek_public.pem

    The keywriter certificate generated with this command will not convert the device into HS-SE. You need to program the SMPK/SMEK, BMPK/BMEK, KEYCNT, KEYREV fields.

    Please refer to the section 3.2.2 Program Everything in One Shot in the OTP Keywriter User Guide.

    You can also refer to the following Academy guide

    https://dev.ti.com/tirex/explore/node?node=A__AagJ-8QGXM582KzTgxFZbA__AM62-ACADEMY__uiYMDcq__LATEST

    Regards,

    Prashant
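A console-log check for the two points confirmed above, added here as an example (not part of the thread or TI's tooling): it reads the device type from the U-Boot `SoC:` line and counts `Authentication passed` lines per `Trying to boot from` stage. The sample log is constructed from lines quoted in this thread; the function names and the rule that every stage must show at least one pass are assumptions.

```shell
#!/bin/sh
# Added example: summarise a captured AM62x serial console log.

# Constructed sample, trimmed from the HS-FS boot log quoted in this thread.
sample_log() {
    cat <<'EOF'
U-Boot SPL 2023.04-00001-gf5b119738d-dirty (Mar 21 2024 - 10:23:43 +0530)
Trying to boot from MMC1
Authentication passed
Authentication passed
Authentication passed
Authentication passed
Authentication passed
Starting ATF on ARM64 core...
U-Boot SPL 2023.04-00001-gf5b119738d-dirty (Mar 21 2024 - 10:24:47 +0530)
Trying to boot from MMC1
Authentication passed
Authentication passed
U-Boot 2023.04-00001-gf5b119738d-dirty (Mar 21 2024 - 10:24:47 +0530)
SoC: AM62X SR1.0 HS-FS
Model: Texas Instruments AM625 SK
EOF
}

# Reads a console log on stdin and prints one line:
#   type=<HS-FS|HS-SE|unknown> auth=<passes in stage 1>,<stage 2>,...
# A new stage starts at every "Trying to boot from" line.
summarize_boot_log() {
    awk '
        /Trying to boot from/   { stage++; n[stage] = 0; next }
        /Authentication passed/ { if (stage > 0) n[stage]++; next }
        /SoC:/ && type == "" {
            if (match($0, /HS-(FS|SE)/)) type = substr($0, RSTART, RLENGTH)
        }
        END {
            if (type == "") type = "unknown"
            out = ""
            for (i = 1; i <= stage; i++) out = out (i > 1 ? "," : "") n[i]
            printf "type=%s auth=%s\n", type, (out == "" ? "none" : out)
        }'
}

# Returns 0 only if the log reports HS-SE and every boot stage shows at
# least one authentication pass (assumed acceptance rule, not TI's).
confirm_hs_se() {
    summary=$(summarize_boot_log)
    echo "$summary"
    case $summary in
        "type=HS-SE auth="*) ;;
        *) return 1 ;;
    esac
    case ",${summary#*auth=}," in
        *,0,*|*,none,*) return 1 ;;
    esac
    return 0
}

# Stand-alone use: ./check_boot_log.sh console.log
if [ "$#" -ge 1 ]; then
    confirm_hs_se < "$1"
    exit $?
fi
```

On the HS-FS log from this thread the summary is `type=HS-FS auth=5,2`, so `confirm_hs_se` fails until the keywriter has been run and the `SoC:` line reports HS-SE.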

  • Hi Prashanth , 

    Thanks for confirmation .

    Please find below commands.

    • ./gen_keywr_cert.sh -t tifek/ti_fek_public.pem --msv 0xC0FFE -b keys_devel/bmpk.pem --bmek keys_devel/bmek.key -s keys_devel/smpk.pem --smek keys_devel/smek.key --keycnt 2 --keyrev 1
    •  python3 ../../../../../tools/bin2c/bin2c.py final_certificate.bin keycert.h KEYCERT
    •   make -sj clean PROFILE=debug
    • make -sj PROFILE=debug  

    So, with the above commands, the generated keywriter binary (tiboot3.bin) will convert the HS-FS device into a secure one after flashing, right?

    Please find below steps and along with logs : 

    ~/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/scripts/cert_gen/am62x$ ./gen_keywr_cert.sh -t tifek/ti_fek_public.pem --msv 0xC0FFE -b keys_devel/bmpk.pem --bmek keys_devel/bmek.key -s keys_devel/smpk.pem --smek keys_devel/smek.key --keycnt 2 --keyrev 1
    # Using MSV[19:0]: 0x000C0FFE
    # Using Key Count: 0x00000003
    # Using Key Rev: 0x00000001
    Generating Dual signed certificate!!
    GEN: AES256 key generated, since not provided
    # encrypt aes256 key with tifek public part
    # encrypt SMPK-priv signed aes256 key(hash) with tifek public part
    # encrypt smpk-pub hash using aes256 key
    writing RSA key
    # encrypt smek (sym key) using aes256 key
    # encrypt BMPK-priv signed aes256 key(hash) with tifek public part
    # encrypt bmpk-pub hash using aes256 key
    writing RSA key
    # encrypt bmek (sym key) using aes256 key
    1668 secondary_cert.bin
    5383 primary_cert.bin
    7051 ../../x509cert/final_certificate.bin
    # SHA512 Hashes of keys are stored in verify_hash.csv for reference..

    ~/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/scripts/cert_gen/am62x$ cd ../../x509cert/
    ~/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/scripts/x509cert$ python3 ../../../../../tools/bin2c/bin2c.py final_certificate.bin keycert.h KEYCERT

    ~/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/scripts/x509cert$
    naresh@naresh-ThinkPad-E15-Gen-2:~/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/scripts/x509cert$ ls
    final_certificate.bin keycert.h

    ~/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/scripts/x509cert$ cd ../../am62x-sk/r5fss0-0_nortos/ti-arm-clang/


    ~/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang$ make -sj clean PROFILE=debug
    Cleaning: am62x:r5fss0-0:nortos:ti-arm-clang sbl_keywriter.debug.out ...


    ~/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang$ make -sj PROFILE=debug

    Generating SysConfig files ...
    Running script...
    Validating...
    Generating Code (example.syscfg)...
    Writing /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/generated/ti_dpl_config.c...
    Writing /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/generated/ti_dpl_config.h...
    Writing /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/generated/ti_drivers_config.c...
    Writing /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/generated/ti_drivers_config.h...
    Writing /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/generated/ti_drivers_open_close.c...
    Writing /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/generated/ti_drivers_open_close.h...
    Writing /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/generated/ti_pinmux_config.c...
    Writing /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/generated/ti_power_clock_config.c...
    Writing /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/generated/ti_board_config.c...
    Writing /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/generated/ti_board_config.h...
    Writing /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/generated/ti_board_open_close.c...
    Writing /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/generated/ti_board_open_close.h...
    Compiling: am62x:r5fss0-0:nortos:ti-arm-clang sbl_keywriter.debug.out: ../main.c
    Compiling: am62x:r5fss0-0:nortos:ti-arm-clang sbl_keywriter.debug.out: ../keywriter_utils.c
    Compiling: am62x:r5fss0-0:nortos:ti-arm-clang sbl_keywriter.debug.out: ../board.c
    Compiling: am62x:r5fss0-0:nortos:ti-arm-clang sbl_keywriter.debug.out: generated/ti_drivers_config.c
    Compiling: am62x:r5fss0-0:nortos:ti-arm-clang sbl_keywriter.debug.out: generated/ti_drivers_open_close.c
    Compiling: am62x:r5fss0-0:nortos:ti-arm-clang sbl_keywriter.debug.out: generated/ti_board_config.c
    Compiling: am62x:r5fss0-0:nortos:ti-arm-clang sbl_keywriter.debug.out: generated/ti_board_open_close.c
    Compiling: am62x:r5fss0-0:nortos:ti-arm-clang sbl_keywriter.debug.out: generated/ti_dpl_config.c
    Compiling: am62x:r5fss0-0:nortos:ti-arm-clang sbl_keywriter.debug.out: generated/ti_pinmux_config.c
    Compiling: am62x:r5fss0-0:nortos:ti-arm-clang sbl_keywriter.debug.out: generated/ti_power_clock_config.c
    .
    Linking: am62x:r5fss0-0:nortos:ti-arm-clang sbl_keywriter.debug.out ...
    Linking: am62x:r5fss0-0:nortos:ti-arm-clang sbl_keywriter.debug.out Done !!!
    .
    Boot image: am62x:r5fss0-0:nortos:ti-arm-clang /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/sbl_keywriter.debug.tiimage ...
    Boot image: am62x:r5fss0-0:nortos:ti-arm-clang /home/naresh/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/sbl_keywriter.debug.tiimage Done !!!
    .
    ~/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang$ ls -l tiboot3.bin
    -rw-rw-r-- 1 naresh naresh 281627 Mar 21 12:39 tiboot3.bin

    Kindly confirm  , Thank you ....

    Regards,

    Naresh.

  • Hi Naresh,

    Yes, the tiboot3.bin generated with those commands will convert the device into HSSE.

    Please note the keys programmed will be TI dummy keys. This is great for testing as it will require no changes in SDK like changing the keys and all. However, in production, you would want to program your own custom keys.

    Regards,

    Prashant

  • Hi Prashanth ,

    Thanks for your quick response!

    JFYI, for booting/flashing purposes we are using the DFU-USB method on my AM6231 custom device.

    I have a few queries on secure boot. Kindly help me with the points below.

    Query 1: How do I boot/flash the generated keywriter binary (tiboot3.bin) in order to convert from "HS-FS to HS-SE"? Do I have to flash this keywriter binary into eMMC from U-Boot, or do I just need to load this binary (not from U-Boot)?

    Because the HS-FS device already has the bootloader images (tiboot3-am62x-hs-fs.bin, tispl.bin, u-boot.img) and kernel images flashed into eMMC, when I switch on the board it boots to U-Boot, and if we do not stop it then it boots to the kernel. So my question is: in U-Boot, should I flash this keywriter binary into eMMC to convert the HS-FS device into HS-SE?

    Query 2: This keywriter binary (tiboot3.bin) was generated with some X keys as above. After flashing/loading the keywriter binary, the device is converted into HS-SE. In order to boot the device I have to sign the images with the same X keys, so with those signed images the device should boot.

    Please help with the steps to sign the images (bootloader images, kernel, DTB) with the same X keys which we used for the keywriter binary.

    If we do not sign the images with the same X keys which we used for the keywriter binary, then the device won't boot, right?

    So, kindly help me with how to sign the U-Boot images and the kernel, DTB and FIT images with the same keys which we used for the keywriter binary.

    Sorry if my queries are dumb...

    Thanking you in advance.

    Regards,

    Naresh

  • Hi Naresh,

    Query 1 : How to boot/flash Generated key writter binary (tiboot3.bin) in order to convert from  "HS-FS to HS-SE "?

    The Keywriter tiboot3.bin can be booted over any ROM supported boot media.

    Please follow the guide below for USB DFU

    https://dev.ti.com/tirex/explore/node?node=A__AfTbl6-QQ9.goHdZtWK8.w__AM62-ACADEMY__uiYMDcq__LATEST

    Please help with the steps how to signed the images (bootloader images &kernel ,dtb ) with the same x keys which we used for key writter binary ?

    All the SDKs already use TI dummy keys for signing images for the HSSE board. Since you are programming TI dummy keys here, you don't need to perform any extra steps. You can build the SDK as usual. You only need to make sure you are using the HSSE tiboot3.bin from the SDK.

    https://e2e.ti.com/e2eprivate/processors-security/processsors_security_support/f/processsors-security-support---forum/1327000/processor-sdk-am62x-am6254-signature-verification-failure

    Regards,

    Prashant

  • Hi Prashanth ,

    Thanks for Quick response.

    I understood that the keywriter binary needs to be loaded/booted the same way we load the DFU-USB images to the board (the keywriter binary should not be flashed to eMMC).

    Could you please help me check the TI dummy keys which are used to sign the images by default?

    I am interested in checking in which files and where we have to set the keys to sign the images in the respective source code (U-Boot source code and kernel source code). Could you help me check?

    As per your comments, the Linux source code / U-Boot source by default generate signed images (U-Boot signed images and kernel signed images) using the TI dummy keys. But I just want to test flashing unsigned images on the board in order to validate whether the device will boot or not. How do I compile and generate the unsigned images?

    I also want to check a negative test case: I want to sign the images with a wrong key / other key instead of the TI dummy keys and validate whether they boot the device or not.

    Please help me on above points .

    Thanking you.

    Regards,

    Naresh

  • Hi Naresh,

    In the OTP Keywriter, the TI dummy keys are present as shown

    ~/ti/otp_keywriter/am62x/09_00_00/sbl_keywriter/scripts/cert_gen/am62x/keys_devel
    ❯ ls -l
    total 16
    -rw-rw-r-- 1 p-shivhare p-shivhare   32 Jul 28  2023 bmek.key
    -rw-rw-r-- 1 p-shivhare p-shivhare 3243 Jul 28  2023 bmpk.pem
    -rw-rw-r-- 1 p-shivhare p-shivhare   32 Jul 28  2023 smek.key
    -rw-rw-r-- 1 p-shivhare p-shivhare 3243 Jul 28  2023 smpk.pem
    
    ~/ti/otp_keywriter/am62x/09_00_00/sbl_keywriter/scripts/cert_gen/am62x/keys_devel
    ❯ md5sum smpk.pem
    bd90ee9fe69667315eeee32bc7a01b39  smpk.pem
    

    In the PSDK v9.1, the `smpk.pem` is present as `custMpk.pem`

    ~/ti/psdk/am62x/09.01.00.08/board-support/ti-u-boot-2023.04+gitAUTOINC+b0d717b732-gb0d717b732/board/ti/keys
    ❯ ls -l custMpk.pem
    -rw-r--r-- 1 p-shivhare p-shivhare 3243 Dec 14 14:48 custMpk.pem
    
    ~/ti/psdk/am62x/09.01.00.08/board-support/ti-u-boot-2023.04+gitAUTOINC+b0d717b732-gb0d717b732/board/ti/keys
    ❯ md5sum custMpk.pem
    bd90ee9fe69667315eeee32bc7a01b39  custMpk.pem
    

    This `custMpk.pem` is used for signing all the images in the SDK. In case you are using custom keys, you are supposed to replace this key.

    e2e.ti.com/.../am625-what-is-the-function-of-custmpk-crt-file-how-to-generate-this-file-using-customer-own-key

    e2e.ti.com/.../processor-sdk-am64x-how-to-sign-files-using-customer-key-in-sdk9-0

    Regards,

    Prashant
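The check shown in the reply above (same digest for the keywriter's `smpk.pem` and the SDK's `custMpk.pem`), written as a pre-build script. This is an added example, not part of the thread or TI's tooling; the function names, exit codes and the production-mode rules (reject the TI dummy key, reject group/world-accessible key files) are assumptions.

```shell
#!/bin/sh
# Added example: verify that the key the SDK signs with is the key whose hash
# the keywriter certificate programs, before any image is built or fused.

# MD5 of the TI dummy smpk.pem / custMpk.pem as quoted in this thread.
# Overridable so the check can be exercised with constructed files.
TI_DUMMY_MD5="${TI_DUMMY_MD5:-bd90ee9fe69667315eeee32bc7a01b39}"

file_md5() {
    md5sum "$1" | awk '{ print $1 }'
}

# Group+other permission characters of a file, e.g. "------" for mode 600.
group_other_perms() {
    ls -ld "$1" | cut -c5-10
}

# check_signing_key <keywriter smpk.pem> <SDK custMpk.pem> [test|production]
# Prints a one-line verdict. Return codes (assumed convention):
#   0 ok   1 file missing   2 keys differ
#   3 TI dummy key used in production   4 key file readable by group/others
check_signing_key() {
    smpk=$1
    cust=$2
    mode=${3:-test}

    for f in "$smpk" "$cust"; do
        if [ ! -f "$f" ] || [ ! -r "$f" ]; then
            echo "MISSING: $f"
            return 1
        fi
    done

    # Byte-for-byte comparison; the thread compares md5sum output instead.
    if ! cmp -s "$smpk" "$cust"; then
        echo "MISMATCH: images signed with $cust will not authenticate against $smpk"
        return 2
    fi

    if [ "$mode" = production ]; then
        if [ "$(file_md5 "$cust")" = "$TI_DUMMY_MD5" ]; then
            echo "DUMMY_KEY: $cust is the TI dummy key"
            return 3
        fi
        for f in "$smpk" "$cust"; do
            if [ "$(group_other_perms "$f")" != "------" ]; then
                echo "PERMS: $f is accessible to group or others"
                return 4
            fi
        done
    fi

    echo "OK: $cust matches $smpk ($mode)"
    return 0
}

# Stand-alone use:
#   ./check_signing_key.sh keys/smpk.pem board/ti/keys/custMpk.pem production
if [ "$#" -ge 2 ]; then
    check_signing_key "$@"
    exit $?
fi
```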

  • Hi Prashanth , 

    Thank you for your comments .

    I was not able to open the links below.

    e2e.ti.com/.../am625-compiling-with-custom-keys-in-yocto-build
    e2e.ti.com/.../am625-secure-boot-and-compiling

    unsigned

    Could you please help me with how to compile and generate the unsigned images? I need to test unsigned images on an HS-SE secure device.

    Thanks,

    Naresh

  • Hi Naresh,

    I could not able open theese below links .

    Those links are from the Private Security Support forum. I will talk to Hong who can give you access to this forum.

    Could you please help me how to compile and generate the unsigned images ? . needs to test unsigned images on HS-SE secure devce

    You can replace the `custMpk.pem` with any random key.

    For example, you can create the random keys with `gen_keywr_cert.sh` in the OTP Keywriter and use that to sign the images. If your device is HSSE then the images signed with these random keys will fail to boot.

    ~/ti/otp_keywriter/am62x/09_00_00/sbl_keywriter/scripts/cert_gen/am62x
    ❯ ./gen_keywr_cert.sh -g
    # Generating random keys in keys/folder
    Generating RSA private key, 4096 bit long modulus (2 primes)
    .............................++++
    ............................................................................................++++
    e is 65537 (0x010001)
    Generating RSA private key, 4096 bit long modulus (2 primes)
    ..............................++++
    .........................................................................................................................................................................................................................................++++
    e is 65537 (0x010001)
    
    ~/ti/otp_keywriter/am62x/09_00_00/sbl_keywriter/scripts/cert_gen/am62x
    ❯ ls -l keys/smpk.pem
    -rw------- 1 p-shivhare p-shivhare 3243 Mar 22 15:47 keys/smpk.pem
    

    Regards,

    Prashant

  • Hi Prashant,

    Thank you so much for the answers.

    I have learnt many things from you about secure boot.

    I will follow the steps below to sign the U-Boot build using custom keys for the HS-SE device:

    • Generated the random key using the command below:

    ~/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/scripts/cert_gen/am62x$ ./gen_keywr_cert.sh -g
    # Generating random keys in keys/folder
    Generating RSA private key, 4096 bit long modulus (2 primes)
    ............................................................................................................++++
    ................................++++
    e is 65537 (0x010001)
    Generating RSA private key, 4096 bit long modulus (2 primes)
    .........................................................................................++++
    ...........................................................................++++
    e is 65537 (0x010001)

    • Copied the custom generated key "smpk.pem" to the U-Boot build (path: "ti-u-boot/board/ti/keys"), renamed "smpk.pem" to "custMpk.pem", and started the U-Boot build using the commands below.
      1. make ARCH=arm CROSS_COMPILE=arm-none-linux-gnueabihf- am62x_evm_r5_defconfig
      2. make ARCH=arm CROSS_COMPILE=arm-none-linux-gnueabihf- -j32
      3. make -j 12 ARCH=arm CROSS_COMPILE=arm-none-linux-gnueabihf- BINMAN_INDIRS=../../prebuilt-images/am62xx-evm
      4. make ARCH=arm CROSS_COMPILE=aarch64-none-linux-gnu- am62x_evm_a53_defconfig
      5. make -j 12 ARCH=arm CROSS_COMPILE=aarch64-none-linux-gnu- BINMAN_INDIRS=../prebuilt-images/am62xx-evm BL31=../../prebuilt-images/am62xx-evm/bl31.bin TEE=../../prebuilt-images/am62xx-evm/bl32.bin
    • Then the U-Boot images would be signed with the custom keys.

    Query 1: Please confirm whether the mentioned steps are valid for signing the U-Boot build using custom keys.

    Query 2: How do I sign the kernel/dtb/FIT image from the kernel build using custom keys?

    As with the U-Boot build, where the custom key is placed at "board/ti/keys", where can we see the keys in the kernel, and how do we compile it?

    And how do I generate the FIT image?

    Note: I am building/compiling the U-Boot/Linux sources standalone, not building in the SDK.

    Please confirm my queries. Thank you.

    Thanks,

    Naresh.
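Before running the build steps in the post above, it is worth confirming that `board/ti/keys/custMpk.pem` really holds the key pair from the keywriter's `keys/smpk.pem`, since images signed with any other key fail to boot on an HS-SE device. The script below is an added example, not part of the thread or of TI's tooling; the function names and the SHA-256 comparison fingerprint are assumptions of this example, and it needs only `openssl`.

```shell
#!/bin/sh
# Added example (not TI tooling): confirm that the key U-Boot will sign with
# is the same key pair that gen_keywr_cert.sh -g wrote to keys/smpk.pem.

# SHA-256 over the DER-encoded public half of a PEM private key.
# Comparison aid only (assumption); not the hash format written to eFuses.
pubkey_fingerprint() {
    [ -r "$1" ] || return 2
    der=$(mktemp) || return 2
    if openssl pkey -in "$1" -pubout -outform DER -out "$der" \
            </dev/null 2>/dev/null; then
        openssl dgst -sha256 -r "$der" | cut -d' ' -f1
        rc=0
    else
        rc=2
    fi
    rm -f "$der"
    return "$rc"
}

# 0: same key pair, 1: different keys, 2: a file is not a readable private key.
same_signing_key() {
    a=$(pubkey_fingerprint "$1") || return 2
    b=$(pubkey_fingerprint "$2") || return 2
    [ "$a" = "$b" ]
}

# True when the mode string shows no group/other access (e.g. -rw-------).
key_file_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Report on a keywriter key ($1) and the copy placed in the U-Boot tree ($2).
check_signing_key() {
    rc=0; same_signing_key "$1" "$2" || rc=$?
    case $rc in
        0) echo "OK: $2 holds the same key pair as $1" ;;
        1) echo "MISMATCH: $2 is a different key from $1"; return 1 ;;
        *) echo "ERROR: could not parse one of the key files"; return 2 ;;
    esac
    key_file_is_private "$2" || echo "WARN: $2 is readable by group/other"
}

# Usage: sh check_keys.sh keys/smpk.pem ti-u-boot/board/ti/keys/custMpk.pem
# With no arguments, run on constructed throwaway keys (2048-bit to keep the
# demo fast; the keywriter script generates 4096-bit keys).
if [ "$#" -eq 2 ]; then
    check_signing_key "$1" "$2"
else
    tmp=$(mktemp -d)
    openssl genrsa -out "$tmp/smpk.pem" 2048 2>/dev/null
    openssl genrsa -out "$tmp/stale.pem" 2048 2>/dev/null
    cp "$tmp/smpk.pem" "$tmp/custMpk.pem"
    chmod 600 "$tmp/custMpk.pem"
    check_signing_key "$tmp/smpk.pem" "$tmp/custMpk.pem"
    check_signing_key "$tmp/smpk.pem" "$tmp/stale.pem" || true
    rm -rf "$tmp"
fi
```

Running the same comparison against the key referenced when the keywriter certificate was generated catches a stale `custMpk.pem` before any eFuse is written.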

  • Hi Prashant,

    Any update on the above queries?

    Thanks,

    Naresh

  • Hi Naresh,

    Query 1 => If you have been using those steps to build U-Boot till now then the same steps will work for signing with the custom keys.

    Query 2 => May I know how have you been generating fitimage till now?

    Regards,

    Prashant

  • Hi Prashant,

    Query 1 is clear now.

    Regarding Query 2:

    Actually, till now we used a GP chip, for which we didn't require a kernel FIT image, so we didn't generate the FIT image from the standalone kernel source code.

    Now we have replaced it with the HS-FS chip and are converting HS-FS to an HS-SE secure device.

    AFAIK, HS-SE requires a kernel FIT image, so could you please help me with how to generate the kernel FIT image?

    Also, please help me with where the keys are available in the kernel source code.

    Thanks,

    Naresh.

  • Hi Naresh,

    Please refer to the following guide for fitimage generation

    software-dl.ti.com/.../Foundational_Components_Kernel_Users_Guide.html#creating-the-kernel-fitimage-for-high-security-device-gp-devices

    The keys used in fitimage generation are the ones used in U-Boot build.

    Regards,

    Prashant

  • Hi Prashant,

    Thanks for the detailed explanation about compiling and generating U-Boot and Linux builds with a custom key.

    Actually, we are about to load the keywriter binary into the eFuses.

    But the SoC VPP should be 1.8V while blowing the eFuses, right?

    Note: we are using only the DFU-USB method for flashing/booting.

    Query 1: The DFU-USB port can be accessed to flash the keywriter binary only up to the U-Boot prompt, but my concern is how we can enable the SoC VPP with 1.8V at the same time.

    Here is the problem: programming/loading/booting the keywriter binary into the eFuses using dfu-util can be done before U-Boot only (because DFU-USB/dfu-util support is available only till U-Boot; in the kernel we can't access the dfu-util tool).

    Query 2: Suppose we boot the device with HS-FS images till the kernel, where we can enable the SoC VPP with 1.8V using GPIOs, but there I can't access the DFU-USB port to load the keywriter binary.

    Can we enable the SoC VPP pin with 1.8V from the hardware side? But the datasheet mentions that we can't enable the SoC VPP with 1.8V before booting.

    Thanks,

    Naresh

  • Hi Naresh,

    The OTP Keywriter image is booted independent of anything. If you are using USB DFU, you only need to put the board in DFU boot mode and simply send the keywriter `tiboot3.bin` using dfu-util.

    Step 4: Boot and Run the Keywriter (ti.com)

    The VPP is also enabled in the OTP Keywriter source code itself via the keywriter_setVpp function defined in <opt_keywr_path>/sbl_keywriter/am62x-sk/r5fss0-0_nortos/board.c

    In case you are using a custom board, you would need to modify this function definition to enable VPP.

    Regards,

    Prashant

  • Hi Prashant,

    For the AM62X-EVM, the VPP pin is controlled through an IO expander, which has an I2C interface.

    So, in the board.c file, I2C functions are used to enable the SoC VPP pin with 1.8V.

    But on my custom board, we have directly given VPP_LDO_EN to the SoC; we are not using the IO expander.

    Do you think I am able to control/enable the VPP with 1.8V using the GPIO functions below?

    Please find attached the board.c file where GPIO functions are added to enable the SoC VPP.

    0066.board.c
    /*
     * Copyright (C) 2023 Texas Instruments Incorporated
     *
     * Redistribution and use in source and binary forms, with or without
     * modification, are permitted provided that the following conditions
     * are met:
     *
     *   Redistributions of source code must retain the above copyright
     *   notice, this list of conditions and the following disclaimer.
     *
     *   Redistributions in binary form must reproduce the above copyright
     *   notice, this list of conditions and the following disclaimer in the
     *   documentation and/or other materials provided with the
     *   distribution.
     *
     *   Neither the name of Texas Instruments Incorporated nor the names of
     *   its contributors may be used to endorse or promote products derived
     *   from this software without specific prior written permission.
     *
     * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
     * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
     * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
     * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
     * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
     * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
     * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
     * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
     * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
     * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
     * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
     */
    
    #include <board/ioexp/ioexp_tca6424.h>
    #include <kernel/dpl/CacheP.h>
    
    //TESSOLVE START
    //#include <stdio.h>
    //#include <board/ioexp/gpiod.h>
    //TESSOLVE END
    
    CacheP_Config gCacheConfig = {};
    
    /* VPP LDO ENABLE on AM62X SK */
    #define EFUSE_VPP_PIN (4U)
    
    /* Test LED on AM62X SK */
    #define EFUSE_VPP_PIN_LED (23U)
    
    //TESSOLVE START
    #define GPIO_CHIP_NAME "gpiochip1" // GPIO chip name
    #define SOC_GPIO_PIN_NUMBER 51     // VPP_LDO_EN pin for eFuse
    //TESSOLVE END
    
    void keywriter_setVpp()
    {
    	int32_t status;
    #if 0	
    	//TESSOLVE START
    	
    	struct gpiod_chip *chip;
       	struct gpiod_line *line;
       	int ret;
    
    	// Open the GPIO chip
        	chip = gpiod_chip_open_by_name(GPIO_CHIP_NAME);
        	if (!chip) {
            	perror("Error opening GPIO chip");
            	return 1;
        	}
    
        	// Get the GPIO line
        	line = gpiod_chip_get_line(chip, SOC_GPIO_PIN_NUMBER);
        	if (!line) {
            	perror("Error getting GPIO line");
            	gpiod_chip_close(chip);
            	return 1;
        	}
    
        	// Request the GPIO line
        	ret = gpiod_line_request_output(line, "vpp-gpio", 0);
        	if (ret < 0) {
            	perror("Error requesting GPIO line");
            	gpiod_chip_close(chip);
            	return 1;
        	}
    
        	// Enable the GPIO pin
        	ret = gpiod_line_set_value(line, 1);
        	if (ret < 0) {
            	perror("Error enabling GPIO pin");
            	gpiod_chip_close(chip);
            	return 1;
        	}
    
        	// Close the GPIO chip
        	gpiod_chip_close(chip);
    
        	return 0;
    #endif
    	//TESSOLVE END
    
    	TCA6424_Params TCA6424_IOexp_params =
    	{
    		.i2cInstance = 0,
    		.i2cAddress = 0x22
    	};
    
    	TCA6424_Config TCA6424_IOexp_config;
    
        status = TCA6424_open(&TCA6424_IOexp_config, &TCA6424_IOexp_params);
    
    	/* set VPP core */
        if (status == SystemP_SUCCESS)
    	{
    		status = TCA6424_config(&TCA6424_IOexp_config, EFUSE_VPP_PIN, TCA6424_MODE_OUTPUT);
    	}
    
        if (status == SystemP_SUCCESS)
    	{
        	status = TCA6424_setOutput(&TCA6424_IOexp_config, EFUSE_VPP_PIN, TCA6424_OUT_STATE_HIGH);
    	}
    
    	/* make onboard RED LED on indicating VPP is set. */
        if (status == SystemP_SUCCESS)
    	{
    		status = TCA6424_config(&TCA6424_IOexp_config, EFUSE_VPP_PIN_LED, TCA6424_MODE_OUTPUT);
    	}
    
        if (status == SystemP_SUCCESS)
    	{
        	status = TCA6424_setOutput(&TCA6424_IOexp_config, EFUSE_VPP_PIN_LED, TCA6424_OUT_STATE_HIGH);
    	}
    
        TCA6424_close(&TCA6424_IOexp_config);
    
    	DebugP_assertNoLog(status==SystemP_SUCCESS);
    
    }
    
    

    Is there any alternative way to enable the SoC VPP pin instead of using the keywriter binary? Should I do it with an external jumper, or is it possible to enable the VPP pin through any hardware changes? Please suggest.

    Thanks,

    Naresh

  • Hi Naresh,

    How you enable VPP is completely dependent on the board. As stated in the User Guide, any method can be employed to enable VPP. It is completely up to the board designers.

    In case you are enabling VPP externally, the keywriter_setVpp call needs to be commented out in the source code.

    Regards,

    Prashant

  • Hi Prashant,

    Thank you for the response.

    Currently we are using the GPIO Y23/VOUT0_DATA5 pin from the SoC to enable VPP_LDO. I would like to understand if I can control this GPIO in tiboot3.bin secure sbl_keywriter?

    If yes, kindly help me with reference code.

    regards

    Naresh 

  • Hi Naresh,

    I would like to understand if I can control this GPIO in tiboot3.bin secure sbl_keywriter ?

    You can. You need to add a GPIO pin in Sysconfig and then use the GPIO driver to drive the pin high.

    For reference code, you can go through the GPIO_LED_BLINK example for R5F core in the SDK.

    https://software-dl.ti.com/mcu-plus-sdk/esd/AM62X/09_01_00_39/exports/docs/api_guide_am62x/EXAMPLES_DRIVERS_GPIO_LED_BLINK.html

    Regards,

    Prashant

  • Hi Prashant,

    The changes below were made for my board in the keywriter_setVpp function defined in <opt_keywr_path>/sbl_keywriter/am62x-sk/r5fss0-0_nortos/board.c

    I commented out the existing code in the keywriter_setVpp function and added the code below for enabling VPP.

    #include <board/ioexp/ioexp_tca6424.h>
    #include <kernel/dpl/CacheP.h>
    #include <board/led/led_gpio.h>
    #include <kernel/dpl/AddrTranslateP.h>
    #include <drivers/hw_include/am62x/cslr_soc_baseaddress.h>
    #include <kernel/dpl/ClockP.h>
    #include <drivers/pinmux/am62x/pinmux.h>
    #include "security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/generated/ti_drivers_config.h"

    uint32_t gpioBaseAddr, pinNum;
    //uint32_t delaySec = 10000;

    gpioBaseAddr = (uint32_t) AddrTranslateP_getLocalAddr(CONFIG_GPIO0_BASE_ADDR);
    pinNum = CONFIG_GPIO0_PIN;
    DebugP_log("GPIO BASE ADDRESS =%x\n", gpioBaseAddr);
    DebugP_log("GPIO PIN =%d\n", pinNum);

    //GPIO_setDirMode(object->gpioBaseAddr, object->gpioPinNum, GPIO_DIRECTION_OUTPUT);
    //GPIO_pinWriteHigh(object->gpioBaseAddr, object->gpioPinNum);


    GPIO_setDirMode(gpioBaseAddr, pinNum, GPIO_DIRECTION_OUTPUT);
    GPIO_pinWriteHigh(gpioBaseAddr, pinNum);

    • With the SysConfig tool, I exported the GPIO0_51 pin:
      • ~/ti/mcu_plus_sdk_am62x_09_00_00_19$ make -s -C examples/empty/am62x-sk/system_nortos/ syscfg-gui (OR)
      • ~/ti/mcu_plus_sdk_am62x_09_00_00_19/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang$ make -s syscfg-gui
      • After running this command, it opens the SysConfig GUI, where you can select the GPIO0_51 pin.

    • Then I compiled the keywriter source code and generated the keywriter binary (tiboot3.bin) for fuse blowing.

    I am able to make the device secure, but the kernel Image and dtb are not booting.

    Please help me on this.

    Please find logs:

    U-Boot 2023.04-00001-gf5b119738d-dirty (Mar 22 2024 - 19:14:21 +0530)

    SoC: AM62X SR1.0 HS-SE
    Model: Texas Instruments AM625 SK
    EEPROM not available at 80, trying to read at 81
    Reading on-board EEPROM at 0x51 failed -121
    DRAM: 2 GiB
    Core: 71 devices, 31 uclasses, devicetree: separate
    MMC: mmc@fa10000: 0, mmc@fa00000: 1
    Loading Environment from nowhere... OK
    In: serial
    Out: serial
    Err: serial
    EEPROM not available at 80, trying to read at 81
    Reading on-board EEPROM at 0x51 failed -121
    Net: eth0: ethernet@8000000port@1
    Hit any key to stop autoboot: 0
    => setenv dfu_alt_info ${dfu_alt_info_emmc}
    => dfu 0 mmc 0
    generic_phy_get_bulk : no phys property
    #############################################################################################�
    U-Boot SPL 2023.04-00001-gf5b119738d-dirty (Mar 21 2024 - 10:23:43 +0530)
    SYSFW ABI: 3.1 (firmware rev 0x0009 '9.0.5--v09.00.05 (Kool Koala)')
    SPL initial stack usage: 13376 bytes
    Trying to boot from MMC1
    Authentication passed
    Authentication passed
    Authentication passed
    Authentication passed
    Authentication passed
    Starting ATF on ARM64 core...

    NOTICE: BL31: v2.8(release):v2.8-226-g2fcd408bb3-dirty
    NOTICE: BL31: Built : 00:42:57, Jan 13 2023

    U-Boot SPL 2023.04-00001-gf5b119738d-dirty (Mar 22 2024 - 19:14:21 +0530)
    SYSFW ABI: 3.1 (firmware rev 0x0009 '9.0.5--v09.00.05 (Kool Koala)')
    SPL initial stack usage: 1856 bytes
    MMC: no card present
    ** Bad device specification mmc 1 **
    Couldn't find partition mmc 1:1
    Error: could not access storage.
    Trying to boot from MMC1
    Authentication passed
    Authentication passed


    U-Boot 2023.04-00001-gf5b119738d-dirty (Mar 22 2024 - 19:14:21 +0530)

    SoC: AM62X SR1.0 HS-SE
    Model: Texas Instruments AM625 SK
    EEPROM not available at 80, trying to read at 81
    Reading on-board EEPROM at 0x51 failed -121
    DRAM: 2 GiB
    Core: 71 devices, 31 uclasses, devicetree: separate
    MMC: mmc@fa10000: 0, mmc@fa00000: 1
    Loading Environment from nowhere... OK
    In: serial
    Out: serial
    Err: serial
    EEPROM not available at 80, trying to read at 81
    Reading on-board EEPROM at 0x51 failed -121
    Net: eth0: ethernet@8000000port@1
    Hit any key to stop autoboot: 0
    => setenv dfu_alt_info ${dfu_alt_info_emmc}
    => dfu 0 mmc 0
    generic_phy_get_bulk : no phys property
    #############################################################################################K
    Ctrl+C to exit ...
    => boot
    switch to partitions #0, OK
    mmc0(part 0) is current device
    SD/MMC found on device 0
    Failed to load 'boot.scr'
    Can't set block device
    ## Error: "main_cpsw0_qsgmii_phyinit" not defined
    37950546 bytes read in 574 ms (63.1 MiB/s)
    name_fit_config=conf-ti_k3-am625-sk.dtb
    ## Loading kernel from FIT Image at 90000000 ...
    Using 'conf-ti_k3-am625-sk.dtb' configuration
    Verifying Hash Integrity ... fit_config_verify_required_keys: No signature node found: FDTD
    Bad Data Hash
    ERROR: can't get kernel image!
    switch to partitions #0, OK
    mmc0(part 0) is current device
    Scanning mmc 0:1...
    MMC: no card present
    No EFI system partition
    No EFI system partition

    Thanks,

    Naresh.

  • Hi Naresh,

    That's good to know. You finally have the secure HSSE device.

    For the new issue, can you please create a new thread as the issue is different from the original issue of device conversion discussed in this thread. Also, this thread has already become long.

    Thanks!