- Ask a related questionWhat is a related question?A related question is a question created from another question. When the related question is created, it will be automatically linked to the original question.
Original question:
Hello,
I use the AM62X EVM and want to enable HS-SE with custom keys.
I was able to build the tiboot3.bin from the SDK and using the TI development keys. I have NOT run it on the board, so no eFuses are burnt yet.
Moving forward with custom keys, this are my steps:
# 1 Generate a new set of keys:
./gen_keywr_cert.sh -g
# 2 In the keys folder I get:
aes256.key bmek.key bmpk.pem smek.key smpk.pem
# 3 Make the One Shot certificate, specifying SMPK as the certificate for secure boot
./gen_keywr_cert.sh -t tifek/ti_fek_public.pem -a keys/aes256.key --msv 0xC0FFE --bmpk keys/bmpk.pem -b-wp --bmek keys/bmek.key --bmek-wp --smpk keys/smpk.pem --smek keys/smek.key --keycnt 2 --keyrev 1
# Output:
1668 secondary_cert.bin
5380 primary_cert.bin
7048 ../../x509cert/final_certificate.bin
# 4 Convert the bin, produce the keycert.h:
python3 ~/ti/mcu_plus_sdk_am62x_09_01_00_39/tools/bin2c/bin2c.py final_certificate.bin keycert.h KEYCERT
# 5 Build the tiboot3.bin
ti-arm-clang$ make -sj clean PROFILE=debug
ti-arm-clang$ make -sj PROFILE=debug
# Output:
ti-arm-clang/sbl_keywriter.debug.tiimage Done !!!
ti-arm-clang$ md5sum tiboot3.bin
db3eca1de8d2e0ccb811016691a265c8 tiboot3.bin
# 6 Install the custom signing key in the u-boot source tree, replacing the TI development key:
copy keys/smpk.pem to board/ti/keys/custMpk.pem
# 7 Rebuild u-boot, now signed with the new custom key.
# 8 The tiboot3.bin is loaded by dfu boot, it is executed and burning the eFuses.
# 9 After a board reset the CPU state is now HS-SE and only my new signed u-boot will execute.
Is this procedure complete and valid?
Additional questions:
Q1. Two sets of keys are loaded, my keyrev specifies 1 (SMPK). When is the BMPK used then?
Q2. Should I leave board/ti/keys/custMpk.crt and board/ti/keys/custMpk.key untouched?
Thanks and regards,
Lars
