PROCESSOR-SDK-AM64X: Questions about custMpk signing to u-boot

Prodigy 130 points

Part Number: PROCESSOR-SDK-AM64X
Other Parts Discussed in Thread: TMDS64EVM

Hi support,

I rewrote [u-boot-dir]/board/ti/keys/custMpk.pem with the openssl command. After that, I bitbake with yocto.

Please tell me about the following questions.

1. Are tiboot3.bin, tispl.bin and u-boot.img signed with custMpk.pem?

2. Should I only rewrite [u-boot-dir]/board/ti/keys/*.pem? Do I not need to rewrite *.crt and *.key?

3.I rewrote custMpk.pem, but the verification is successful. Isn't the verification successful unless it is the TI default custMpk.pem?

The environment is as follows:

TMDS64EVM and PSDK version 9.0.0.3.

I have referred to the following thread but I cannot access it.

https://e2e.ti.com/e2eprivate/processors-security/processsors_security_support/f/processsors-security-support---forum/1287831/am625-compiling-with-custom-keys-in-yocto-build

e2e.ti.com/.../am625-secure-boot-and-compiling

Regards,

over 1 year ago

0 Prashant Shivhare over 1 year ago

TI__Guru 69061 points

Hi TO,

TO said:
1. Are tiboot3.bin, tispl.bin and u-boot.img signed with custMpk.pem?

Yes, this is correct.

TO said:
2. Should I only rewrite [u-boot-dir]/board/ti/keys/*.pem? Do I not need to rewrite *.crt and *.key?

Please refer: https://e2e.ti.com/support/processors-group/processors/f/processors-forum/1294191/am625-what-is-the-function-of-custmpk-crt-file-how-to-generate-this-file-using-customer-own-key

TO said:
3.I rewrote custMpk.pem, but the verification is successful. Isn't the verification successful unless it is the TI default custMpk.pem?

On HSSE devices, the authentication is only successful if the images are signed with the keys programmed in the e-fuses.

Regards,

Prashant

0 TO over 1 year ago in reply to Prashant Shivhare

Prodigy 130 points

Hi Prashant,

Thank you for your support.

>> Please refer: https://e2e.ti.com/support/processors-group/processors/f/processors-forum/1294191/am625-what-is-the-function-of-custmpk-crt-file-how-to-generate-this-file-using-customer-own-key

I checked the URL.
Does that mean I need to rewrite the .crt and .pem files?

>>On HSSE devices, the authentication is only successful if the images are signed with the keys programmed in the e-fuses.

What about HS-FS devices?
Will validation succeed for binaries signed with the new CustMpk?

I would like to use the following site as a reference, so please give me permission to access it.

https://e2e.ti.com/e2eprivate/processors-security/processsors_security_support/f/processsors-security-support---forum/1287831/am625-compiling-with-custom-keys-in-yocto-build

e2e.ti.com/.../am625-secure-boot-and-compiling

Regards,

0 Prashant Shivhare over 1 year ago in reply to TO

TI__Guru 69061 points

Hi TO,

TO said:
Does that mean I need to rewrite the .crt and .pem files?

Yes, this is correct.

TO said:
Will validation succeed for binaries signed with the new CustMpk?

For HSFS devices, the authentication process is shortened to only doing the integrity checks so the images signed with any key will pass the authentication. Please note the HSFS devices, by design, are not meant for secure booting so this is not a problem. The HSSE devices must be used for full secure boot.

TO said:
I would like to use the following site as a reference, so please give me permission to access it.

I have requested the access for you. You should get an invite to join the forum by EOD.

Regards,

Prashant

0 Prashant Shivhare over 1 year ago in reply to Prashant Shivhare

TI__Guru 69061 points

Hi TO,

Those two other E2Es have been made public so you should be able to access now

(+) AM625: Compiling with Custom Keys in Yocto Build - Processors forum - Processors - TI E2E support forums

(+) AM625: Secure Boot and Compiling - Processors forum - Processors - TI E2E support forums

Regards,

Prashant

0 TO over 1 year ago in reply to Prashant Shivhare

Prodigy 130 points

Hi Prashant,

Thank you for your support.

I was able to access the URL. thank you.

Regard,