AM6442: AM64 HS board keywriter and boot with TI dummy key.

Part Number: AM6442

Hi, 

The customer is developing an AM64 HS board with SDK 9.0.

Do we have any guide that tells the customer how to convert HS-FS to HS-SE with the TI dummy key?

Also there are two questions:

1. If we convert HS-FS to HS-SE with TI Dummy key, can we use these steps to compile tiboot3.bin, tispl.bin and uboot.img to boot on HS-SE?

https://software-dl.ti.com/processor-sdk-linux/esd/AM64X/09_00_00_03/exports/docs/linux/Foundational_Components/U-Boot/UG-General-Info.html

2. If we convert HS-FS to HS-SE with a customer key, how does the customer compile the boot image? Our user guide did not explain this part clearly.

3. There is no k3-image-gen or gen_x509_combined_cert.sh in SDK 9.0, but 8.6 does have them.

Regards

Zekun

  • Hi Zekun,

    Do we have any guide that tells the customer how to convert HS-FS to HS-SE with the TI dummy key?

    Please refer:

    https://dev.ti.com/tirex/explore/node?node=A__AS3CgfCcjaCa43aL5d-QJQ__AM64-ACADEMY__WI1KRXP__LATEST

    If we convert HS-FS to HS-SE with TI Dummy key, can we use these steps to compile tiboot3.bin tispl.bin uboot.img to boot on HS-SE?

    If TI dummy keys are used then no extra steps are needed as the SDK already contains and uses the same TI dummy keys for signing images for HSSE devices.

    2. If we convert HS-FS to HS-SE with a customer key, how does the customer compile the boot image? Our user guide did not explain this part clearly.

    The only change the customer would need to make is to integrate their custom keys in the SDK.

    • The keys are present at: <UBOOT_DIR>/board/ti/keys
    • Replace the custMpk.pem and custMpk.key with your keys.
    • Generate the custMpk.crt with the following command: openssl req -batch -new -x509 -key keys/dev.pem -out keys/dev.crt

    3. There is no k3-image-gen or gen_x509_combined_cert.sh in SDK 9.0, but 8.6 does have them.

    This has been deprecated from SDK v9.0. We now use Binman for signing images.

    Gitweb @ Texas Instruments - Open Source Git Repositories - git.TI.com/gitweb - ti-u-boot/ti-u-boot.git/commit

    Regards,

    Prashant

  • hi, Prashant

    I built the OTP writer image (tiboot3.bin), booted and ran it on the AM6442 EVM. It ran well, but the SoC is still HS-FS.

    I referred to: https://dev.ti.com/tirex/explore/node?node=A__AS3CgfCcjaCa43aL5d-QJQ__AM64-ACADEMY__WI1KRXP__LATEST

    The only difference was the command to generate the X509 certificate.

    The first time I used --> ./gen_keywr_cert.sh -t tifek/ti_fek_public.pem -s keys_devel/smpk.pem --smek keys_devel/smek.key

    All went well, but the SoC was still HS-FS (checked by parse_uart_boot_socid.py).

    The second time, I added the keycnt and keyrev parameters and built a new tiboot3.bin. That command was -->

    ./gen_keywr_cert.sh -t tifek/ti_fek_public.pem -s keys_devel/smpk.pem --smek keys_devel/smek.key --keycnt 1 --keyrev 1

    Unfortunately, updating the OTP failed. The logs from DMSC were:

    Error: override not specified

    debug_response:  0x40000000

    Error in programming SMPKH part 1

    debug_response:  0x40010000

    (1) I want to build an image with the TI dummy key. What exact command should I use?

    (2) What is the meaning of incremental programming, and how and when should keycnt and keyrev be set?

    In my opinion, I can update smpk & smek first with the first tiboot3.bin, then individually update bmpk & bmek with the second tiboot3.bin. Up to this point, the SoC is still HS-FS.

    At last I update keycnt & keyrev with the third tiboot3.bin. Now the SoC becomes HS-SE. Am I right?

  • Hi, Ronny

    Just one comment, now it is HS-SE, could you boot with images signed with TI Dummy key?

    Regards

    Zekun

  • The third question is how I can rescue the EVM board on which the OTP update failed.

  • >>At last I update keycnt&keyrev with the third tiboot3.bin.  Now the soc become HS-SE.  Am I right?

    What's the command to get the third tiboot3.bin?

  • hi, Zekun

    I tried the board with the images built with ti-process-sdk09.00.00.03/board-support/prebuilt-images/

    and built manually, referring to https://software-dl.ti.com/processor-sdk-linux/esd/AM64X/09_00_00_03/exports/docs/linux/Foundational_Components/U-Boot/UG-General-Info.html

    The logs were:

    U-Boot SPL 2023.04 (May 22 2024 - 15:21:42 +0800)

    [17:53:44.890]收←◆k3_system_controller sysctrler: k3_sysctrler_start: Boot Notification response failed. ret = -110 Firmware init failed on rproc (-110)

    resetting ...

    [17:53:52.986]收←◆ti_sci system-controller@44043000: ti_sci_get_response: Message receive failed. ret = -110

    [17:54:01.001]收←◆ti_sci system-controller@44043000: ti_sci_get_response: Message receive failed. ret = -110

    [17:54:09.017]收←◆ti_sci system-controller@44043000: ti_sci_get_response: Message receive failed. ret = -110

    no sysreset

    ### ERROR ### Please RESET the board ###

  • hi,Zekun

    "What's the command to get the third tiboot3.bin?" --- This was my question and my thinking about incremental programming; it is not the real action I did.

  • Hello,

    Let's start with identifying the device type. Please follow the below FAQ to check the device type

    [FAQ] [AM6XX]: How to check if device type is HS-SE, HS-FS or GP? - Processors forum - Processors - TI E2E support forums

    Regards,

    Prashant

  • hi, Prashant

    02000000011a0000616d3634780000000000000048534653000002000000020002a6000000000000b018658ad99dc903c8c9bfb27b12751099920a042ad1dfea7b7ba57369f15546de285edde6a7b39a8bdc40a27b237f8fb1e57f245e80b929c1e28b024aa2ecc6ad0bc40b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000361b7731678ef320b2c81e7fa70b33a8e9c251ddd7395dca8ca4585a31025ac3CC

  • Okay, so the SoC is still HSFS.

    Can you use the ./gen_keywr_cert.sh command as it is from the Academy guide to generate the certificate for TI dummy keys and try running the generated tiboot3.bin?

    Please share the error logs if you see any.
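The device-type check discussed above can be scripted. This is an added example, not part of the thread and not TI's parse_uart_boot_socid.py: the field layout and field names are assumptions read off the dump posted above, the "HSSE" type string is assumed by analogy with the "HSFS" bytes visible in that dump, and the sample dumps are constructed.

```python
import struct

# Layout assumed from the dump posted in this thread (little-endian):
# u32 block count, then a public block and a secure block, each led by id + size bytes.
PUB = struct.Struct("<BB2x12s4s8x")      # id, size, pad, SoC name, device type, ROM versions
SEC = struct.Struct("<BBHHH64s64s32s")   # id, size, prime, key rev, key count, 2 hashes, UID
DUMP_LEN = 4 + PUB.size + SEC.size       # 200 bytes

def parse_socid(hex_dump):
    """Decode a SoC ID hex dump captured from the boot UART into a dict."""
    text = "".join(hex_dump.split())
    if len(text) < 2 * DUMP_LEN:
        raise ValueError("truncated SoC ID dump")
    # Cut by length: the trailing 'C' characters in a capture are themselves valid hex.
    raw = bytes.fromhex(text[:2 * DUMP_LEN])
    (blocks,) = struct.unpack_from("<I", raw, 0)
    pid, psize, name, dev_type = PUB.unpack_from(raw, 4)
    sid, ssize, _prime, key_rev, key_count, _ti_hash, cust_hash, _uid = \
        SEC.unpack_from(raw, 4 + PUB.size)
    if (blocks, pid, psize, sid, ssize) != (2, 1, PUB.size - 2, 2, SEC.size - 2):
        raise ValueError("unexpected block headers")
    return {
        "name": name.rstrip(b"\0").decode("ascii"),
        "device_type": dev_type.rstrip(b"\0").decode("ascii"),
        "key_rev": key_rev,
        "key_count": key_count,
        "customer_key_hash_present": any(cust_hash),
    }

def check_device(hex_dump, expected_type):
    """Return a list of problems; an empty list means the dump matches expectations."""
    info = parse_socid(hex_dump)
    problems = []
    if info["device_type"] != expected_type:
        problems.append(f"device type is {info['device_type']}, expected {expected_type}")
    if expected_type == "HSSE" and not info["customer_key_hash_present"]:
        problems.append("HSSE expected but the customer key hash field is all zero")
    return problems

def sample_dump(dev_type, key_rev=0, key_count=0, cust_hash=bytes(64)):
    """Constructed dump for the demo; hash and ID fields hold placeholder bytes."""
    raw = struct.pack("<I", 2)
    raw += PUB.pack(1, PUB.size - 2, b"am64x", dev_type)
    raw += SEC.pack(2, SEC.size - 2, 0, key_rev, key_count, bytes(64), cust_hash, bytes(32))
    return raw.hex() + "CC"   # ends with 'C' characters, as the dump posted in this thread does

if __name__ == "__main__":
    fresh = sample_dump(b"HSFS")
    fused = sample_dump(b"HSSE", key_rev=1, key_count=2, cust_hash=bytes([0xA5]) * 64)
    print(parse_socid(fresh))
    print(check_device(fresh, "HSSE"))
    print(check_device(fused, "HSSE"))
```
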

  • OK, please check: the command to generate the certificate is

    ./gen_keywr_cert.sh -t tifek/ti_fek_public.pem --msv 0xC0FFE -b-def --bmek-def -s-def --smek-def --keycnt 2 --keyrev 1

    is that so? 

  • ./gen_keywr_cert.sh -t tifek/ti_fek_public.pem --msv 0xC0FFE -b-def --bmek-def -s-def --smek-def --keycnt 2 --keyrev 1

    Yes, this is the one.

  • hi, Prashant

    I have completed. 

  • This looks okay. Now, please run the generated tiboot3.bin.

  • There is some mistake. This board had been generated before, as I said above.

    R?x409031
    0x800023
    #
    # Decrypting extensions..
    #
    MPK Options: 0x0
    MEK Options: 0x0
    MPK Opt P1: 0x0
    MPK Opt P2: 0x0
    MEK Opt : 0x0
    * SMPKH Part 1 BCH code: e050cadb

    * SMPKH Part 2 BCH code: c099dd36

    * SMPK Hash (part-1,2):

    1f6002b07cd9b0b7c47d9ca8d1aae57b8e8784a12f636b2b760d7d98a18f189700

    60dfd0f23e2b0cb10ec7edc7c6edac3d9bdfefe0eddc3fff7fe9ad875195527d00

    * SMEK BCH code: a0c6de4e

    * SMEK Hash: 92785809a3dfefea57f6bbed642d730ba5d05e601222a72e815bf01ceb3a50f96ab85d282425f684436fabd4c7da624b791da411615035314103cc64e611f532

    * BMPKH Part 1 BCH code: c00807d5

    * BMPKH Part 2 BCH code: 60311e36

    * BMPK Hash (part-1,2):

    07b5fd6f33cdba0c745bcc07e50805639713ec517614eac89754da1138d24dac00

    5f1600a593b7100f0e1ca3c3a49e59b3622ab0651e08c0ffd2c88b04465cf7c900

    * BMEK BCH code: a0da286f

    * BMEK Hash: f5fbda1d62b46374de68e763ecd5a72227e7be73ca0d54a6d986ceb784b1bb0d06b6d95a8b399d421e41b7d3e7076220cd3992df255be068bd8924e86ae3a02d

    EXT OTP extension programming disabled
    * BCH code & MSV: fe0fac8b

    * KEY CNT: 03030000

    * KEY REV: 01010000

    SWREV extension programming disabled

    FW CFG REV extension programming disabled

    * KEYWR VERSION: 0x20000

    #
    # Programming Keys..
    #

    * MSV:
    [u32] bch + msv: 0x0
    Programmed 2/2 rows successfully
    [u32] bch + msv: 0x8BAC0FFE

    * SWREV:
    [u32] SWREV-SBL: 0x1
    [u32] SWREV-SYSFW : 0x1
    SWREV extension programming disabled
    [u32] SWREV-SBL: 0x1
    [u32] SWREV-SYSFW : 0x1

    * FW CFG REV:
    [u32] SWREV-FW-CFG-REV: 0x1
    SWREV SEC BCFG extension programming disabled
    [u32] SWREV-FW-CFG-REV: 0x1

    * EXT OTP:
    EXT OTP extension programming disabled

    * BMPKH, BMEK:
    Programmed 11/11 rows successfully
    Programmed 2/2 rows successfully
    Programmed 11/11 rows successfully
    Programmed 2/2 rows successfully
    Programmed 11/11 rows successfully
    Programmed 2/2 rows successfully

    * SMPKH, SMEK:
    Error: override not specified
    debug_response: 0x40000000
    Error in programming SMPKH part 1
    debug_response: 0x40010000

  • These logs suggest the MSV, SMPK/SMEK, & BMPK/BMEK have been programmed successfully.

    You can now use the following command to generate a new certificate that programs KEYCNT and KEYREV, effectively converting the device to HSSE.

    ./gen_keywr_cert.sh -t tifek/ti_fek_public.pem --keycnt 2 --keyrev 1

  • It seems well. I will check the status of SOC

    Starting Keywriting
    Enabled VPP
    keys Certificate found: 0x70042b00
    Keywriter Debug Response:0x0
    Success Programming Keys

    0x800023
    #
    # Decrypting extensions..
    #
    MPK Options: 0x0
    MEK Options: 0x0
    MPK Opt P1: 0x0
    MPK Opt P2: 0x0
    MEK Opt : 0x0
    SMPKH extension programming disabled
    SMEK extension programming disabled
    EXT OTP extension programming disabled
    MSV extension programming disabled

    * KEY CNT: 03030000

    * KEY REV: 01010000

    SWREV extension programming disabled

    FW CFG REV extension programming disabled

    * KEYWR VERSION: 0x20000

    #
    # Programming Keys..
    #

    * MSV:
    [u32] bch + msv: 0x8BAC0FFE
    MSV extension programming disabled
    [u32] bch + msv: 0x8BAC0FFE

    * SWREV:
    [u32] SWREV-SBL: 0x1
    [u32] SWREV-SYSFW : 0x1
    SWREV extension programming disabled
    [u32] SWREV-SBL: 0x1
    [u32] SWREV-SYSFW : 0x1

    * FW CFG REV:
    [u32] SWREV-FW-CFG-REV: 0x1
    SWREV SEC BCFG extension programming disabled
    [u32] SWREV-FW-CFG-REV: 0x1

    * EXT OTP:
    EXT OTP extension programming disabled

    * BMPKH, BMEK:
    BMPKH extension programming disabled
    BMEK extension programming disabled

    * SMPKH, SMEK:
    SMPKH extension programming disabled
    SMEK extension programming disabled

    * KEYCNT:
    [u32] keycnt: 0x0
    Programmed 2/2 rows successfully
    [u32] keycnt: 0x2

    * KEYREV:
    [u32] keyrev: 0x0
    Programmed 2/2 rows successfully
    [u32] keyrev: 0x8

  • hi,Prashant

      Good news. It is HS-SE  now.

      

      I will try the app (tiboot3.bin/tispl.bin/u-boot.img) built based on prebuilt-images

      

  • Sure. Let me know in case of any doubts.

  • hi, Prashant

    Thank you very much for the support. I still have some questions.

    (1) I generated two different certificates and two different tiboot3.bin, and at last converted the SoC from HS-FS to HS-SE.

    Is this the normal process? I mean, do all new SoCs need two images to become HS-SE on our manufacturing line?

    (2) I tried to run with the prebuilt images in the SDK on the EVM board, and that was OK.

    But when I ran with my images built referring to https://software-dl.ti.com/processor-sdk-linux/esd/AM64X/09_00_00_03/exports/docs/linux/Foundational_Components/U-Boot/UG-General-Info.html

    BINMAN_INDIRS=/board-support/prebuilt-images

    it failed. Logs below

    --------------------------------------------

    ti_sci system-controller@44043000: ti_sci_get_response: Message receive failed. ret = -110
    ti_sci system-controller@44043000: ti_sci_get_response: Message receive failed. ret = -110
    ti_sci system-controller@44043000: ti_sci_get_response: Message receive failed. ret = -110
    no sysreset
    ### ERROR ### Please RESET the board ###

    ---------------------------------------------

    I did not modify the keys (board-support/ti-u-boot/board/ti/keys), but it seems that the key used by the build is not the TI dummy key.

    What steps did I miss?

    (3) If we want to generate our own certificate and OTP Writer, what should we do?

    --1-->replace these files  here(source\security\sbl_keywriter\scripts\cert_gen\am64x\keys_devel\)

    --2-->and then use these two commands:

    #   ./gen_keywr_cert.sh -t tifek/ti_fek_public.pem --msv 0xC0FFE -b keys_devel/bmpk.pem  --bmek keys_devel/bmek.key -s keys_devel/smpk.pem --smek keys_devel/smek.key --keycnt 2 --keyrev 1

    #  ./gen_keywr_cert.sh -t tifek/ti_fek_public.pem --keycnt 2 --keyrev 1

    Is that so?

    (4) What is the exact meaning of incremental programming? Can I set SMPK alone, and set BMPK alone when we need to?

    What should we do?

    Thanks a lot

    BRs

    Ronny Cheng

  • Hello,

    1. No. You can use One Shot Programming to program everything at once. Please refer to the OTP Keywriter User Guide, section 3.2.2 Program Everything in One Shot.

    2. Please make sure you are booting the HSSE tiboot3.bin only.

    ❯ pwd
    /home/p-shivhare/ti/psdk/am64x/09.01.00.08
    ❯ /usr/bin/ls -l board-support/u-boot-build/r5/tiboot3-am64x_sr2-hs-evm.bin
    -rw-r--r-- 1 p-shivhare p-shivhare 529427 Apr 17 12:58 board-support/u-boot-build/r5/tiboot3-am64x_sr2-hs-evm.bin

    3. You should create a separate folder for your keys and give the paths to -s/--smek and -b/--bmek accordingly.

    4. The device is not converted into HSSE until the KEYREV is programmed. So, incremental programming means programming different fields except the KEYREV in different phases and at last programming the KEYREV to convert the HSFS to HSSE.

    This is what you did previously. You had first programmed SMPK/SMEK without programming any other field. So, the device was still HSFS. Then, you programmed MSV, BMPK/BMEK. At last, you programmed KEYCNT/KEYREV to convert the device from HSFS to HSSE.

    Regards,

    Prashant
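For incremental programming as described in the reply above, a manufacturing station can read the keywriter UART log to see which fields a given run actually programmed and whether that run programmed KEYREV. This is an added example, not part of the thread or of TI's tooling; the status names are hypothetical and the sample logs are constructed in the format of the logs posted here.

```python
import re

SECTION = re.compile(r"^\*\s+(.+?):$")          # e.g. "* KEYREV:"
ROWS = re.compile(r"^Programmed (\d+)/(\d+) rows successfully$")
RANK = {"untouched": 0, "disabled": 1, "programmed": 2, "partial": 3, "error": 4}

def keywriter_status(log):
    """Return {section: status} for the '# Programming Keys..' phase of a log."""
    status, current, programming = {}, None, False
    for line in (raw.strip() for raw in log.splitlines()):
        if line.startswith("# Programming Keys"):
            programming = True  # earlier "* ..." lines only echo the certificate
        elif programming and (m := SECTION.match(line)):
            current = m.group(1)
            status[current] = "untouched"
        elif programming and current:
            seen = "untouched"
            if line.startswith("Error"):
                seen = "error"
            elif (r := ROWS.match(line)):
                seen = "programmed" if r.group(1) == r.group(2) else "partial"
            elif line.endswith("extension programming disabled"):
                seen = "disabled"
            if RANK[seen] > RANK[status[current]]:
                status[current] = seen  # keep the worst outcome seen in the section
    return status

def converted_to_hsse(status):
    """Per the reply above, the device stays HSFS until KEYREV is programmed."""
    return status.get("KEYREV") == "programmed"

# Constructed sample logs in the format posted in this thread (not real captures).
FIRST_RUN = """\
* SMPK Hash (part-1,2):
# Programming Keys..
* BMPKH, BMEK:
Programmed 11/11 rows successfully
* SMPKH, SMEK:
Error: override not specified
"""
FINAL_RUN = """\
# Programming Keys..
* MSV:
MSV extension programming disabled
* KEYCNT:
Programmed 2/2 rows successfully
* KEYREV:
Programmed 2/2 rows successfully
"""

if __name__ == "__main__":
    for log in (FIRST_RUN, FINAL_RUN):
        print(keywriter_status(log), converted_to_hsse(keywriter_status(log)))
```

The log only describes one run, so the SoC ID dump remains the check of the resulting device type.
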

  • Hi, Prashant

    This is the basic flow I sorted out; please let me know if I have something wrong:

    Dummy key(SMEK and SMPK)

    • ./gen_keywr_cert.sh -t tifek/ti_fek_public.pem --msv 0xC0FFE -b-def --bmek-def -s-def --smek-def --keycnt 2 --keyrev 1
    • python3 ../../../../../tools/bin2c/bin2c.py final_certificate.bin keycert.h KEYCERT
    • Go to directory <MCU_PLUS_SDK_INSTALL_DIR>/source/security/sbl_keywriter/am64x-evm/r5fss0-0_nortos/ti-arm-clang
    • make -sj clean PROFILE=debug
    • make -sj PROFILE=debug

     

    Customer key(SMEK and SMPK)

    • ./gen_keywr_cert.sh -t tifek/ti_fek_public.pem --msv 0xC0FFE -s PATH-TO-SMPK --smek PATH-TO-SMEK --keycnt 1 --keyrev 1
    • python3 ../../../../../tools/bin2c/bin2c.py final_certificate.bin keycert.h KEYCERT
    • Go to directory <MCU_PLUS_SDK_INSTALL_DIR>/source/security/sbl_keywriter/am64x-evm/r5fss0-0_nortos/ti-arm-clang
    • make -sj clean PROFILE=debug
    • make -sj PROFILE=debug

     

    Customer key(SMEK and SMPK, SMPK, SMEK)

    • ./gen_keywr_cert.sh -t tifek/ti_fek_public.pem --msv 0xC0FFE -b PATH-TO-BMPK --bmek PATH-TO-BMEK -s PATH-TO-SMPK --smek PATH-TO-SMEK --keycnt 2 --keyrev 1
    • python3 ../../../../../tools/bin2c/bin2c.py final_certificate.bin keycert.h KEYCERT
    • Go to directory <MCU_PLUS_SDK_INSTALL_DIR>/source/security/sbl_keywriter/am64x-evm/r5fss0-0_nortos/ti-arm-clang
    • make -sj clean PROFILE=debug
    • make -sj PROFILE=debug

     

    Compile boot file with TI Dummy key

    • host# sudo apt-get install build-essential autoconf automake bison flex libssl-dev bc u-boot-tools swig python3 python3-pip
    • host# pip3 install jsonschema
    • host# pip3 install pyelftools
    • Go to the top level of the SDK in terminal and run the following command to build all boot binaries and files
    • make u-boot

    This will generate 3 target files of interest:

    • tiboot3-am64x-hs-evm.bin from <output directory>/r5
    • bin from <output directory>/a53
    • u-boot.img from <output directory>/a53
    • Copy those 3 files to the boot partition of the flashed SD card and overwrite the existing files.
    • Rename tiboot3-am64x-hs-evm.bin to tiboot3.bin and ensure that that is the only tiboot3.bin file on the SD card.

     

    Compile boot file with customer key

    • The keys are present at: <UBOOT_DIR>/board/ti/keys
    • Replace the custMpk.pem and custMpk.key with your keys.
    • Generate the custMpk.crt with the following command: openssl req -batch -new -x509 -key keys/dev.pem -out keys/dev.crt
    • Go to the top level of the SDK in terminal and run the following command to build all boot binaries and files
    • make u-boot
    • Copy those 3 files to the boot partition of the flashed SD card and overwrite the existing files.
    • Rename tiboot3-am64x-hs-evm.bin to tiboot3.bin and ensure that that is the only tiboot3.bin file on the SD card.

    Compile boot file with customer key, achieve extended HS boot(Kernel, dtb)

    • The keys are present at: <UBOOT_DIR>/board/ti/keys
    • Replace the custMpk.pem and custMpk.key with your keys.
    • Generate the custMpk.crt with the following command: openssl req -batch -new -x509 -key keys/dev.pem -out keys/dev.crt
    • Go to the top level of the SDK in terminal and run the following command to build all boot binaries and files
    • make linux
    • This will generate the customer key signed  kernel, DTB, replace the SD card.
    • make u-boot
    • Copy those 3 files to the boot partition of the flashed SD card and overwrite the existing files.
    • Rename tiboot3-am64x-hs-evm.bin to tiboot3.bin and ensure that that is the only tiboot3.bin file on the SD card.

    Regards

    Zekun

  • Hi Zekun,

    Everything looks good.

  • Thanks, Prashant.

    Regards

    Zekun