
AM6422: AM64 HS-FS to HS-SE conversion using Secondary and Backup keys

Part Number: AM6422

Hi everyone,

We are trying to write secondary as well as backup keys in our AM64xx-based device to convert it from HS-FS to HS-SE.

I am using the sbl_keywriter addon (SDK 9.0) and the gen_keywr_cert.sh script to generate the keywriter binary as well as the certificate.

When using only secondary keys (SMPK, SMEK) everything seems to work just fine.

When adding backup keys (leading to the dual signed certificate) the keywriter/tisci reports an error (KEYWR_ERR_INTERAL_OP):

Keywriter Debug Response:0x20 

I am using the following call to generate the keywriter certificate (from the sbl_keywriter SDK addon):

./gen_keywr_cert.sh -t tifek/ti_fek_public.pem -s keys_devel/smpk.pem --smek keys_devel/smek.key -b keys_devel/bmpk.pem --bmek keys_devel/bmek.key --keyrev 1 --keycnt 2

I also tried the suggested single shot certificate generation calls like:

./gen_keywr_cert.sh -t tifek/ti_fek_public.pem --msv 0xC0FFE --sr-sbl 1 --sr-sysfw 1 --sr-sysfw-ovrd --sr-sbl-ovrd --sr-bcfg 1 --sr-bcfg-ovrd -b keys_devel/bmpk.pem --bmek keys_devel/bmek.key -s keys_devel/smpk.pem --smek keys_devel/smek.key --keycnt 2 --keyrev 1

Or with default keys:

./gen_keywr_cert.sh -t tifek/ti_fek_public.pem --msv 0xC0FFE --sr-sbl 1 --sr-sysfw 1 --sr-sysfw-ovrd --sr-sbl-ovrd --sr-bcfg 1 --sr-bcfg-ovrd -b-def --bmek-def -s-def --smek-def --keycnt 2 --keyrev 1

The error remains the same.

Is there anything missing from the docs and/or the certificate generation script?

We are about to write keys in multiple devices sent to customers and would like to deliver them with backup keys in place.

Can anyone help?

Thanks a lot!

Stefan

  • Hi Stefan,

    What is the OpenSSL version you are using?

    Please make sure the OpenSSL version is 1.1.x only

    ❯ openssl version
    OpenSSL 1.1.1v  1 Aug 2023

    Regards,

    Prashant

  • Hi Prashant,

    Thanks for pointing this out; this fixed my issue (I was using OpenSSL 3.0.x for testing).

    As we are implementing the certificate generation in our own system (Python-based, using cryptography), I checked the differences.

    The only relevant difference between OpenSSL 1.1.1 and 3.0.x in this case seems to be the default subjectKeyIdentifier extension.

    When removing the extension I get the same result as in OpenSSL 1.1.1.

    So please consider just disabling the subjectKeyIdentifier extension in the OpenSSL templates in the keywriter addon.

    This can be done by adding this line to the extension section of the two config file templates:

    subjectKeyIdentifier = none

    Thanks for your help.

    Regards

    Stefan
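A pre-flight check of the kind Stefan's finding implies, added here as an example and not code from the thread, from the keywriter addon, or from the cryptography library: a stdlib-only DER walker that reports the OIDs leading each SEQUENCE in a DER blob and flags whether the subjectKeyIdentifier extension (OID 2.5.29.14) is present, so a generated certificate can be inspected before it is handed to the keywriter. The Extensions block it is run on is constructed inline (the 20-byte key identifier is a dummy); `extension_oids`, `has_subject_key_identifier` and `build_extensions` are names chosen for this example.

```python
"""Check a DER-encoded X.509 structure for the subjectKeyIdentifier extension.

Stdlib only; walks ASN.1 TLVs without a full X.509 parser. Any OID found in
the first position of a SEQUENCE is reported, which covers the
Extension ::= SEQUENCE { extnID OBJECT IDENTIFIER, ... } shape.
"""

SKI_OID = "2.5.29.14"                # subjectKeyIdentifier
BASIC_CONSTRAINTS_OID = "2.5.29.19"  # basicConstraints


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                # long-form length: next n bytes hold it
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def _decode_oid(body):
    """Decode OBJECT IDENTIFIER contents to dotted form (base-128 arcs)."""
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def extension_oids(der):
    """Collect every OID that is the first element of a constructed node."""
    found = []

    def walk(buf):
        pos, first = 0, True
        while pos < len(buf):
            tag, val, pos = _read_tlv(buf, pos)
            if tag == 0x06 and first:
                found.append(_decode_oid(val))
            first = False
            if tag & 0x20:           # constructed (SEQUENCE, SET, [n] EXPLICIT)
                walk(val)

    walk(der)
    return found


def has_subject_key_identifier(der):
    return SKI_OID in extension_oids(der)


# --- constructed sample input (not a real certificate) ---------------------

def _tlv(tag, body):
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytes([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk = bytes([0x80 | (arc & 0x7F)]) + chunk
            arc >>= 7
        out += chunk
    return out


def build_extensions(include_ski):
    """Constructed X.509v3 Extensions block, wrapped as [3] EXPLICIT."""
    exts = []
    if include_ski:
        key_id = _tlv(0x04, bytes(20))   # dummy 20-byte key identifier
        exts.append(_tlv(0x30, _tlv(0x06, _encode_oid(SKI_OID)) + _tlv(0x04, key_id)))
    bc = _tlv(0x30, _tlv(0x01, b"\xff"))  # BasicConstraints { cA TRUE }
    exts.append(_tlv(0x30, _tlv(0x06, _encode_oid(BASIC_CONSTRAINTS_OID))
                     + _tlv(0x01, b"\xff") + _tlv(0x04, bc)))
    return _tlv(0xA3, _tlv(0x30, b"".join(exts)))


if __name__ == "__main__":
    for flag in (True, False):
        blob = build_extensions(flag)
        print(extension_oids(blob), "SKI present:", has_subject_key_identifier(blob))
```

To inspect a real certificate, pass its DER bytes to `has_subject_key_identifier` (a PEM file needs its base64 body decoded first); a `True` result on a keywriter certificate produced with OpenSSL 3.x is the condition Stefan describes, and `subjectKeyIdentifier = none` in the config template is the fix.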

  • Hi Stefan,

    Thanks for the suggestion.

    The next OTP Keywriter releases will move to using the OpenSSL v3.x.x.

    Regards,

    Prashant