Hi Team,
I use the AM62X EVM and want to enable secure boot HS-SE with custom keys.
Moving forward with custom keys, these are my steps, attached below:
1. Generate a new set of keys:
./gen_keywr_cert.sh -g
2. In the keys folder:
aes256.key bmek.key bmpk.pem smek.key smpk.pem
3. Make the One Shot certificate, specifying SMPK as the certificate for secure boot
./gen_keywr_cert.sh -t tifek/ti_fek_public.pem -a keys/aes256.key --msv 0xC0FFE --bmpk keys/bmpk.pem -b-wp --bmek keys/bmek.key --bmek-wp --smpk keys/smpk.pem --smek keys/smek.key --keycnt 2 --keyrev 1
4. Output:
1… secondary_cert.bin
5… primary_cert.bin
7… ../../x509cert/final_certificate.bin
5. Convert the bin, produce the keycert.h:
python3 ~/ti/mcu_plus_sdk_am62x_09_01_00_39/tools/bin2c/bin2c.py final_certificate.bin keycert.h KEYCERT
6. Build the tiboot3.bin
ti-arm-clang$ make -sj clean PROFILE=debug
ti-arm-clang$ make -sj PROFILE=debug
7. Output:
ti-arm-clang/sbl_keywriter.debug.tiimage Done !!!
ti-arm-clang$ md5sum tiboot3.bin
db3eca1de8d2e0ccb811016691a265c8 tiboot3.bin
8. Install the custom signing key in the u-boot source tree, replacing the TI development key:
copy keys/smpk.pem to board/ti/keys/custMpk.pem
9. Rebuild u-boot, now signed with the new custom key.
Q1. Are these steps completed and valid?
Q2. Can the above steps sign and secure till u-boot?
Q3. If yes, how can I enable root of trust between u-boot and my FitImage.bin (fitimage contains fs, kernel..)?
Q4. When is the BMPK used? How can I test this?
Q5. Should I leave board/ti/keys/custMpk.crt and board/ti/keys/custMpk.key untouched?
Regards,
-RJ
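
A pre-flight check for step 8, added here as an example and not part of the original post or of TI's tooling: it confirms that the key placed in the u-boot tree carries the same public key as the SMPK given to `gen_keywr_cert.sh`, before anything is programmed. The function names are hypothetical, the default paths are the ones named in the post, and the SHA-512 fingerprint is used only to compare the two files (it is not claimed to be the value written to the fuses).

```shell
#!/bin/sh
# Added example. Assumes the openssl CLI is installed and that both files
# are unencrypted PEM private keys, as produced in steps 1 and 8 of the post.

# Print a SHA-512 fingerprint of the public half of a PEM private key.
# Returns non-zero when the file is unreadable or is not a private key.
pubkey_fingerprint() {
    key_file=$1
    [ -r "$key_file" ] || return 1
    der=$(mktemp) || return 1
    # Re-encode the public key as DER so PEM formatting differences
    # (PKCS#1 vs PKCS#8, line wrapping) do not affect the comparison.
    if ! openssl pkey -in "$key_file" -pubout -outform DER -out "$der" 2>/dev/null; then
        rm -f "$der"
        return 1
    fi
    openssl dgst -sha512 -r "$der" | cut -d' ' -f1
    rm -f "$der"
}

# Exit status: 0 = same public key, 1 = different keys, 2 = parse error.
same_signing_key() {
    fp_a=$(pubkey_fingerprint "$1") || return 2
    fp_b=$(pubkey_fingerprint "$2") || return 2
    [ "$fp_a" = "$fp_b" ]
}

# Human-readable wrapper using the paths from the post as defaults.
check_uboot_key() {
    smpk=${1:-keys/smpk.pem}
    uboot_key=${2:-board/ti/keys/custMpk.pem}
    rc=0
    same_signing_key "$smpk" "$uboot_key" || rc=$?
    case $rc in
        0) echo "MATCH: $uboot_key carries the same public key as $smpk" ;;
        1) echo "MISMATCH: $uboot_key is a different key than $smpk" ;;
        *) echo "ERROR: could not parse one of the key files" ;;
    esac
    return $rc
}

# Usage: check_uboot_key /path/to/keys/smpk.pem /path/to/u-boot/board/ti/keys/custMpk.pem
```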