PROCESSOR-SDK-AM64X: Can I delete --bmek keys/bmek.key and --smek keys/smek.key when making a oneshot program?

stephen zhang

Tool/software:

We use the following command to perform a oneshot program currently:
./gen_keywr_cert.sh -t tifek/ti_fek_public.pem -b keys/bmpk.pem --bmek keys/bmek.key -s keys/smpk.pem --smek keys/smek.key --keycnt 2 --keyrev 1

But our sign server only provide two rsa4096 key , so i want to remove --bmek keys/bmek.key and --smek keys/smek.key ,like the following:
./gen_keywr_cert.sh -t tifek/ti_fek_public.pem -b keys/bmpk.pem -s keys/smpk.pem --keycnt 2 --keyrev 1

Is it ok for this change？

7 months ago

0 Prashant Shivhare 7 months ago

TI__Guru 57231 points

Hello,

That is completely okay. It's just that you can't leverage the encrypted boot if you do not program the encryption keys.

0 stephen zhang 7 months ago in reply to Prashant Shivhare

Intellectual 320 points

https://e2e.ti.com/support/processors-group/processors/f/processors-forum/1309270/processor-sdk-am64x-how-to-sign-files-using-customer-key-in-sdk9-0/4982495?tisearch=e2e-sitesearch&keymatch=%2525252525252520user%252525252525253A565320#4982495

1. At the end of the link above，Hong said linux sdk now is not support encrypted boot ?

2. Does this mean that all images (tispl.bin, tiboot3.bin, u-boot.img, linux fitimage) do not support encrypted boot?

0 Prashant Shivhare 7 months ago in reply to stephen zhang

TI__Guru 57231 points

Hello,

Please note the following for the encryption keys:

Programmed => The encrypted boot is possible if the SDK supports it.
Not programmed => The encryption must not be used even if the SDK supports it.

At present, the Processor SDK does not support encrypting images but MCU+ SDK does. If really required, one may implement the encryption of the images in the Processor SDK & leverage encrypted boot if the encryption keys are programmed.

0 stephen zhang 7 months ago in reply to Prashant Shivhare

Intellectual 320 points

If supported, whether this feature（encrypted boot ） is on or off by default？

0 Prashant Shivhare 7 months ago in reply to stephen zhang

TI__Guru 57231 points

The ROM or TIFS decrypts an image as part of the authentication only if the encryption extension is found in the certificate.

https://software-dl.ti.com/tisci/esd/latest/2_tisci_msgs/security/sec_cert_format.html?highlight=x509#sysfw-encryption-ext

The image signed by the scripts in the PSDK will not have encryption extension since it doesn't support encryption while the MCU+ SDK has the following flags to control the encryption of the SBL & Application images.

Fullscreen

1
2
3
4
5
6
7
~/ti/mcu_plus_sdk/am64x/10_00_00_20
❯ grep -B1 "ENC.*ENABLED" -- devconfig/devconfig.mak
# Encryption option for application (yes/no)
ENC_ENABLED?=no
--
# Encryption option for SBL (yes/no)
ENC_SBL_ENABLED?=yes
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

~/ti/mcu_plus_sdk/am64x/10_00_00_20
❯ grep -B1 "ENC.*ENABLED" -- devconfig/devconfig.mak
# Encryption option for application (yes/no)
ENC_ENABLED?=no
--
# Encryption option for SBL (yes/no)
ENC_SBL_ENABLED?=yes

If the encryption keys are not programmed these must be set to NO.

0 stephen zhang 7 months ago in reply to Prashant Shivhare

Intellectual 320 points

thanks for your clear explanation.

Processors

Processors forum

PROCESSOR-SDK-AM64X: Can I delete --bmek keys/bmek.key and --smek keys/smek.key when making a oneshot program?