• State Resolved
  • Locked Locked
  • Replies 7 replies
  • Answers 1 answer
  • Subscribers 98 subscribers
  • Views 299 views
  • Users 0 members are here
Support feedback
Options
Options
Related

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

PROCESSOR-SDK-J784S4: Doubts in customized SBL image with security added

Jaime Jimenez
Prodigy 80 points
Part Number: PROCESSOR-SDK-J784S4

Tool/software:

Hello TI experts,

I have successfully generated some SBL images using the SDK (RTOS variant) V10.00.00.27 for GP and HS after an extensive reading through all the documentation, however, i still have some doubts for HS which i couldn't really clarify with the current documentation, so i would like your support with the following questions:

1-Which file between "sbl_ing.mk" and "sbl_component.mk" i should use to configure the image accordingly (after checking them seems like "sbl_component.mk" make use of "sbl_ing.mk")?

2-Regarding the "boardConfig", how is this file generated and where is located in the SDK?

3-Is the "x509 certificate" automatically generated during the generation of the SBL HS image (i saw a relation through common.mk file) or this is something that i should run apart manually running the x509CertificateGen script?

4-What is the correct way to run this "x509CertificateGen.sh" script (maybe a specific command with some arguments or just "./x509CertificateGen.sh" would be enough)?

5-Once triggered the script, where would be the output x509 certificate located and which name/extension it would have?

6-Does this x509CertificateGen script also encrypts and signs the HS image (and also the configBoard) or just generates the x509 certificate?

7-What determines if a "non-encrypted" vs "encrypted" SBL HS bin image is needed or this is just up to client requirements?

8-I noticed we can also create the x509 certificate through OpenSSL, so, what is the difference between using this method and the x509CertificateGen script?

9-Could you please share me the updated steps applicable for SDK-RTOS V10.00.00.27 to encrypt/compile the HS generated image (steps in PDK 5.2.6.3 doc seems to be outdated)?

10-Could you please also share me the steps applicable for SDK-RTOS V10.00.00.27 to sign the HS generated image? Do these apply also to sign the boardConfig?

Many thanks for your support! Slight smile

  • 0
    TI__Guru 56185 points

    Hi Jaime,

    Allow me some time to consolidate my answer , will respond you within 2 days.

    Regards
    Diwakar

  • 0 in reply to Diwakar Dhyani
    Prodigy 80 points

    Hello Diwakar!

    Sure, appreciate your support.

    Slight smile

  • 0 in reply to Jaime Jimenez
    TI__Guru 56185 points

    Hi Jaime,

    Jaime Jimenez said:
    1-Which file between "sbl_ing.mk" and "sbl_component.mk" i should use to configure the image accordingly (after checking them seems like "sbl_component.mk" make use of "sbl_ing.mk")?

    Can you elaborate more on this , what kind of changes you are expecting ?

    Jaime Jimenez said:

    2-Regarding the "boardConfig", how is this file generated and where is located in the SDK?

    Boardconfig file can be found at <RTOS_SDK>/<pdk>/packages/ti/drv/sciclient/soc/V6/

    when you build the board config, .c file gets compiled and get converted to .h format which is nothing but a binary in c array format.

    Jaime Jimenez said:
    3-Is the "x509 certificate" automatically generated during the generation of the SBL HS image (i saw a relation through common.mk file) or this is something that i should run apart manually running the x509CertificateGen script?

    When we build the sbl for HS device the build infra make use of x509CertificateGen.sh script to sign the SBL image.You can have a look at common.mk file for the same.

    Jaime Jimenez said:
    4-What is the correct way to run this "x509CertificateGen.sh" script (maybe a specific command with some arguments or just "./x509CertificateGen.sh" would be enough)?

    Please run x509CertificateGen.sh  to see the usage.

    Jaime Jimenez said:

    5-Once triggered the script, where would be the output x509 certificate located and which name/extension it would have?

    When you build the sbl for hs device you will get the signed binary at location: RTOS_SDK/packages/ti/boot/sbl/binary/<board>_evm_hs

    intermediate file like certificate will be get removed at the end of the script execution after concatenating it with binary.

     

    Jaime Jimenez said:

    6-Does this x509CertificateGen script also encrypts and signs the HS image (and also the configBoard) or just generates the x509 certificate?

    Current PDK build infra will only sign the image not encrypting it for better boot performance, though you can also do the encryption using same script.

    Jaime Jimenez said:

    7-What determines if a "non-encrypted" vs "encrypted" SBL HS bin image is needed or this is just up to client requirements?

    It depends on the customer what they want.PDK does support both sign or encrypted + sign.

    Jaime Jimenez said:

    8-I noticed we can also create the x509 certificate through OpenSSL, so, what is the difference between using this method and the x509CertificateGen script?

    x509CertificateGen.sh script make use of opensll command only, the script just provide ease of use.

    Jaime Jimenez said:
    9-Could you please share me the updated steps applicable for SDK-RTOS V10.00.00.27 to encrypt/compile the HS generated image (steps in PDK 5.2.6.3 doc seems to be outdated)?

    Please go though the app not to encrypt the image:https://www.google.com/url?sa=t&source=web&rct=j&opi=89978449&url=https://www.ti.com/lit/pdf/sprad04&ved=2ahUKEwi-6ZaqqIOJAxVJe2wGHVtKMscQFnoECBQQAQ&usg=AOvVaw2EnOf5MXjIhegsGhkOzwJh

    Jaime Jimenez said:
    10-Could you please also share me the steps applicable for SDK-RTOS V10.00.00.27 to sign the HS generated image? Do these apply also to sign the boardConfig?

    Build infra of  the PDK already taking care of signing board config, 

    These are signed board config 

    Suggested to go through x509CertificateGen.sh script to understand the signing mechanism in detail.

    Regards
    Diwakar 

  • 0 in reply to Diwakar Dhyani
    Prodigy 80 points

    Thanks for the answers Diwakar, after checking them such as the documentation you shared me, i have some additional follow doubts:

    1-I was not able to locate in common.mk nor in x509CertificateGen files where the boardConfig and TIFS images are generated and signed, however the SDK seems to provide these images signed by default by the TI Dummy keys, the question is in case i need to modify something and re-generate/re-sign these images, what should be the process?

    2-I noticed that there is another script called "fimwareHeaderGen", is this the one used to re-generate TIFS/boardConfig (or SYSFW)? could you provide me more information about this and an example of its usage?

    3-I would like to obtain more information about the UID (mentioned after HS image is generated), what is this ID purpose (i suppose is unique per device) and how can i modify it if needed (i suppose is calculated somehow according to some parameters)?

    4-What is the process and in which file i can update/modify the pinmux/gpio layout? (this in case i want to generate the images for a diff customized hw which is not the EVM but also using the same SoC)

    I will be pending to your answers.

    Slight smile

  • 0 in reply to Jaime Jimenez
    TI__Guru 56185 points

    Hi Jaime

    Jaime Jimenez said:
    1-I was not able to locate in common.mk nor in x509CertificateGen files where the boardConfig and TIFS images are generated and signed, however the SDK seems to provide these images signed by default by the TI Dummy keys, the question is in case i need to modify something and re-generate/re-sign these images, what should be the process?

    You are not able to find the file at this location ?

    Jaime Jimenez said:
    2-I noticed that there is another script called "fimwareHeaderGen", is this the one used to re-generate TIFS/boardConfig (or SYSFW)? could you provide me more information about this and an example of its usage?

     "fimwareHeaderGen" is used to generate the final tifs bin from the signed and encrypted tifs binary. for detail on the usage you can look at the "sysfw_migrate.sh" script 

    Jaime Jimenez said:
    3-I would like to obtain more information about the UID (mentioned after HS image is generated), what is this ID purpose (i suppose is unique per device) and how can i modify it if needed (i suppose is calculated somehow according to some parameters)?

    SOC UID is a device unique device id genrated by the ROM and can be obtain from the UART string or using TISCI API.

    You can't modify this value as it is calculated by ROM.

    Jaime Jimenez said:
    4-What is the process and in which file i can update/modify the pinmux/gpio layout? (this in case i want to generate the images for a diff customized hw which is not the EVM but also using the same SoC)

    I would suggest you raise new thread for this, so that relevant expert can reply on this.

    Regards
    Diwakar

  • 0 in reply to Diwakar Dhyani
    Prodigy 80 points

    Regarding my question number 1:

    Yes, i have the common.mk file available, but rephrasing my question: how can i re-generate and sign/encrypt the tifs and boardConfig images with different keys (not the TI dummy ones)? Is there a command or script for this? (sorry but this part is still not clear to me...)

    Additional question:

    So far, the process i have followed for HS with RTOS SDK has generated me this corresponding image for SBL for R5 Core in MCU domain, what if i also need to initialize MAIN domain (A72), should i generate a different image or to follow an additional process for this (this still using the RTOS SDK not the LINUX SDK)?

    Thanks for your patience! 

  • +1 in reply to Jaime Jimenez
    TI__Guru 56185 points

    Hi Jaime

    Jaime Jimenez said:
    how can i re-generate and sign/encrypt the tifs

    TIFS comes as a part of TI delivery, encrypted TIFS with TI MEK key and  signed certificate with TI MPK key are delivered by the TI as a part of SDK. Customer just need to sign the outer certificate of it using root trust keys. For this you can make use of fimwareHeaderGen.sh script.

    Jaime Jimenez said:
    boardConfig images with different keys

    Keys are exported inside platform.mk file 

    You just need to keep your root trust keys at the same location(/ti/build/makerules/), rest of the thing will be taken care by the build infra. This is just for the development purpose ideally you will sign the image using some secure HSM server, so that keys will not get exposed.

    Jaime Jimenez said:
    Is there a command or script for this?

    As said earlier to sign  tifs inner certificate with root trust keys you will make use of fimwareHeaderGen.sh and other component like SBL,BOARDCFG,APP image get signed using  x509CertificateGen.sh script.

    Jaime Jimenez said:
    So far, the process i have followed for HS with RTOS SDK has generated me this corresponding image for SBL for R5 Core in MCU domain, what if i also need to initialize MAIN domain (A72), should i generate a different image or to follow an additional process for this (this still using the RTOS SDK not the LINUX SDK)?

    Can you help me understand your boot flow, all the information is part of SDK documentation.If you are using combined app image you need to sigen that using  x509CertificateGen.sh  script.

    Regards
    Diwakar