AM625: otp_keywriter_am62x-linux

Part Number: AM625

Tool/software:

Hello,

We got the otp_keywriter_am62x-linux-installer.run and according to the README:

NOTE: This package has been validated with MCU PLUS SDK 09_00_00 version.
It is recommended to install this package with MCU PLUS SDK 09_00_00 version.

We are using the latest sdk, mcu_plus_sdk_am62x_10_00_00_14. Where I can get the latest otp_keywriter?

Regards,

John Tobias

  • Hi John,

    That's the only AM62x OTP Keywriter version available & is recommended to be used with the mentioned MCU+ SDK version only. Please note the HSFS to HSSE conversion using OTP Keywriter is independent of the SDK version to be used for the development.

    So, you may use the available Keywriter version for the conversion & then use any SDK version for the development.

    Thanks!

  • Hi Prashant,

    I was using mcu_plus_sdk_am62x_09_00_00_19 and was able to compile the sbl_keywriter. I was trying to use the system uart1 for debugging, so I reconfigured it via sys-cfg, but I didn't see the logs.

    So, I tried the ipc_rpmsg_echo_linux to spit out the data in system uart and I was able to see the logs in the uart.

    The difference of the two is that the ipc_rpmsg_echo_linux is freertos and sbl_keywriter is nortos.

    In sbl_keywriter, I tried adding the RAT and it still didn't work. Could you help me understand what I am missing and why the system uart1 didn't work?

    Regards,

    John Tobias

  • ohh got the console working... 

  • ohh got the console working... 

    Hi, does this mean everything is working as expected?

  • Hi Prashant,

     

    I modified a bit. We don't use I2C for enabling VPP.

    I have a follow up question:

    1. The writer was using 2 UARTs for logging: UART0 for the R5 logs and UART1 for the M4 logs. I was seeing the logs of the two and I would like to use one UART for both.

    What I did in the sys config was remove CONFIG_UART1.

    Then:

    1.1 If I set (CONFIG_UART0) the "UART Instance" to USART0, it shows the R5 logs but no M4 logs

    1.2 If I set (CONFIG_UART0) the "UART Instance" to USART1, it shows the R5 and M4 logs

    I want to use the USART0 to show the R5 and M4 logs. Is that possible?

    2. I followed this:

    Then, load the image. I saw the logs:

    Starting Keywriting
    Enabled VPP
    Using keys Certificate found: 0x43c14900
    Keywriter Debug Response: 0x0
    Success Programming Keys

    3. Using OneShot

    Then, I ran this command and rebuilt the image.

    But, when I load the image (my serial log outputs R5 and M4 in UART1), it is rejecting it now.

    Starting Keywriting

    keywriter_setVpp

    Enabled VPP

    keys Certificate found: 0x43c12680

    0x409031
    0x800023
    #
    # Decrypting extensions..
    #
    MPK Options: 0x0
    MEK Options: 0x0
    MPK Opt P1: 0x0
    MPK Opt P2: 0x0
    MEK Opt : 0x0
    SMPKH extension programming disabled
    SMEK extension programming disabled
    EXT OTP extension programming disabled
    * BCH code & MSV: fe0fac8b

    KEY CNT extension programming disabled

    KEY REV extension programming disabled

    SWREV extension programming disabled

    FW CFG REV extension programming disabled

    * KEYWR VERSION: 0x20000

    #
    # Programming Keys..
    #

    * MSV:
    [u32] bch + msv: 0x8BAC0FFE
    Error: override not specified
    debug_response: 0x40000000
    Error in programming MSV
    debug_response: 0x42000000
    [u32] bch + msv: 0x8BAC0FFE

    * SWREV:
    [u32] SWREV-SBL: 0x1
    [u32] SWREV-SYSFW : 0x1
    SWREV extension programming disabled
    [u32] SWREV-SBL: 0x1
    [u32] SWREV-SYSFW : 0x1

    * FW CFG REV:
    [u32] SWREV-FW-CFG-REV: 0x1
    SWREV SEC BCFG extension programming disabled
    [u32] SWREV-FW-CFG-REV: 0x1

    * EXT OTP:
    EXT OTP extension programming disabled

    * BMPKH, BMEK:
    BMPKH extension programming disabled
    BMEK extension programming disabled

    * SMPKH, SMEK:
    SMPKH extension programming disabled
    SMEK extension programming disabled

    * KEYCNT:
    [u32] keycnt: 0x0
    KEY CNT extension programming disabled
    [u32] keycnt: 0x0

    * KEYREV:
    [u32] keyrev: 0x0
    KEY REV extension programming disabled
    [u32] keyrev: 0x0
    Keywriter Debug Response:0x42000000

    Error occured...

    Since, I ran #2, it doesn't mean I cannot do the Oneshot anymore?

    Regards,

    John

  • Hello,

    I want to use the USART0 to show the R5 and M4 logs. Is that possible?

    This is not possible. The TIFS always uses MAIN_UART1 port for UART logging.

    Since, I ran #2, it doesn't mean I cannot do the Oneshot anymore?

    Since you already programmed the MSV field, you should skip it for the oneshot procedure.

    Regards,

    Prashant

  • Hi Prashant,

    I have some follow-up questions. I ran the following commands (in order) before compiling the code:

    gen_keywr_cert.sh -g
    gen_keywr_cert.sh --msv 0xC0FFE -t tifek/ti_fek_public.pem
    cd ../../x509cert && python3 ../../../../../tools/bin2c/bin2c.py final_certificate.bin keycert.h KEYCERT


    Also, I ran:
    gen_keywr_cert.sh -t tifek/ti_fek_public.pem --msv 0xC0FFE -b keys_devel/bmpk.pem --bmek keys_devel/bmek.key -s keys_devel/smpk.pem --smek keys_devel/smek.key --keycnt 1 --keyrev 1


    As you noticed, the gen_keywr_cert.sh parameters --keycnt and --keyrev were 1. After executing the said command, I compiled the code.


    After loading the tiboot3.bin, I got the logs below. But, I've noticed that the keycnt and keyrev values are 0.

    Starting Keywriting

    keywriter_setVpp

    Enabled VPP

    Key Writer

    keys Certificate found: 0x43c12680

    0x409031
    0x800023
    #
    # Decrypting extensions..
    #
    MPK Options: 0x0
    MEK Options: 0x0
    MPK Opt P1: 0x0
    MPK Opt P2: 0x0
    MEK Opt : 0x0
    SMPKH extension programming disabled
    SMEK extension programming disabled
    EXT OTP extension programming disabled
    * BCH code & MSV: fe0fac8b

    KEY CNT extension programming disabled

    KEY REV extension programming disabled

    SWREV extension programming disabled

    FW CFG REV extension programming disabled

    * KEYWR VERSION: 0x20000

    #
    # Programming Keys..
    #

    * MSV:
    [u32] bch + msv: 0x0
    Programmed 2/2 rows successfully
    [u32] bch + msv: 0x8BAC0FFE

    * SWREV:
    [u32] SWREV-SBL: 0x1
    [u32] SWREV-SYSFW : 0x1
    SWREV extension programming disabled
    [u32] SWREV-SBL: 0x1
    [u32] SWREV-SYSFW : 0x1

    * FW CFG REV:
    [u32] SWREV-FW-CFG-REV: 0x1
    SWREV SEC BCFG extension programming disabled
    [u32] SWREV-FW-CFG-REV: 0x1

    * EXT OTP:
    EXT OTP extension programming disabled

    * BMPKH, BMEK:
    BMPKH extension programming disabled
    BMEK extension programming disabled

    * SMPKH, SMEK:
    SMPKH extension programming disabled
    SMEK extension programming disabled

    * KEYCNT:
    [u32] keycnt: 0x0
    KEY CNT extension programming disabled
    [u32] keycnt: 0x0

    * KEYREV:
    [u32] keyrev: 0x0
    KEY REV extension programming disabled
    [u32] keyrev: 0x0
    Keywriter Debug Response:0x0

    Success Programming Keys

    In the AM62X_OTP_Keywriter_User_Guide:

    • Each command in the table below results in a fresh boot of the device.
    • In other words, with each command we program certain fields, build a new keywriter app with a new certificate, and reboot the device.
    • Until the KEYREV value is set to either 1 or 2, the device is considered an HS-FS device, and key values can continue being programmed incrementally.
    • This allows key programming to be done in multiple passes.
    • However, once the KEYREV value is set to 1 or 2, the device becomes an HS-SE device, and the OTP keywriter application will no longer boot since the user root key has now taken over as the root of trust.
    • So, programming the KEYREV should be left to the final step.


    Also, 3.2.2:

    "After a reboot or a power on reset, the device will become an HS-SE device and enforce secure booting."


    3.2.2 Program Everything in One Shot


    ./gen_keywr_cert.sh -t tifek/ti_fek_public.pem --msv 0xC0FFE -b keys_devel/bmpk.pem --bmek keys_devel/bmek.key -s keys_devel/smpk.pem --smek keys_devel/smek.key --keycnt 2 --keyrev 1


    • Above is the example command given for programming multiple fields at once (in one boot).
    • The resulting certificate given will program the MSV, SMPK, SMEK, BMPK, BMEK, key count, and key revision all at once.
    • After a reboot or a power on reset, the device will become an HS-SE device and enforce secure booting.
    • One thing to keep in mind for this method is that the certificate should be less than 5400 bytes.
    • If the certificate does not fit within 5400 bytes, use the incremental method instead.
    • Additionally, if the extended OTP needs to be programmed via keywriter (for USB/PCIE VID/PID), make sure to program the extended OTP before converting the device to an HS-SE device.

    I want to set the device as HS-SE, meaning I have to set the KEYREV to 2 or 1. Could you tell me what I am missing?

    Regards,

    John

  • Hello,

    Please build the keywriter binary with the certificate generated by the command mentioned in the section "3.2.2 Program Everything in One Shot" for converting HSFS to HSSE.

    Regards,

    Prashant
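
An added example (not part of the thread and not TI code): a small parser for the keywriter UART log format shown in the posts above. It reports per field whether it was programmed, skipped or failed, and whether the KEYREV readback is a value the quoted user guide says makes the device HS-SE. The sample log is constructed from the thread's second log, and the function names are hypothetical.

```python
import re

# Constructed sample, trimmed from the "Programming Keys.." part of the thread's second log.
SAMPLE_LOG = """\
* MSV:
[u32] bch + msv: 0x0
Programmed 2/2 rows successfully
[u32] bch + msv: 0x8BAC0FFE

* KEYCNT:
[u32] keycnt: 0x0
KEY CNT extension programming disabled
[u32] keycnt: 0x0

* KEYREV:
[u32] keyrev: 0x0
KEY REV extension programming disabled
[u32] keyrev: 0x0
Keywriter Debug Response:0x0
"""

def summarize(log):
    """Return (fields, debug_response); fields maps name -> status and last readback."""
    fields, current, response = {}, None, None
    for line in (l.strip() for l in log.splitlines()):
        m = re.match(r"\* ([A-Z ,]+):$", line)          # e.g. "* KEYREV:" opens a field block
        if m:
            current = fields.setdefault(m.group(1), {"status": "unknown", "readback": None})
        elif (m := re.match(r"Keywriter Debug Response:\s*(0x[0-9a-fA-F]+)", line)):
            response = int(m.group(1), 16)
        elif current is None:
            continue                                    # still in the "Decrypting extensions" part
        elif (m := re.match(r"\[u32\] .*?:\s*(0x[0-9a-fA-F]+)", line)):
            current["readback"] = int(m.group(1), 16)   # last value printed in the block wins
        elif line.startswith("Error"):
            current["status"] = "error"
        elif re.match(r"Programmed (\d+)/\1 rows successfully", line):
            current["status"] = "programmed"
        elif line.endswith("extension programming disabled") and current["status"] == "unknown":
            current["status"] = "skipped"
    return fields, response

def will_be_hs_se(fields):
    """Per the user guide quoted in the thread, KEYREV 1 or 2 makes the device HS-SE."""
    return fields.get("KEYREV", {}).get("readback") in (1, 2)
```

On the sample, MSV is reported as programmed while KEYCNT and KEYREV are skipped with a readback of 0, so the certificate built into that image did not carry the key count and key revision extensions.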