• State TI Thinks Resolved
  • Locked Locked
  • Replies 7 replies
  • Answers 2 answers
  • Subscribers 100 subscribers
  • Views 502 views
  • Users 0 members are here
Support feedback
Options
Options
Related

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

Original question:

处理器-SDK-AM64X:Is there any solution to use HSM for image signing (linux sdk)?

PROCESSOR-SDK-AM64X: In addition to burning the certificate into OTP, is there any other flexible debugging method that can make multiple attempts to test whether the OTP certificate is valid?

stephen zhang
Intellectual 390 points
Part Number: PROCESSOR-SDK-AM64X


Tool/software:

We want to test whether the bin file of the otp certificate is valid. Because this certificate bin file is generated by hsm, we may need multiple test attempts. We used an irreversible method to burn the otp certificate into the otp before, but this method is irreversible. If the certificate is wrong, the test hardware can only be discarded. So is there any other test method that can be tried multiple times?

  • 0
    TI__Guru 73611 points

    Hello,

    If the certificate is invalid, the TIFS would reject it & not program the OTP.

  • 0 in reply to Prashant Shivhare
    Intellectual 390 points

    But it seems that the certificate is indeed written in, is there any test method, instead of bricking the hardware?

  • 0 in reply to stephen zhang
    TI__Guru 73611 points
    stephen zhang said:
    But it seems that the certificate is indeed written in, is there any test method, instead of bricking the hardware?

    I am not sure how you confirm this.

    I have supported many queries about the keywriter failure originating from the following mistakes:

    • Integrating the keywriter with different MCU+ SDK version than the one recommended in the user guide.
    • Using the OpenSSL version other than the one mentioned in the user guide.
    • VPP not enabled.
    • Reprogramming an already programmed field.

    In all of these cases, the device remains intact & the failure could be overcome by correcting the mistakes.

  • 0 in reply to Prashant Shivhare
    Intellectual 390 points

    Thanks for your update,。

    Actually, my focus is on whether there is a testing method that can prevent the hardware from becoming bricked.

    The key and certificate I generated myself can be started. We are debugging the key and certificate generated by HSM. Because in order to be compatible with HSM, some content was modified in the script, resulting in the failure to bring in the backup key information when the final certificate was generated. As a result, a piece of hardware has been bricked. My colleague is debugging this script. But we don't want to waste hardware anymore, so I would like to ask if there are other test methods to prevent the hardware from being bricked.  NXP has a similar test method to prevent the hardware from being bricked.

  • 0 in reply to Prashant Shivhare
    Intellectual 390 points

    Starting Keywriting
    Enabled VPP
    keys Certificate found: 0x43c15380
    Keywriter Debug Response:0x100000
    Error occured...

    An error was reported when writing the certificate.

    • Integrating the keywriter with different MCU+ SDK version than the one recommended in the user guide.

    ----------------Using this version of mcu+sdk, the certificate I generated myself can be written in normally.

    • Using the OpenSSL version other than the one mentioned in the user guide.

              We are using openssl 3.x.x.

  • 0 in reply to stephen zhang
    Intellectual 390 points

    In addition, we removed the s/bmek option when generating the certificate.

  • 0 in reply to stephen zhang
    TI__Mastermind 27440 points

    Hi,

    Closing the thread, as there is no response for long. Feel free to ping back, if you want to continue discussion.

    Regards

    Ashwani