AM625: Secure boot HS-SE

Part Number: AM625

Tool/software:

Hi,

I successfully used the otp writer to put the am625 into HS-SE mode. I did not use the default key and pem files (we generated our own):

aes256.key
bmek.key
bmpk.pem
smek.key
smpk.pem



1. Now, I need to enable the R5 secure boot and found this info:

https://software-dl.ti.com/mcu-plus-sdk/esd/AM62X/09_02_01_06/exports/docs/api_guide_am62x/SECURE_BOOT.html#autotoc_md190

In the devconfig.mak


DEVICE_TYPE?=GP

CUST_MPK=$(SIGNING_TOOL_PATH)/custMpk_am62x.pem
CUST_MEK=$(SIGNING_TOOL_PATH)/custMek_am62x.txt

I set it to:

DEVICE_TYPE?=HS

CUST_MPK=$(SIGNING_TOOL_PATH)/smpk.pem

The content of custMek_am62x.txt is c143f03568798964d4a5769bd5a27d3adc0d6bdd8f3cc47b84229e50a54ab043
I couldn't find the info on how to generate that hex value. Could you tell me how to convert the mek file into hex?

2. In the AM62x_Secure_SDK_v1.pdf file, the script gen_x509_combined_cert.sh was the tool for generating a signed tiboot3.bin.

Examples of usage:
# Example of generation a combined boot image
./gen_x509_combined_cert.sh -b u-boot-spl.bin -l 0x41c00000 -s ti-sci-firmware-j7200-gp-vlab.bin -m 0x40000 -d combined-cfg.bin -n 0x7f000 -o tiboot3.bin

# Example of generation of a split boardcfg image for use with DM firmware
./gen_x509_combined_cert.sh -b u-boot-spl.bin -l 0x41c00000 -s ti-fs-firmware-j7200-gp.bin -m 0x40000 -d combined-tifs-cfg.bin -n 0x7f000 -t out/soc/j7200/evm/combined-dm-cfg.bin -y 0x41c80000 -k ti-degenerate-key.pem -o tiboot3.bin

Do I need to use that script to generate a signed HS-SE tiboot3.bin? If yes,

1. Could you give me the correct parameters to pass ti-sci-firmware-am64x-hs-cert.bin, ti-sci-firmware-am64x-hs-enc.bin?

2. Are the addresses in the examples the same addresses for am62x?

If no, should I use the tiboot3.bin image produced by u-boot and just sign it using the script secure-binary-image.sh?

I might be missing something, please send me more references.

Regards,

John Tobias


./secure-rom-boot-image.sh -b u-boot-spl.bin -l 0x41c00000 -s ti-sci-firmware-j7200-gp-vlab.bin -m 0x40000 -d combined-cfg.bin -n 0x7f000 -o tiboot3.bin