Hi,
I successfully used the otp writer to put the am625 into HS-SE mode. I did not use the default key and pem files (we generated our own):
aes256.key
bmek.key
bmpk.pem
smek.key
smpk.pem
1. Now, I need to enable the R5 secure boot and found this info:
https://software-dl.ti.com/mcu-plus-sdk/esd/AM62X/09_02_01_06/exports/docs/api_guide_am62x/SECURE_BOOT.html#autotoc_md190
In the devconfig.mak
DEVICE_TYPE?=GP
DEVICE_TYPE?=HS
2. In the AM62x_Secure_SDK_v1.pdf file, the script gen_x509_combined_cert.sh was the tool for generating a signed tiboot3.bin.
Examples of usage:-
# Example of generation a combined boot image
./gen_x509_combined_cert.sh -b u-boot-spl.bin -l 0x41c00000 -s ti-sci-firmware-j7200-gp-vlab.bin -m 0x40000 -d combined-cfg.bin -n 0x7f000 -o tiboot3.bin
# Example of generation of a split boardcfg image for use with DM firmware
./gen_x509_combined_cert.sh -b u-boot-spl.bin -l 0x41c00000 -s ti-fs-firmware-j7200-gp.bin -m 0x40000 -d combined-tifs-cfg.bin -n 0x7f000 -t out/soc/j7200/evm/combined-dm-cfg.bin -y 0x41c80000 -k ti-degenerate-key.pem -o tiboot3.bin
Do I need to use that script to generate a signed HS-SE tiboot3.bin? If yes,
1. Could you give me the correct parameters to pass ti-sci-firmware-am64x-hs-cert.bin, ti-sci-firmware-am64x-hs-enc.bin?
2. Are the addresses in the examples the same addresses for am62x?
If no, should I use the tiboot3.bin produced by u-boot and just sign it using the script secure-binary-image.sh?
I might be missing something, please send me more references.
Regards,
John Tobias
./secure-rom-boot-image.sh -b u-boot-spl.bin -l 0x41c00000 -s ti-sci-firmware-j7200-gp-vlab.bin -m 0x40000 -d combined-cfg.bin -n 0x7f000 -o tiboot3.bin
Hi Prashant,
I was able to confirm the board is in HS-SE, thanks for the help!
U-Boot 2024.04-00050-g742ee77f9f-dirty (Oct 24 2024 - 17:17:37 -0700)
SoC: AM62X SR1.0 HS-SE
I have a follow-up question:
In "Extended Secure Boot Flow" of the document that I mentioned above,
section 3: A53 u-boot then loads, authenticates and executes Linux Kernel, DTBs
Do you have any info on where I can find out how to enforce that u-boot authenticates the Linux Kernel and DTBs?
Regards,
John
Do you have any info on where I can find out how to enforce that u-boot authenticates the Linux Kernel and DTBs?
It is done by default for HSSE devices. More information is available here: