• State Resolved
  • Locked Locked
  • Replies 7 replies
  • Answers 1 answer
  • Subscribers 99 subscribers
  • Views 471 views
  • Users 0 members are here
Support feedback
Options
Options
Related

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

Original question:

PROCESSOR-SDK-AM64X: How to sign files using customer key in SDK9.0?

SK-AM62B: Secure Boot Clarifications

Matthew Vernon
Prodigy 100 points
Part Number: SK-AM62B

Tool/software:

I have successfully written keys to a SK-AM62B development board using keys that I have generated. I have also integrated the SMPK into a yocto build (SDK 9) for signed boot images. The board does not come up except in serial boot mode and I am unable to load a bootloader in that mode. I have tried booting my new images from eMMC and SD card with either no output on serial ports or a triangle character.

Specific questions:

  1. What does a secure boot failure look like? Is there a way to differentiate signature failure from other bootloader failures?
  2. I have written SMEK. Does the bootloader need to be encrypted in order to boot? From other posts it sounds like an unencrypted binary will still boot?
  3. Is there a way to test the tiboot3 image to validate that it is correctly signed?
  4. Are there any recommended next steps in troubleshooting this?

This is urgent as I need to deliver signed images and keywriter to the factory soon.

  • 0
    Prodigy 100 points

    I believe that I have found answers to a few of my questions:

    1. Secure boot failure outputs nothing to the serial port
    2. An unencrypted image will boot correctly even if encryption keys are written

    Additionally I have found that the SDK produces multiple images and that the variable SYSFW_SUFFIX must be set to "hs" (note: not "hs-se") for the k3r5 build in order to select the signed images.

    I am hoping for question 3 that there is some way to extract the key hash from tiboot3 in order to verify the image before loading it to a device.

  • 0 in reply to Matthew Vernon
    TI__Guru 68210 points

    Have we captured the two logs from R5/M4 when running the OTP key programming?

  • 0 in reply to Hong Guan64
    Prodigy 100 points 

    0x4F8B0000
0x4F80001C
0x4003007
0x4400907
0x20800000
0x20800001
0x4F8A00FF
0x4F8B0001
0x4F80001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x420021
0x820024
0x40000C
0x800023
0x4F8A00FF
0x4F8B0001
0x4F80001C
0x420002
0x820024
0x4003007
0x4400907
FWL Bit  0x4
Exception addr  0x45B09000
FWL Exception  0x1008000
0x90000
0x400A78
0x0
0xFF923D4
0x8

0x4F8A0000
0x4F8B0000
0x4F80001C
0x4003007
0x4400907
0x20800000
0x20800001
0x4F8A00FF
0x4F8B0001
0x4F80001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x420021
0x820024
0x40000C
0x800023
0x4F8A00FF
0x4F8B0001
0x4F80001C
0x420002
0x820024
0x4003007
0x4400907
FWL Bit  0x4
Exception addr  0x45B09000
FWL Exception  0x1008000
0x90000
0x400A78
0x0
0xFF923D4
0x8

0x409031
0x800023
#
# Decrypting extensions..
#
MPK Options:  0x0
MEK Options:  0x0
MPK Opt P1:  0x0
MPK Opt P2:  0x0
MEK Opt   :  0x0
* SMPKH Part 1 BCH code: 6034e3f5

* SMPKH Part 2 BCH code: 40584524

* SMPK Hash (part-1,2):

55327281682de63ace8cfa2e31326394b20cdab8bb28031692dcede3ea6e0cfe00

ebe2228de6a7c45703ae57fc38ec1770a707a869dc3448bb3a8420ea4f6c4b2800

* SMEK BCH code: 20993d5f

* SMEK Hash: 9f1b5696c0d7e2213ebcaa6096e668389990a2d2308b1e2ae6a4d9351006246087e32155ffbb7fee949209012f74dbacab11e84e46a4e42c79abf6e0378bdaca

* BMPKH Part 1 BCH code: c0f85f85

* BMPKH Part 2 BCH code: 0096bcf5

* BMPK Hash (part-1,2):

ad929e3a8d6afddf45c69bad6e54dda4223a49dd47ead194afb307e544da69b200

208120952d77fcbff93f6cc0975c96c74ec7f8fe63c7d9732784b086577e081800

* BMEK BCH code: e007d412

* BMEK Hash: 511e1d80319e9c68fd265f0f545b9eb448d43bf0a4f926463f46ec3d852fe18d917886254c491021dded5e8e6583f1158027f5c18f5ae8c6e1fcae482f3356cc

EXT OTP extension programming disabled
* BCH code & MSV: fe0fac8b

* KEY CNT: 03030000

* KEY REV: 01010000

SWREV extension programming disabled

FW CFG REV extension programming disabled

* KEYWR VERSION:  0x20000

#
# Programming Keys..
#

* MSV:
[u32] bch + msv:  0x0
Programmed 2/2 rows successfully
[u32] bch + msv:  0x8BAC0FFE

* SWREV:
[u32] SWREV-SBL:  0x1
[u32] SWREV-SYSFW  :  0x1
SWREV extension programming disabled
[u32] SWREV-SBL:  0x1
[u32] SWREV-SYSFW  :  0x1

* FW CFG REV:
[u32] SWREV-FW-CFG-REV:  0x1
SWREV SEC BCFG extension programming disabled
[u32] SWREV-FW-CFG-REV:  0x1

* EXT OTP:
EXT OTP extension programming disabled

* BMPKH, BMEK:
Programmed 11/11 rows successfully
Programmed 2/2 rows successfully
Programmed 11/11 rows successfully
Programmed 2/2 rows successfully
Programmed 11/11 rows successfully
Programmed 2/2 rows successfully

* SMPKH, SMEK:
Programmed 11/11 rows successfully
Programmed 2/2 rows successfully
Programmed 11/11 rows successfully
Programmed 2/2 rows successfully
Programmed 11/11 rows successfully
Programmed 2/2 rows successfully

* KEYCNT:
[u32] keycnt:  0x0
Programmed 2/2 rows successfully
[u32] keycnt:  0x2

* KEYREV:
[u32] keyrev:  0x0
Programmed 2/2 rows successfully
[u32] keyrev:  0x1

    M4 serial output is detailed here.

  • 0
    Prodigy 100 points

    Update: I have gotten an image to boot. From the SDK using Yocto I had to change a couple of things to get the right image.

    I am still looking for answers to the numbered questions, and also a new question:

    5. What is the difference between the "hs" and "hs-fs" images? Is it correct that a "hs" image will not bot on a hs-fs device without keys written?

  • +1 in reply to Matthew Vernon
    TI__Guru 68210 points

    It is good to know you're able to secure boot the signed binary
    1/. Binary integrity check by ROM would fail on incorrectly signed binary, and user code doesn't boot at all
    2/. Binary encryption with SMEK is optional for secure boot
    3/. One option is booting it on target
    4/. Capture key programming log, log SoC_UID dump by ROM from UART booting on the converted HS-SE, and compare the SMPK-H from the two logs.
    5/. The two different TIFS binary are linked into the two tiboot3.bin for HS-SE vs HS-FS. The tiboot3.bin is not exchangeable for HS-SE vs HS-FS
    Best,
    -Hong

  • 0 in reply to Hong Guan64
    Prodigy 100 points

    For #3, since the x509 certificate is the first file in tiboot3.bin it is possible to examine the certificate with openssl:

    openssl x509 -noout -text -in tiboot3.bin

  • 0 in reply to Matthew Vernon
    TI__Guru 68210 points

    Yes, openssl is one of options to do x509 certificate operations offline.
    Best,
    -Hong