TDA4VH-Q1: How to Obtain the OTP keywriter add-on package?

hongyao.jin

Intellectual 720 points

Part Number: TDA4VH-Q1
Other Parts Discussed in Thread: TDA4VH

Tool/software:

TDA4VH

SDK 0900 linux+freertos

customer board

We want to debug a secure boot, first of all we want to convert our GP board to HS board via keywriter.

However, we know from the keywriter's documentation that "OTP keywriter add-on package" is required, how do we get it

8 days ago

0 Suman Anna 7 days ago

TI__Guru* 93775 points

Hi Hongyao,

hongyao.jin said:
However, we know from the keywriter's documentation that "OTP keywriter add-on package" is required, how do we get it

Yes, correct. The KeyWriter application is part of the PDK within the RTOS SDK and available in the folder, <ti-processor-sdk-rtos-j784s4-evm-10_00_00_05>/pdk_j784s4_10_00_00_27/packages/ti/boot/keywriter.

The build of this KeyWriter application does require the KeyWriter binary and the TI Public FEK from the "OTP keywriter Add-On package", which is not publicly available.

Please reach out to your corresponding Field Applications Engineer to request access for this. This would have to be done over email.

regards

Suman

0 hongyao.jin 7 days ago in reply to Suman Anna

Intellectual 720 points

We have got the "OTP keywriter add-on package". Next we need to generate the certificate, but we don't know how to use gen_keywr_cert.sh

In the help information of the gen_keywr_cert.sh, we see two ways to generate certificates. What is the difference between the two and which one should we use.

also, is it necessary to generate the key by run "./gen_keywr_cert.sh -h" ?

0 Suman Anna 7 days ago in reply to hongyao.jin

TI__Guru* 93775 points

Hi Hongyao,

hongyao.jin said:
In the help information of the gen_keywr_cert.sh, we see two ways to generate certificates. What is the difference between the two and which one should we use.

What two options are you talking about here? The gen_keywr_cert.sh is a shell script and performs a lot of different things based on the arguments provided to it. Please clarify.

hongyao.jin said:
also, is it necessary to generate the key by run "./gen_keywr_cert.sh -h" ?

This is the help command option. Do you mean the "./gen_keywr_cert.sh -g" option?

This is just a helper utility to generate some example/reference keys to use with the KeyWriter. The actual keys for production will typically be on your HSM Server, and you have to generate the certificate on your HSM server for the KeyWriter

regards

Suman

0 hongyao.jin 6 days ago in reply to Suman Anna

Intellectual 720 points

Suman Anna said:
What two options are you talking about here?

There are two ways to generate certificates in the example usage in gen_keywr_cert.sh. We don't understand the difference between the two, and which one we should use for testing is better

Suman Anna said:
Do you mean the "./gen_keywr_cert.sh -g" option?

yes

Suman Anna said:
The actual keys for production will typically be on your HSM Server

The actual key means that it is generated by ourselves, right? The HSM server you means is DMSC or tifs.bin, right?

0 hongyao.jin 6 days ago in reply to Suman Anna

Intellectual 720 points

At present, we are running keywriter_img_j784s4_release.tiimage through DFU mode, but the serial port of R5 and the serial port of M3 do not have any output, what is the possible reason?

0 hongyao.jin 6 days ago in reply to hongyao.jin

Intellectual 720 points

The MCU uart outputs a log with version information, but the M3 uart still does not have any output

0 Diwakar Dhyani 6 days ago in reply to hongyao.jin

TI__Mastermind 41290 points

hongyao.jin said:
The MCU uart outputs a log with version information, but the M3 uart still does not have any output

Have you downloaded the keywriter package ? If not please contact you local FAE for the same.

Regards
Diwakar

0 Suman Anna 6 days ago in reply to hongyao.jin

TI__Guru* 93775 points

Hi Hangyao,

hongyao.jin said:
There are two ways to generate certificates in the example usage in gen_keywr_cert.sh. We don't understand the difference between the two, and which one we should use for testing is better

These are just two examples, and your usage might vary. Please see the 4.17. OTP KEYWRITER section of the PDK documentation and Key Writer section of the TI-SCI documentation for further details.

The first example will program the SMPK, SMEK, BMPK and BMEK keys, but will not convert the device into a HS-SE since you are missing KEYREV and KEYCNT.

The second example is a bit more exhaustive example but the --sr-bcfg 16 --sr-sbl 16 --sr-sysfw 16 are all bogus values, so don't use this one as is. This will convert the HS-FS into a HS-SE device though, but you will not be able to boot using TI SDK binaries because of the bogus values.

I would recommend that you start with the most trivial one that only programs the MSV eFuse while you try to get a working setup for KeyWriter.

./gen_keywr_cert.sh --msv 0xC0FFE -t ti_fek_public.pem

The KeyWriter supports a multi-pass configuration, where you can incrementally program the keys, and finally convert the device into a HS-SE when you program the KEYREV and KEYCNT efuses. Take a look at the scripts in the <RTOS SDK>/<PDK>/packages/ti/boot/keywriter/scripts/generate_test_binaries.sh file.

hongyao.jin said:
The actual key means that it is generated by ourselves, right? The HSM server you means is DMSC or tifs.bin, right?

Actual Keys - yes, whatever are your production keys. The HSM Server means the Secure Server which is where your private keys are stored and what you use to sign your binaries. It is not the DMSC or TIFS.bin.

This script in the PDK is a development environment script.

regards

Suman

0 Suman Anna 6 days ago in reply to hongyao.jin

TI__Guru* 93775 points

Hi Hangyao,

hongyao.jin said:
The MCU uart outputs a log with version information, but the M3 uart still does not have any output

This is mostly a case of not having the correct KeyWriter binary incorporated into your KeyWriter application. Please ensure that your KeyWriter application is built properly with the KeyWriter binary.

Check that the <PDK>/packages/ti/boot/keywriter/tifs_bin/j784s4/ti-fs-keywriter.bin is the proper file and the generated tifs_keywriter.h in the keywriter/soc/j784s4/ folder is not zeroes.

regards

Suman

0 hongyao.jin 5 days ago in reply to Suman Anna

Intellectual 720 points

Now we can run keywriter_img normally, but there are still some errors

If we generate certificates by this way , keywriter will report "Debug response: 0x10000"

./gen_keywr_cert.sh -s keys/smpk.pem --smek keys/smek.key -t ti_fek_pub.pem -a keys/aes256.key

If we generate certificates by this way , keywriter will report "Debug response: 0x800"

./gen_keywr_cert.sh -s keys/smpk.pem --smek keys/smek.key -b keys/bmpk.pem --bmek keys/bmek.key -t ti_fek_pub.pem -a keys/aes256.key

0 Diwakar Dhyani 5 days ago in reply to hongyao.jin

TI__Mastermind 41290 points

Hi Hangyao,

Are you able to write the MSV value as suggested by suman earlier?

Suman Anna said:
I would recommend that you start with the most trivial one that only programs the MSV eFuse while you try to get a working setup for KeyWriter.

./gen_keywr_cert.sh --msv 0xC0FFE -t ti_fek_public.pem

Is the VPP is same in your custom board as of EVM?

Regards
Diwakar

0 hongyao.jin 4 days ago in reply to Diwakar Dhyani

Intellectual 720 points

We have successfully converted the HS-FS device to HS-SE, and while trying to boot the device. we found that after modify all the keyfile field to our own key in the uboot device tree k3-j784s4-binman.dtsi, we compiled tiboot3-j784s4-evm.bin tispl.bin u-boot.img, Using DFU boot we can boot to uboot normally.

the boot log as follows

[2024-11-29 16:40:19]  U-Boot SPL 2023.04-tda4vhdv (Jul 13 2023 - 05:36:12 +0000)
[2024-11-29 16:40:19]  SYSFW ABI: 3.1 (firmware rev 0x0009 '9.0.6--v09.00.06 (Kool Koala)')
[2024-11-29 16:40:19]  SPL initial stack usage: 13424 bytes
[2024-11-29 16:40:19]  Trying to boot from DFU
[2024-11-29 16:40:19]  ######DOWNLOAD ... OK
[2024-11-29 16:40:23]  Ctrl+C to exit ...
[2024-11-29 16:40:23]  alloc space exhausted
[2024-11-29 16:40:23]  Could not get FIT buffer of 1526312 bytes
[2024-11-29 16:40:23]  check CONFIG_SYS_SPL_MALLOC_SIZE
[2024-11-29 16:40:23]  Authentication passed
[2024-11-29 16:40:23]  Authentication passed
[2024-11-29 16:40:23]  Authentication passed
[2024-11-29 16:40:23]  Authentication passed
[2024-11-29 16:40:23]  Authentication passed
[2024-11-29 16:40:23]  Loading Environment from nowhere... OK
[2024-11-29 16:40:23]  init_env from device 18 not supported!
[2024-11-29 16:40:23]  Starting ATF on ARM64 core...
[2024-11-29 16:40:23]  
[2024-11-29 16:40:23]  NOTICE:  BL31: v2.8(release):v2.8-226-g2fcd408bb3-dirty
[2024-11-29 16:40:23]  NOTICE:  BL31: Built : 00:42:57, Jan 13 2023
[2024-11-29 16:40:23]  I/TC: 
[2024-11-29 16:40:23]  I/TC: OP-TEE version: 3.20.0 (gcc version 11.3.0 (GCC)) #1 Fri Jan 20 15:42:54 UTC 2023 aarch64
[2024-11-29 16:40:23]  I/TC: WARNING: This OP-TEE configuration might be insecure!
[2024-11-29 16:40:23]  I/TC: WARNING: Please check https://optee.readthedocs.io/en/latest/architecture/porting_guidelines.html
[2024-11-29 16:40:23]  I/TC: Primary CPU initializing
[2024-11-29 16:40:23]  I/TC: SYSFW ABI: 3.1 (firmware rev 0x0009 '9.0.6--v09.00.06 (Kool Koala)')
[2024-11-29 16:40:23]  I/TC: HUK Initialized
[2024-11-29 16:40:23]  I/TC: Activated SA2UL device
[2024-11-29 16:40:23]  I/TC: Enabled firewalls for SA2UL TRNG device
[2024-11-29 16:40:23]  I/TC: SA2UL TRNG initialized
[2024-11-29 16:40:23]  I/TC: SA2UL Drivers initialized
[2024-11-29 16:40:23]  I/TC: Primary CPU switching to normal world boot
[2024-11-29 16:40:23]  
[2024-11-29 16:40:23]  U-Boot SPL 2023.04-tda4vhdv (Jul 13 2023 - 05:36:12 +0000)
[2024-11-29 16:40:23]  SYSFW ABI: 3.1 (firmware rev 0x0009 '9.0.6--v09.00.06 (Kool Koala)')
[2024-11-29 16:40:23]  Trying to boot from DFU
[2024-11-29 16:40:23]  cdns-usb3-peripheral usb@6000000: Unable to get USB2 phy (ret -61)
[2024-11-29 16:40:23]  cdns-usb3-peripheral usb@6000000: Unable to get USB3 phy (ret -22)
[2024-11-29 16:40:23]  cdns-usb3-peripheral usb@6000000: DRD version v1 (ID: 0004024e, rev: 00000200)
[2024-11-29 16:40:24]  cdns-usb3-peripheral usb@6000000: Initialized  ep0 support:  
[2024-11-29 16:40:24]  cdns-usb3-peripheral usb@6000000: Initialized  ep1out support: BULK, INT ISO
[2024-11-29 16:40:24]  cdns-usb3-peripheral usb@6000000: Initialized  ep2out support: BULK, INT ISO
[2024-11-29 16:40:24]  cdns-usb3-peripheral usb@6000000: Initialized  ep3out support: BULK, INT ISO
[2024-11-29 16:40:24]  cdns-usb3-peripheral usb@6000000: Initialized  ep4out support: BULK, INT ISO
[2024-11-29 16:40:24]  cdns-usb3-peripheral usb@6000000: Initialized  ep5out support: BULK, INT ISO
[2024-11-29 16:40:24]  cdns-usb3-peripheral usb@6000000: Initialized  ep6out support: BULK, INT ISO
[2024-11-29 16:40:24]  cdns-usb3-peripheral usb@6000000: Initialized  ep7out support: BULK, INT ISO
[2024-11-29 16:40:24]  cdns-usb3-peripheral usb@6000000: Initialized  ep8out support: BULK, INT ISO
[2024-11-29 16:40:24]  cdns-usb3-peripheral usb@6000000: Initialized  ep9out support: BULK, INT ISO
[2024-11-29 16:40:24]  cdns-usb3-peripheral usb@6000000: Initialized  ep10out support: BULK, INT ISO
[2024-11-29 16:40:24]  cdns-usb3-peripheral usb@6000000: Initialized  ep11out support: BULK, INT ISO
[2024-11-29 16:40:24]  cdns-usb3-peripheral usb@6000000: Initialized  ep12out support: BULK, INT ISO
[2024-11-29 16:40:24]  cdns-usb3-peripheral usb@6000000: Initialized  ep13out support: BULK, INT ISO
[2024-11-29 16:40:24]  cdns-usb3-peripheral usb@6000000: Initialized  ep14out support: BULK, INT ISO
[2024-11-29 16:40:24]  cdns-usb3-peripheral usb@6000000: Initialized  ep15out support: BULK, INT ISO
[2024-11-29 16:40:24]  cdns-usb3-peripheral usb@6000000: Initialized  ep1in support: BULK, INT ISO
[2024-11-29 16:40:24]  cdns-usb3-peripheral usb@6000000: Initialized  ep2in support: BULK, INT ISO
[2024-11-29 16:40:24]  cdns-usb3-peripheral usb@6000000: Initialized  ep3in support: BULK, INT ISO
[2024-11-29 16:40:24]  cdns-usb3-peripheral usb@6000000: Initialized  ep4in support: BULK, INT ISO
[2024-11-29 16:40:24]  cdns-usb3-peripheral usb@6000000: Initialized  ep5in support: BULK, INT ISO
[2024-11-29 16:40:24]  cdns-usb3-peripheral usb@6000000: Initialized  ep6in support: BULK, INT ISO
[2024-11-29 16:40:24]  cdns-usb3-peripheral usb@6000000: Initialized  ep7in support: BULK, INT ISO
[2024-11-29 16:40:24]  cdns-usb3-peripheral usb@6000000: Initialized  ep8in support: BULK, INT ISO
[2024-11-29 16:40:24]  cdns-usb3-peripheral usb@6000000: Initialized  ep9in support: BULK, INT ISO
[2024-11-29 16:40:24]  cdns-usb3-peripheral usb@6000000: Initialized  ep10in support: BULK, INT ISO
[2024-11-29 16:40:24]  cdns-usb3-peripheral usb@6000000: Initialized  ep11in support: BULK, INT ISO
[2024-11-29 16:40:24]  cdns-usb3-peripheral usb@6000000: Initialized  ep12in support: BULK, INT ISO
[2024-11-29 16:40:24]  cdns-usb3-peripheral usb@6000000: Initialized  ep13in support: BULK, INT ISO
[2024-11-29 16:40:24]  cdns-usb3-peripheral usb@6000000: Initialized  ep14in support: BULK, INT ISO
[2024-11-29 16:40:24]  cdns-usb3-peripheral usb@6000000: Initialized  ep15in support: BULK, INT ISO
[2024-11-29 16:40:24]  ####DOWNLOAD ... OK
[2024-11-29 16:40:27]  Ctrl+C to exit ...
[2024-11-29 16:40:27]  Authentication passed
[2024-11-29 16:40:28]  Authentication passed
[2024-11-29 16:40:28]  
[2024-11-29 16:40:29]  
[2024-11-29 16:40:29]  U-Boot 2023.04-tda4vhdv (Jul 13 2023 - 05:36:12 +0000)
[2024-11-29 16:40:29]  
[2024-11-29 16:40:29]  SoC:   J784S4 SR1.0 HS-SE
[2024-11-29 16:40:29]  Model: Texas Instruments J784S4 EVM
[2024-11-29 16:40:29]  DRAM:  32 GiB
[2024-11-29 16:40:29]  idle-statesCore:  82 devices, 29 uclasses, devicetree: separate
[2024-11-29 16:40:29]  Flash: 0 Bytes
[2024-11-29 16:40:29]  MMC:   mmc@4f80000: 0, mmc@4fb0000: 1
[2024-11-29 16:40:29]  Loading Environment from MMC... *** Warning - bad CRC, using default environment
[2024-11-29 16:40:29]  
[2024-11-29 16:40:29]  In:    serial@2880000
[2024-11-29 16:40:29]  Out:   serial@2880000
[2024-11-29 16:40:29]  Err:   serial@2880000
[2024-11-29 16:40:29]  Hit any key to stop autoboot:  2  1  0 
[2024-11-29 16:40:31]  Unknown command '' - try 'help'
[2024-11-29 16:40:31]  ** No partition table - mmc 0 **
[2024-11-29 16:40:31]  k3_r5f_rproc r5f@41000000: Core 1 is already in use. No rproc commands work
[2024-11-29 16:40:31]  k3_r5f_rproc r5f@41400000: Core 2 is already in use. No rproc commands work
[2024-11-29 16:40:31]  ** No partition table - mmc 0 **
[2024-11-29 16:40:31]  Couldn't find partition mmc 0:2
[2024-11-29 16:40:31]  Can't set block device
[2024-11-29 16:40:31]  ** No partition table - mmc 0 **
[2024-11-29 16:40:31]  Couldn't find partition mmc 0:2
[2024-11-29 16:40:31]  Can't set block device
[2024-11-29 16:40:31]  name_overlays_fit= conf-ti_k3-j784s4-evm-virt-mac-client.dtbo conf-ti_k3-j784s4-vision-apps.dtbo
[2024-11-29 16:40:31]  name_fit_config=conf-ti_k3-j784s4-evm.dtb
[2024-11-29 16:40:31]  Wrong Image Format for bootm command
[2024-11-29 16:40:31]  ERROR: can't get kernel image!
[2024-11-29 16:40:31]  switch to partitions #0, OK
[2024-11-29 16:40:31]  mmc0(part 0) is current device
[2024-11-29 16:40:31]  ** No partition table - mmc 0 **
[2024-11-29 16:40:31]  Couldn't find partition mmc 0:1
[2024-11-29 16:40:31]  switch to partitions #0, OK
[2024-11-29 16:40:31]  mmc0(part 0) is current device
[2024-11-29 16:40:31]  ** No partition table - mmc 0 **
[2024-11-29 16:40:31]  Couldn't find partition mmc 0:1
[2024-11-29 16:40:31]  starting USB...
[2024-11-29 16:40:31]  No working controllers found
[2024-11-29 16:40:31]  USB is stopped. Please issue 'usb start' first.

I want to know whether our modification of uboot is correct, and our linux use fitimage format. How should we configure our key to sign fitimage

0 Diwakar Dhyani 1 day ago in reply to hongyao.jin

TI__Mastermind 41290 points

Hi Hangyao,

The thread was related to keywriter and the original question is already answered . Please raise a new question for the above query it will help to streamline the thread.

Thanks for understanding.

Regards
Diwakar

0 hongyao.jin 1 day ago in reply to Diwakar Dhyani

Intellectual 720 points

i raise a new question, which you can access via the link below

https://e2e.ti.com/support/processors-group/processors/f/processors-forum/1445392/tda4vh-q1-how-to-sign-an-image-such-as-tiboot3-tispl-atf-optee-uboot-spl-uboot-fitimage-linux

0 Diwakar Dhyani 1 day ago in reply to hongyao.jin

TI__Mastermind 41290 points

Sure will follow up i new thread and close this one.

Regards
Diwakar

Processors

Processors forum

TDA4VH-Q1: How to Obtain the OTP keywriter add-on package?