AM623: Secure Boot Implementation on AM62x EVM (HS-FS to HS-SE Conversion)

Part Number: AM623


Hi Team,

I am working with the AM62x board and need to implement a secure boot. My device is currently in HS-FS (High-Security Field Securable) mode, and I need to convert it to HS-SE (High-Security Secure Enforced) by flashing the key to the eFuse via the OTP keywriter.

I would like confirmation on whether my understanding is correct:

  1. The HS-FS device can be converted to HS-SE by programming the necessary keys into eFuse.
  2. The images for secure boot should be built using the same key that is flashed into eFuse.

If my understanding is correct, could you please provide guidance on:

  1. The exact process to flash the key into eFuse – is there any specific TI software/tool available for this purpose?
  2. The steps to build secure boot images with this key in the Yocto environment.

Any official documentation, example procedures, or recommendations would be highly appreciated.

Thank you for your support.

Best Regards, Vikash

  • Hello,

    • The HS-FS device can be converted to HS-SE by programming the necessary keys into eFuse.
    • The images for secure boot should be built using the same key that is flashed into eFuse.

    That is correct.

    The exact process to flash the key into eFuse – is there any specific TI software/tool available for this purpose?

    There is an OTP Keywriter tool and guide available on the following secure portal:

    https://www.ti.com/drr/opn/AM62X-RESTRICTED-SECURITY

    Regards,

    Prashant

  • Hi Prashant,

    Thank you for the tool and guide. I need some clarification on the Keywriter process and eFuse flashing.

    Based on my understanding, the keywriter builds the tiboot3.bin image using the following steps:

    • ./gen_keywr_cert.sh --msv 0xC0FFE -t tifek/ti_fek_public.pem
    • python3 ../../../../../tools/bin2c/bin2c.py final_certificate.bin keycert.h KEYCERT
    • <MCU_PLUS_SDK_INSTALL_DIR>/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang
      gmake -sj clean PROFILE=debug
      gmake -sj PROFILE=debug

    Once tiboot3.bin is built, if I flash it using USB DFU/UART/OSPI, will this process directly burn the key into eFuse, or are there additional steps required to complete the eFuse programming? Please confirm the necessary procedure.

    Regards, Vikash

  • Hello,

    The OTP programming depends on how you generated the certificate.

    ./gen_keywr_cert.sh --msv 0xC0FFE -t tifek/ti_fek_public.pem

    This would only program the MSV field, not the keys and other things. Please refer to the Keywriter user guide for generating certificates that program keys and convert the device to HSSE.

    Regards,

    Prashant