
[FAQ] SYSFW keyring importing support on AM62x

Part Number: AM625


SYSFW/TIFS supports keyring import on AM62x HS-SE.
https://software-dl.ti.com/tisci/esd/latest/6_topic_user_guides/keyring.html
https://software-dl.ti.com/tisci/esd/latest/2_tisci_msgs/security/keyring.html

This FAQ shows how to call the SYSFW/TIFS keyring import API from u-boot (R5 SPL) and how to verify a binary signed with a key from the imported keyring, on AM62x HS-SE with AM62x Linux SDK 11.1.5.3 (TIFS 11.1.2):
https://www.ti.com/tool/download/PROCESSOR-SDK-LINUX-AM62X/11.01.05.03

1/. Generate and sign the keyring import certificate
    a. Untar the package "keyring_gen_sign.tar.xz".
    b. Read "README.md" for how to generate and sign the keyring import certificate.
    c. Sample commands, which generate the keyring import certificate "keyring_init.h":
       - python3 gen_keyring.py
       - python3 sign_keyring.py './keys/root/custMpk.pem' 6 0

2/. u-boot patches (keyring-patch.tar.xz)
    Apply the following u-boot patches:
    - 0001-tisci-driver-for-sysfw-keyring-import-API.patch: tisci driver for the sysfw keyring import API
    - 0001-calling-sysfw-keyring-import-API-in-r5-spl.patch: calls the sysfw keyring import API in r5-spl
    - 0001-tisci-cmd-to-verify-bin-via-TISCI-API: test command that verifies a test binary signed with the imported key

3/. Sign the test binary with the imported key
    Run "./sign_bin.sh" from the folder untarred in step 1 above:
    - sign the test binary with the imported key (positive test, expected to pass)
    - sign the test binary with a key that was not imported (negative test, expected to fail)

4/. Test log (am62_11.1.5.3_keyring.log)
    - The SYSFW/TIFS keyring import API is called in u-boot (r5-spl).
    - The u-boot test command verifies two test binaries: signed_1.bin, signed with the imported key (positive test), and signed_7.bin, signed with a key that was not imported (negative test).
    - Sample u-boot test commands from SD boot, with signed_1.bin and signed_7.bin copied to the SD boot partition:

    load mmc 1 $loadaddr signed_1.bin; tisci_verify $loadaddr $filesize
    load mmc 1 $loadaddr signed_7.bin; tisci_verify $loadaddr $filesize

    https://e2e.ti.com/cfs-file/__key/communityserver-discussions-components-files/791/7120.keyring_5F00_gen_5F00_sign.tar.xz

    https://e2e.ti.com/cfs-file/__key/communityserver-discussions-components-files/791/keyring_2D00_patch.tar.xz

    am62_11.1.5.3_keyring.log
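The positive and negative tests in steps 3 and 4 come down to one rule in the verifier: a signature is accepted only if it validates under a public key that is present in the imported keyring, so signed_1.bin passes and signed_7.bin is rejected. The Python model below is an added example of that rule, not TI's SYSFW/TIFS code and not the scripts from the attached package. It uses textbook RSA with constructed tiny primes so it runs offline (real keyrings hold production-size keys), derives a key id from a hash of the public key as a constructed convention, and the names Keyring, import_cert, verify and run_tests are assumptions.

```python
import hashlib

# Toy model of "import keyring, then verify a signed binary" (added example, not TI code).
# Textbook RSA on tiny constructed primes: enough to show the keyring lookup and the
# positive/negative outcome, not a real signature scheme or TIFS keyring format.


def make_keypair(p, q, e=65537):
    """Return (public, private) as (n, e) and (n, d) from two constructed primes."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def key_id(pub):
    """Constructed convention: identify a key by a truncated hash of its public part."""
    n, e = pub
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()[:16]


def digest_mod_n(data, n):
    """SHA-256 of the binary, reduced mod n so the toy key can sign it."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data):
    """Signer side (stands in for sign_bin.sh): RSA-sign the reduced digest."""
    n, d = priv
    return pow(digest_mod_n(data, n), d, n)


class Keyring:
    """Models the verifier's key store: only imported keys are trusted."""

    def __init__(self):
        self.keys = {}

    def import_cert(self, pubs):
        # Stands in for the keyring import certificate: adds keys to the trusted set.
        for pub in pubs:
            self.keys[key_id(pub)] = pub

    def verify(self, data, sig, kid):
        """Verifier side (stands in for tisci_verify): reject unknown keys and bad signatures."""
        pub = self.keys.get(kid)
        if pub is None:
            # Key was never imported -> reject, the signed_7.bin case.
            return False
        n, e = pub
        return pow(sig, e, n) == digest_mod_n(data, n)


def run_tests():
    """Return (positive, negative, tampered) outcomes for a constructed test binary."""
    pub1, priv1 = make_keypair(1009, 1013)   # key that gets imported
    pub7, priv7 = make_keypair(1019, 1021)   # key that is never imported
    ring = Keyring()
    ring.import_cert([pub1])

    test_bin = b"constructed test binary contents"
    positive = ring.verify(test_bin, sign(priv1, test_bin), key_id(pub1))
    negative = ring.verify(test_bin, sign(priv7, test_bin), key_id(pub7))
    # Imported key, but the binary was modified after signing: must also fail.
    tampered = ring.verify(test_bin + b"!", sign(priv1, test_bin), key_id(pub1))
    return positive, negative, tampered


if __name__ == "__main__":
    pos, neg, tam = run_tests()
    print(f"signed with imported key:     {'PASS' if pos else 'FAIL'}")
    print(f"signed with un-imported key:  {'PASS' if neg else 'FAIL'}")
    print(f"imported key, tampered image: {'PASS' if tam else 'FAIL'}")
```

The negative case fails before any arithmetic happens, on the keyring lookup alone; that is the property the un-imported-key test on the board is exercising, while the tampered case shows the other half of the check, a valid key with a mismatching digest.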