[FAQ] SYSFW keyring importing support on AM62x

Part Number: AM625

SYSFW/TIFS supports keyring import on AM62x HS-SE.
https://software-dl.ti.com/tisci/esd/latest/6_topic_user_guides/keyring.html
https://software-dl.ti.com/tisci/esd/latest/2_tisci_msgs/security/keyring.html

This FAQ shows how to add the SYSFW/TIFS keyring import API to u-boot (R5-SPL) and how to verify a binary signed
with the imported keyring on AM62x HS-SE, using AM62x Linux SDK 10.1.10.4 (TIFS 10.1.8).
https://www.ti.com/tool/download/PROCESSOR-SDK-LINUX-AM62X/10.01.10.04

1/. Generate and sign the keyring import certificate
a. Untar the package "keyring_gen_sign.tar.xz"
b. Read "README.md" for how to generate and sign the keyring import certificate
c. Sample commands are listed below; they generate the keyring import certificate "keyring_init.h"
- "python3 gen_keyring.py"
- "python3 sign_keyring.py './keys/root/custMpk.pem' 6 0"

2/. Sign the test binary with the imported key
Run "./sign_bin.sh" from the untarred folder above to
- sign the test binary with the imported key for the positive test
- sign the test binary with the un-imported key for the negative test

3/. u-boot patches (keyring_patch-folder.tar.xz)
Apply the following u-boot patches
- 0001-tisci-driver-for-sysfw-keyring-import-API.patch: tisci driver for the sysfw keyring import API
- 0001-calling-sysfw-keyring-import-API-in-r5-spl.patch: calls the sysfw keyring import API in r5-spl
- 0001-test-cmd-to-verify-bin-signed-with-the-imported-key.patch: test cmd to verify the test binary signed with the imported key

4/. Test log (am62_uboot_keyring_verify.log)
- The SYSFW/TIFS keyring import API is called in u-boot (r5-spl)
- u-boot test cmds verify two test binaries: one signed with the imported key (positive test) and one signed with the un-imported key (negative test)

Attachments:

8357.keyring_gen_sign.tar.xz

7610.keyring_patch-folder.tar.xz

6052.am62_uboot_keyring_verify.log
    U-Boot SPL 2024.04-00003-gf2fec81a-dirty (Mar 07 2025 - 15:52:46 -0600)
    SYSFW ABI: 4.0 (firmware rev 0x000a '10.1.8--v10.01.08 (Fiery Fox)')
    k3_sysfw_keyring_import:
    SPL initial stack usage: 13392 bytes
    Trying to boot from MMC2
    Authentication passed
    Authentication passed
    Authentication passed
    Authentication passed
    Authentication passed
    Starting ATF on ARM64 core...
    
    NOTICE:  BL31: v2.11.0(release):v2.11.0-906-g58b25570c9-dirty
    NOTICE:  BL31: Built : 04:20:32, Nov  1 2024
    
    U-Boot SPL 2024.04-00003-gf2fec81a-dirty (Mar 07 2025 - 15:53:20 -0600)
    SYSFW ABI: 4.0 (firmware rev 0x000a '10.1.8--v10.01.08 (Fiery Fox)')
    SPL initial stack usage: 1904 bytes
    Error (-2): cannot determine file size
    Trying to boot from MMC2
    Authentication passed
    Authentication passed
    
    
    U-Boot 2024.04-00003-gf2fec81a-dirty (Mar 07 2025 - 15:53:20 -0600)
    
    SoC:   AM62X SR1.0 HS-SE
    Model: Texas Instruments AM625 SK
    EEPROM not available at 0x50, trying to read at 0x51
    Reading on-board EEPROM at 0x51 failed -121
    DRAM:  2 GiB
    Core:  81 devices, 31 uclasses, devicetree: separate
    MMC:   mmc@fa10000: 0, mmc@fa00000: 1
    Loading Environment from nowhere... OK
    In:    serial
    Out:   serial
    Err:   serial
    EEPROM not available at 0x50, trying to read at 0x51
    Net:   eth0: ethernet@8000000port@1
    Hit any key to stop autoboot:  2  0 
    => tisci  
    
    1/. positigve test: verify bin signed with the imported key
    cert verify passed!
    
    2/. negative test: verify bin signed with the un-imported key
    ti_sci system-controller@44043000: Message not acknowledged
    Authentication failed!
    cert verify failed!
    =>
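
A check that can be run over a captured console log like the one above, added here as an example (it is not part of the original FAQ or of TI's packages). It confirms that the keyring import call appears before ATF starts, that the device reports HS-SE, and that the negative test is rejected. The function names are hypothetical, and the section markers `1/.` and `2/.` are assumed to be printed exactly as in the log shown on this page.

```python
import re

# Constructed sample: a trimmed copy of console lines from the log on this page.
SAMPLE_LOG = """\
U-Boot SPL 2024.04-00003-gf2fec81a-dirty (Mar 07 2025 - 15:52:46 -0600)
k3_sysfw_keyring_import:
Starting ATF on ARM64 core...
SoC:   AM62X SR1.0 HS-SE
=> tisci
1/. positigve test: verify bin signed with the imported key
cert verify passed!
2/. negative test: verify bin signed with the un-imported key
ti_sci system-controller@44043000: Message not acknowledged
Authentication failed!
cert verify failed!
=>
"""

def check_keyring_log(text):
    """Return named pass/fail findings for one captured console log."""
    lines = [ln.strip() for ln in text.splitlines()]

    def index_of(pattern, start=0):
        for i in range(start, len(lines)):
            if re.search(pattern, lines[i]):
                return i
        return -1

    atf = index_of(r"Starting ATF")
    imp = index_of(r"k3_sysfw_keyring_import")
    pos = index_of(r"^1/\.")                       # assumed positive-test marker
    neg = index_of(r"^2/\.", pos + 1) if pos >= 0 else -1
    pos_body = lines[pos + 1:neg] if 0 <= pos < neg else []
    neg_body = lines[neg + 1:] if neg >= 0 else []
    return {
        # The import is expected in the R5 SPL stage, i.e. before ATF starts.
        "import_in_r5_spl": 0 <= imp < atf,
        "hs_se_device": index_of(r"^SoC:.*HS-SE") >= 0,
        "positive_passed": "cert verify passed!" in pos_body,
        # Security-relevant case: a pass here would mean a key outside the
        # imported keyring was accepted.
        "negative_rejected": ("cert verify failed!" in neg_body
                              and "cert verify passed!" not in neg_body),
    }

def log_ok(text):
    """True only if every finding holds."""
    return all(check_keyring_log(text).values())
```
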