[FAQ] SYSFW API on key revoke in OPTEE on AM62x

Part Number: AM625

SYSFW/TIFS supports the key revoke use case via the TISCI API TISCI_MSG_WRITE_KEYREV.
https://software-dl.ti.com/tisci/esd/latest/6_topic_user_guides/otp_revision.html#dual-signed-certificate-for-writing-keyrev
https://software-dl.ti.com/tisci/esd/latest/2_tisci_msgs/security/otp_revision.html#sec-api-wr-keyrev-otp

This FAQ shows how to call the TISCI API TISCI_MSG_WRITE_KEYREV from secure OPTEE running in ARM TZ on the A53.
There is a companion FAQ on how to call the API from the R5 core:
https://e2e.ti.com/support/processors-group/processors/f/791/t/1202686

  • 1/. 0001-add-optee-TISCI-key-revoke-test-code.patch: the OPTEE driver patch, with the OPTEE 4.0 tag as baseline.
    https://git.ti.com/cgit/optee/ti-optee-os/commit/?h=4.0.0
    - The patch sanity-tests the OPTEE driver by calling it directly from the OPTEE init function; in a real OTA update use case it should be called by a TA/PTA/Linux.
    - The TIFS key revoke API call needs to be triggered by the system OTA update process, which also prompts the firmware (signed with BMPK) update in flash memory concurrently.
    - Refer to the companion FAQ for how to generate the dual-signed certificates "dual_cert_keyrev.h" used in the patch.

    2/. The attached OPTEE patch is written for the AM62x SoC.
    For the AM64x SoC, the one-line change listed below is needed, since AM64x has a different SRAM memory map compared to AM62x.

    - #define SRAM_SCRATCH_BASE 0x43C3B000
    + #define SRAM_SCRATCH_BASE 0x701A0000
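
    Review bot: the new SRAM_SCRATCH_BASE value overwrites the AM62x address in place, so the same source tree can no longer be built for AM62x without editing it back. Consider selecting the address per SoC with a platform conditional that keeps both 0x43C3B000 and 0x701A0000, with a comment naming the SoC each one belongs to, so the certificate is never copied to an address taken from the other device's memory map.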

    3/. Sample test log on the AM62x-SK board (HS-SE):

    I/TC: >>>> ti_sci_set_keyrev() unit test start
    I/TC: req.value = 0x00000002  
    I/TC: req.cert_addr_lo = 0x43C3B000  
    I/TC: req.cert_addr_hi = 0x00000000  
    I/TC: req.hdr.type = 0x9035  
    I/TC: req.hdr.host = 0xB  
    I/TC: req.hdr.seq = 0x4  
    I/TC: req.hdr.flags = 0x2  
    I/TC: resp.hdr.type = 0x9035  
    I/TC: resp.hdr.host = 0xB  
    I/TC: resp.hdr.seq = 0x4  
    I/TC: resp.hdr.flags = 0x2  
    I/TC: >>>> ti_sci_set_keyrev() return success!!!

    0001-add-optee-TISCI-key-revoke-test-code.patch
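
The request and response fields printed in the test log, as an added example that is not taken from the TI patch: it fills a key revoke request and checks that a response header belongs to that request and carries an ACK. The struct layouts, the flag names and the helper names `keyrev_fill` and `keyrev_check_resp` are assumptions made to match the field names and values in the log.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed header layout: 16-bit type, 8-bit host, 8-bit seq, 32-bit flags. */
struct tisci_hdr {
    uint16_t type;
    uint8_t host;
    uint8_t seq;
    uint32_t flags;
} __attribute__((packed));

/* Request body; field names follow the "req.*" lines of the test log. */
struct keyrev_req {
    struct tisci_hdr hdr;
    uint32_t value;
    uint32_t cert_addr_lo;
    uint32_t cert_addr_hi;
} __attribute__((packed));

#define MSG_WRITE_KEYREV 0x9035u   /* hdr.type in the log */
#define REQ_FLAG_AOP     (1u << 1) /* req.hdr.flags = 0x2 (assumed: ack on processed) */
#define RESP_FLAG_ACK    (1u << 1) /* resp.hdr.flags = 0x2 (assumed: ACK) */

/* Fill the request; cert_pa is where the dual-signed certificate was copied. */
void keyrev_fill(struct keyrev_req *r, uint8_t host, uint8_t seq,
                 uint32_t keyrev, uint64_t cert_pa)
{
    r->hdr.type = MSG_WRITE_KEYREV;
    r->hdr.host = host;
    r->hdr.seq = seq;
    r->hdr.flags = REQ_FLAG_AOP;
    r->value = keyrev;
    r->cert_addr_lo = (uint32_t)cert_pa;
    r->cert_addr_hi = (uint32_t)(cert_pa >> 32);
}

/* 0 when the response matches the request and carries ACK; negative otherwise. */
int keyrev_check_resp(const struct keyrev_req *req, const struct tisci_hdr *resp)
{
    if (resp->type != req->hdr.type) return -1;    /* answer to another message */
    if (resp->seq != req->hdr.seq) return -2;      /* stale or out-of-order reply */
    if (!(resp->flags & RESP_FLAG_ACK)) return -3; /* request was not acknowledged */
    return 0;
}

int main(void)
{
    struct keyrev_req req;
    struct tisci_hdr resp = { 0x9035, 0xB, 0x4, 0x2 }; /* constructed from the log */
    keyrev_fill(&req, 0xB, 0x4, 0x2, 0x43C3B000ull);
    printf("check = %d\n", keyrev_check_resp(&req, &resp));
    return 0;
}
```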