• State
  • Locked Locked
  • Replies 13 replies
  • Subscribers 99 subscribers
  • Views 359 views
  • Users 0 members are here
Support feedback
Options
Options
Related

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

TDA4VM: Sysfw.itb Authentication Issue After SDK Migration

Kishore Mali
Intellectual 345 points
Part Number: TDA4VM

Tool/software:

Hello Team,  

We’ve migrated our  hs-prime custom board from:  
Old SDK Versions: 
  - ti-processor-sdk-linux-j7-evm-08_01_00_07  
  - ti-processor-sdk-rtos-j721e-evm-08_01_00_13  


New SDK Versions:  
  - ti-processor-sdk-linux-adas-j721e-evm-09_02_00_05  
  - ti-processor-sdk-rtos-j721e-evm-09_02_00_05  

 

We have developed a custom infra to validate/authenticate all the images (tiboot3, tispl, sysfw.bin, uboot.img, fitimage) before flashing during OTA. Custom infra has been written to use ti_sci_cmd_proc_auth_boot_image()::drivers/firmware/ti_sci.c in the kernel to validate the image using TISCI framework. This infra has been working fine on 8.1 SDK.

 

The above infra has been ported to 9.2 SDK as well and it is working fine for validating/authenticating all the images, except sysfw.bin.

 

Please find the steps which have been followed on 9.2 SDK to build sysfw.

 

<Steps to build sysfw> : 
1. Downloaded TIFS SRC and dependencies for 9.2 SDK:  
   - TIFS-SRC-Release_SDK-9.1.zip  
   - xdctools_3_51_03_28_core_linux.zip  
   - bios_6_76_00_08.run  
   - ti_cgt_tms470_18.1.3.LTS_linux_installer_x86.bin  
2. Generated `ti-fs-firmware-j721e-hs.bin`.  
3. Placed customer key in:  
   `{RTOS_SDK}/pdk_jacinto_09_02_00_30/packages/ti/build/makerules/`  

And updated "pdk_jacinto_09_02_00_30/packages/ti/build/makerules/x509CertificateGen.sh".


4. Executed:  

   cd {RTOS_SDK}/pdk_jacinto_09_02_00_30/packages/ti/drv/sciclient/tools  
   export TIFS_DIR=/home/${USER}/tifs_srcs/tifs_v09.01.02  
   ./firmwareHeaderGen.sh j721e-hsp  

   Output: `tifs-hsp.bin` at `pdk_jacinto_08_01_00_36/packages/ti/drv/sciclient/soc/V1/`.  
5. Renamed `tifs-hsp.bin` to `sysfw.bin` and copied to:  
   `{LINUX_SDK}/board-support/ti-u-boot-2023.04+gitAUTOINC+f9b966c674/build/r5`  
6. Removed `sysfw` node in:  
   `{LINUX_SDK}/board-support/ti-u-boot-2023.04+gitAUTOINC+f9b966c674/arch/arm/dts/k3-j721e-binman.dtsi`  

-       sysfw {
-               filename = "sysfw.bin";
-               ti-secure-rom {
-                       content = <&ti_fs_cert>;
-                       core = "secure";
-                       load = <0x40000>;
-                       keyfile = "custMpk.pem";
-                       countersign;
-               };
-               ti_fs_cert: ti-fs-cert.bin {
-                       filename = "ti-sysfw/ti-fs-firmware-j721e_sr1_1-hs-cert.bin";
-                       type = "blob-ext";
-                       optional;
-               };
-               ti-fs-firmware-j721e_sr1_1-hs-enc.bin {
-                       filename = "ti-sysfw/ti-fs-firmware-j721e_sr1_1-hs-enc.bin";
-                       type = "blob-ext";
-                       optional;
-               };
-       };


7. Built U-Boot:  

   cd {LINUX_SDK}  
   make u-boot –j32  

   Output: `sysfw-j721e_sr1_1-hs-evm.itb` at `{LINUX_SDK}/board-support/ti-u-boot-2023.04+gitAUTOINC+f9b966c674/build/r5`.  

 

 

NOTE THAT THE SYSFW BUILT WITH THE ABOVE MENTIONED STEPS HAVE BEEN FLASHED TO OSPI MEMORY AND WE ARE ABLE TO SUCCESSFULLY SECURE-BOOT and USE THIS IMAGE.

 

However, while validating the same image using the above mentioned infra, we are seeing an issue.

 

The ti_sci_cmd_proc_auth_boot_image() is returning the error "Mbox send fail -110"

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Image Name: sysfw.bin Addr: 0xa9b5c100 Size: 264053 offset: 256
[  633.120156] ti-sci 44083000.system-controller: Mbox timedout in resp(caller: ti_sci_chrdev_unlocked_ioctl+0x2f0/0x350)
[  633.130866] ti-sci 44083000.system-controller: Mbox send fail -110
sysfw.bin image authentication status FAIL
Image Name: board-cfg.bin Addr: 0xa9b9c8f0 Size: 1727 offset: 264432
[  634.140154] ti-sci 44083000.system-controller: Mbox timedout in resp(caller: ti_sci_chrdev_unlocked_ioctl+0x2f0/0x350)
[  634.150857] ti-sci 44083000.system-controller: Mbox send fail -110
board-cfg.bin image authentication status FAIL
Image Name: pm-cfg.bin Addr: 0xa9b9d020 Size: 1700 offset: 266272
[  635.164157] ti-sci 44083000.system-controller: Mbox timedout in resp(caller: ti_sci_chrdev_unlocked_ioctl+0x2f0/0x350)
[  635.174861] ti-sci 44083000.system-controller: Mbox send fail -110
pm-cfg.bin image authentication status FAIL
Image Name: rm-cfg.bin Addr: 0xa9b9d734 Size: 5409 offset: 268084
[  636.188157] ti-sci 44083000.system-controller: Mbox timedout in resp(caller: ti_sci_chrdev_unlocked_ioctl+0x2f0/0x350)
[  636.198873] ti-sci 44083000.system-controller: Mbox send fail -110
rm-cfg.bin image authentication status FAIL
Image Name: sec-cfg.bin Addr: 0xa9b9ecc8 Size: 2048 offset: 273608
[  637.212158] ti-sci 44083000.system-controller: Mbox timedout in resp(caller: ti_sci_chrdev_unlocked_ioctl+0x2f0/0x350)
[  637.222868] ti-sci 44083000.system-controller: Mbox send fail -110

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

 

OIDs used for sysfw image (pdk_jacinto_09_02_00_30/packages/ti/build/makerules/x509CertificateGen.sh):

[ v3_ca ]
  basicConstraints = CA:true
  1.3.6.1.4.1.294.1.3=ASN1:SEQUENCE:swrv
  1.3.6.1.4.1.294.1.34=ASN1:SEQUENCE:sysfw_image_integrity
  1.3.6.1.4.1.294.1.35=ASN1:SEQUENCE:sysfw_image_load
  1.3.6.1.4.1.294.1.4=ASN1:SEQUENCE:encryption
  1.3.6.1.4.1.294.1.1=ASN1:SEQUENCE:boot_seq
  1.3.6.1.4.1.294.1.2=ASN1:SEQUENCE:image_integrity

 

Can you please guide us to have mandatory OIDs for sysfw and the sequence to be followed.

Please advise on resolving the authentication issue.  

+++++++++++++++++++++++++++++++++++++++++++++++++++

Thanks in advance!

Regards,

Kishore

  • 0
    TI__Guru 56295 points

    HI Kishore,

    Are you able to authenticate latest generated sysfw.itb on 8.1 infra ?

    Can you compare the certificate of both the sysfw 9.2 vs 8.1?

    Can you share the logs where you are able to authenticate other images  in 9.2 infra?

    Regards
    Diwakar

  • 0 in reply to Diwakar Dhyani
    Intellectual 345 points

    Hi Diwakar,

    Thanks for your response.

    Regarding the points:

    1. Can you authenticate the latest sysfw.itb on 8.1 infra?

    • Yes, we have tested this, and the latest image authentication is successful on 8.1 infra.

    2. Can you compare the certificates of sysfw 9.2 vs. 8.1?

    • We used the pdk_jacinto_09_02_00_30/packages/ti/build/makerules/x509CertificateGen.sh script with the following OIDs:
    [v3_ca]
basicConstraints = CA:true
1.3.6.1.4.1.294.1.3=ASN1:SEQUENCE:swrv
1.3.6.1.4.1.294.1.34=ASN1:SEQUENCE:sysfw_image_integrity
1.3.6.1.4.1.294.1.35=ASN1:SEQUENCE:sysfw_image_load
1.3.6.1.4.1.294.1.4=ASN1:SEQUENCE:encryption
1.3.6.1.4.1.294.1.1=ASN1:SEQUENCE:boot_seq
1.3.6.1.4.1.294.1.2=ASN1:SEQUENCE:image_integrity

    Note: The same certificate (x509CertificateGen.sh) from the 8.1 SDK was used for generating the sysfw certificate for 9.2.

    3. Can you share logs from 9.2 infra where other images are authenticated?

    Here are the logs for image authentication:

    • tiboot3.bin

      Image to be validated: /datafs/upgrade/flash_images/tiboot3.bin
Memory Allocation for Image Validation succeeded
VIRTUAL MMAP ADDRESS: 0x0xffff8bdb0000
Size of image file: 196361
MMAP of IMAGE FILE SUCCEEDED
Base Addr: 0x8bd80000
FIT Image format check succeeded
Image Name: tiboot3 Addr: 0x8bd80000 Size: 196361 offset: 0
tiboot3 image authentication status SUCCESS

    • tispl.bin

      Image to be validated: /datafs/upgrade/flash_images/tispl.bin
Memory Allocation for Image Validation succeeded
VIRTUAL MMAP ADDRESS: 0x0xffffb35a0000
Size of image file: 998119
MMAP of IMAGE FILE SUCCEEDED
Base Addr: 0xb34ac000
FIT Image format check succeeded
Image Name: atf Addr: 0xb34ac158 Size: 54588 offset: 344
atf image authentication status SUCCESS
Image Name: tee Addr: 0xb34b9728 Size: 433947 offset: 55080
tee image authentication status SUCCESS
Image Name: dm Addr: 0xb35236e4 Size: 254044 offset: 489188
dm image authentication status SUCCESS
Image Name: spl Addr: 0xb35617e8 Size: 240748 offset: 743400
spl image authentication status SUCCESS
Image Name: k3-j721e-common-proc-board.dtb Addr: 0xb359c4e8 Size: 12465 offset: 984296
k3-j721e-common-proc-board.dtb image authentication status SUCCESS

    Please let me know if you need any further details.

    Regards,

    Kishore

  • 0 in reply to Kishore Mali
    Intellectual 345 points

    One more thing I would like to mention, the above successful logs are coming from ti_sci_cmd_proc_auth_boot_image()::drivers/firmware/ti_sci.c, where ti_sci_cmd_proc_auth_boot_image() returns success for tiboot3 and tispl images.

  • 0 in reply to Kishore Mali
    Intellectual 345 points

    Hi Team,

    Gentle reminder.

  • 0 in reply to Kishore Mali
    TI__Guru** 111415 points

    Hi Kishore,

    Diwakar is on vacation, and won't be in office until mid-next week.

    Kishore Mali said:
    The ti_sci_cmd_proc_auth_boot_image() is returning the error "Mbox send fail -110"

    Which component is performing this check? Linux Kernel?

    The Mbox send fail is typically an issue if the MCU1_0 firmware is not responding. Are you able to connect to the MCU1_0 core, and check where the core is stuck at?

    regards

    Suman

  • 0 in reply to Suman Anna
    Intellectual 345 points

    Hi Diwakar,

    Regarding, 
    Which component is performing this check? Linux Kernel?
    >> Yes, it is Linux Kernel.

    Apart from sysfw.itb generated for sdk9.2 as mentioned above, all images are getting authenticated on sdk9.2.

    Also, the same latest sdk9.2 sysfw.itb image is able to authenticate on sdk8 infra.

    Regards,

    Kishore

  • 0 in reply to Kishore Mali
    TI__Guru** 111415 points

    Hi Kishore,

    Kishore Mali said:
    Apart from sysfw.itb generated for sdk9.2 as mentioned above, all images are getting authenticated on sdk9.2.

    The authentication process in general is agnostic of the data being authenticated.

    Is the mbox failure triggered only during the authentication of sysfw.itb or is proceeding even before? Can you try reauthenticating repeatedly some of the previously authenticated images?

    Kishore Mali said:
    Also, the same latest sdk9.2 sysfw.itb image is able to authenticate on sdk8 infra.

    Well, atleast this suggests there are no issues with the sysfw.itb file.

    Nevertheless, I would suggest you to compare the contents of this 9.2 sysfw.itb against the previous 8.1 SDK. You can check on the image size as well as the contents using the U-Boot's dumpimage utility.

    regards

    Suman

  • 0 in reply to Suman Anna
    Intellectual 345 points

    Hi Team,
    Thanks for your reply.

    We are trying to understand if the issue points to any changes in the SDK 9.2 sysfw.itb, particularly if it demands additional OIDs or requires a specific order of OIDs to successfully validate.

    Here are the details we observed:

    • When flashing sysfw 8.1 in the SDK 9.2 software, all images were validated successfully.
    • However, when flashing sysfw 9.2 in the SDK 9.2 software, all images passed initially, but when sysfw 9.2 itself was validated, we encountered an MBOX error. This led to subsequent failures for other images that had previously passed validation.
    • Additionally, we tried removing the encryption OID in the SDK 9.2 software as sdk8.1 also not having it, but this caused the board to fail to boot.

     

    Action Component Validation Status
    1. Flashed sysfw8.1 in SDK9.2 SW tiboot3 Passed
      fitimage Passed
      tispl Passed
      sysfw8.1 Passed
      sysfw9.2 Passed
    2. Flashed sysfw9.2 in SDK9.2 SW tiboot3 Passed
      fitimage Passed
      tispl Passed
      sysfw8.1 Failed with mbox error
      sysfw9.2 Failed with mbox error
      tiboot3 Failed with mbox error
      fitimage Failed with mbox error
      tispl Failed with mbox error
    3. Flashed sysfw9.2 in SDK9.2 SW (First validated sysfw9.2) sysfw9.2 Failed with mbox error
      tiboot3 Failed with mbox error
      fitimage Failed with mbox error
      tispl Failed with mbox error
      sysfw8.1 Failed with mbox error

     The difference between Point 2 and 3 is the order/sequence in which the firmware images are validated. 
     As explicitly visible from the table once the sysfw is validated, the system enters into mbox error mode after which it does not recover.
     In this sequence, when we go for soft reboot then during booting also couple of mbox errors are observed.

     It is clearly visible that when board is loaded with sdk9.2 sysfw and followed by validation of sysfw (sysfw_8.1 and sysfw_9.2), the system enters into mbox error mode. 

    With these observations in mind, we have a few questions:

    1. Does the SDK 9.2 sysfw.itb require additional OIDs or a specific order of OIDs to be validated correctly?
    2. Is there a mandatory list of OIDs required for the proper functioning and validation in SDK 9.2?


    Regarding,
    Nevertheless, I would suggest you to compare the contents of this 9.2 sysfw.itb against the previous 8.1 SDK. You can check on the image size as well as the contents using the U-Boot's dumpimage utility.
    >>

    sdk9.2 :

    
1.3.6.1.4.1.294.1.3=ASN1:SEQUENCE:swrv
1.3.6.1.4.1.294.1.34=ASN1:SEQUENCE:sysfw_image_integrity
1.3.6.1.4.1.294.1.35=ASN1:SEQUENCE:sysfw_image_load
1.3.6.1.4.1.294.1.4=ASN1:SEQUENCE:encryption
1.3.6.1.4.1.294.1.1=ASN1:SEQUENCE:boot_seq
1.3.6.1.4.1.294.1.2=ASN1:SEQUENCE:image_integrity


    sdk8.1:
    1.3.6.1.4.1.294.1.3=ASN1:SEQUENCE:swrv
    1.3.6.1.4.1.294.1.34=ASN1:SEQUENCE:sysfw_image_integrity
    1.3.6.1.4.1.294.1.35=ASN1:SEQUENCE:sysfw_image_load
    1.3.6.1.4.1.294.1.4=ASN1:SEQUENCE:encryption
    1.3.6.1.4.1.294.1.1=ASN1:SEQUENCE:boot_seq
    1.3.6.1.4.1.294.1.2=ASN1:SEQUENCE:image_integrity

    Content wise:



    Thanks in advance.

    Regards,
    Kishore

  • 0 in reply to Kishore Mali
    TI__Guru** 111415 points

    Hi Kishore,

    Kishore Mali said:
    We are trying to understand if the issue points to any changes in the SDK 9.2 sysfw.itb, particularly if it demands additional OIDs or requires a specific order of OIDs to successfully validate.

    The required OIDs are all fixed for a given binary, so this is not an issue, and no additional OIDs are required for 9.2 sysfw.itb. 

    Kishore Mali said:
    Here are the details we observed:

    Thanks for the detailed notes.

    Kishore Mali said:
    However, when flashing sysfw 9.2 in the SDK 9.2 software, all images passed initially, but when sysfw 9.2 itself was validated, we encountered an MBOX error. This led to subsequent failures for other images that had previously passed validation.

    The mbox error is a result of not getting a response properly. This is usually a result of the MCU R5F core entering an exception. Once this error is encountered, the TI-SCI protocol is non-functional, and all subsequent TI-SCI messages will be non-functional (not limiting to just the authentication of further images you are testing).

    Given that you are performing an authentication step through Linux, the TI-SCI request is routed through the MCU R5F firmware. What firmware do you use on MCU R5F, it appears that there is an issue with your SDK 9.2 MCU R5F firmware.

    Kishore Mali said:
    Additionally, we tried removing the encryption OID in the SDK 9.2 software as sdk8.1 also not having it, but this caused the board to fail to boot.

    TIFS firmware is the primary Security Root-of-Trust firmware, and is an encrypted firmware. So, you cannot remove this OID, that is needed to decrypt the firmware.

    Kishore Mali said:
     The difference between Point 2 and 3 is the order/sequence in which the firmware images are validated.

    Your table does show the 8.1 sysfw.itb file also failing in Point 2. 

    Kishore Mali said:
    Does the SDK 9.2 sysfw.itb require additional OIDs or a specific order of OIDs to be validated correctly?

    No

    Kishore Mali said:
    Is there a mandatory list of OIDs required for the proper functioning and validation in SDK 9.2?

    This is not an issue with OIDs.

    Kishore Mali said:
    Content wise:

    Thanks for this dump. Overall, nothing stands out. The 9.2 sysfw.itb files/contents are slightly larger, and this comes due to the increased size differences in certificates coming from OpenSSL 3.x on the newer Ubuntu 22.04 machines that SDK 9.x is released with.

    regards

    Suman

  • 0 in reply to Suman Anna
    Intellectual 345 points

    Hi Team,

    We have enabled the enet lwIP example on SDK 9.2 for the MCU10 R5F firmware, and it works as expected. Every 10 seconds, we print the CPU load, as shown below.

    Still the issue persists, where the sysfw.bin validation from SDK 9.2 is failing with an Mbox error when sdk9.2 based sysfw is flashed.

    MCU10 Logs:

    ++++++++++++++++++++++++++++++++++++++++++++++ 
    ==========================
    Enet lwIP App
    ==========================
    EnetBoard_setupPorts: 1 of 1 ports configurations found
    CPU Load: 5%
    Starting lwIP, local interface IP is 192.168.0.25
    EnetAppUtils_reduceCoreMacAllocation: Reduced Mac Address Allocation for CoreId:0 From 1 To 0
    EnetAppUtils_reduceCoreMacAllocation: Reduced Mac Address Allocation for CoreId:4 From 1 To 0
    EnetMcm: CPSW_2G on MCU NAVSS
    Mdio_open: MDIO manual mode enabled
    PHY 0 is alive
    PHY 1 is alive
    PHY 2 is alive
    PHY 3 is alive
    PHY 4 is alive
    PHY 5 is alive
    PHY 6 is alive
    PHY 7 is alive
    PHY 8 is alive
    PHY 9 is alive
    PHY 10 is alive
    PHY 11 is alive
    PHY 12 is alive
    PHY 13 is alive
    PHY 14 is alive
    PHY 15 is alive
    PHY 16 is alive
    PHY 17 is alive
    PHY 18 is alive
    PHY 19 is alive
    PHY 20 is alive
    PHY 21 is alive
    PHY 22 is alive
    PHY 23 is alive
    PHY 24 is alive
    PHY 25 is alive
    PHY 26 is alive
    PHY 27 is alive
    PHY 28 is alive
    PHY 29 is alive
    PHY 30 is alive
    Cpsw_openPortLinkNoPhy: Port 1: Link up: 1-Gbps Full-Duplex
    Host MAC address: 34:08:e1:5f:44:06
    [LWIPIF_LWIP] Enet LLD netif initialized successfully
    status_callback==UP, local interface IP is 192.168.0.25
    Enet lwIP App: Added Network IP address I/F ti0: 192.168.0.25
    Initializing apps
    UDP server listening on port 5001
    MAC Port 1: link up
    link_callback==UP
    CPU Load: 5%
    CPU Load: 2%
    CPU Load: 2%
    CPU Load: 2%
    CPU Load: 2%
    CPU Load: 2%
    CPU Load: 2%
    CPU Load: 2%
    CPU Load: 2%
    CPU Load: 2%
    CPU Load: 2%
    CPU Load: 2%
    CPU Load: 2%

    ++++++++++++++++++++++++++++++++++++++++++++++

    Observations:

    • All other images are successfully validated as mentioned in above table also.

    • The issue only occurs when flashing and validating the sysfw.bin based on SDK 9.2.

    Given our observations, could you please guide us on how to resolve this issue?

    Thank you for your assistance.

    Best regards,
    Kishore

  • 0 in reply to Kishore Mali
    TI__Guru** 111415 points

    Hi Kishore,

    Kishore Mali said:
    Given our observations, could you please guide us on how to resolve this issue?

    Are you able to connect and debug your MCU R5F core? Can you check if your MCU R5F core is stuck in an exception?

    Also, I would also recommend to enable the traces and capture the TIFS debug log from Wkup UART (if your board has support for this)?

    regards

    Suman

  • 0 in reply to Suman Anna
    Intellectual 345 points

    Hi Suman,

    Regarding,
    Are you able to connect and debug your MCU R5F core? 

    >> Board has no support for this.

    Also, we are able to see the regular CPU load print on MCU10 UART. If exception is there it should stuck which is not the case.

    Regarding,

    Also, I would also recommend to enable the traces and capture the TIFS debug log from Wkup UART (if your board has support for this)?

    >> Board has no support for this.

    Regards,

    Kishore

  • 0 in reply to Kishore Mali
    TI__Guru** 111415 points

    Hi Kishore,

    Kishore Mali said:
    Are you able to connect and debug your MCU R5F core?

    I am very surprised that you have no JTAG debug support, this makes it extremely hard for debug during development.

    Kishore Mali said:
    Also, we are able to see the regular CPU load print on MCU10 UART. If exception is there it should stuck which is not the case.

    The mbox failure is only caused when the MCU R5F is not responding to the requests. Are you sure the interrupts are not disabled somehow on the MCU R5F?

    Kishore Mali said:

    Also, I would also recommend to enable the traces and capture the TIFS debug log from Wkup UART (if your board has support for this)?

    >> Board has no support for this.

    This is understandable, not every customer pins out Wkup UART on their boards. You can rely on some memory-based debug, but having no access to JTAG doesn't help your debug.

    regards

    Suman