AM6412: TI supports for tiboot3 certificates with validity beyond 2049

Anh-Tuan Hoang

Part Number: AM6412

Tool/software:

Hi,

I am running into an issue where my HS-FS device does not boot. I believe it failed to authenticate the tiboot3 certificate. The only difference between the working and the non-working certificate is the `NOT_AFTER` date (besides the signature). According to RFC5280, the date should be in generic format if it is after 2049 (4 digits for the year instead of 2). Examining the certificate, it looks like openssl automatically adjust the format bases on the date to include 2 extra bytes for the year.

My understanding is that TI ROM/sysfw does not check the date on the certificate as this happens very early during boot.

1. Does TI ROM/sysfw support both date formats?

2. Is the authentication done by the ROM or sysfw? Possible to fix if it is an issue?

Thank you for your support.

5 days ago

+1 Prashant Shivhare 5 days ago

TI__Guru 57231 points

Hello,

This is a known ROM issue where it fails to correctly parse the X.509 certificates using the GENERALIZED time format. The workaround is to keep the validity before 2049 to ensure the UTC time format is used for the enddate.

Regards,

Prashant

0 Anh-Tuan Hoang 4 days ago in reply to Prashant Shivhare

Prodigy 50 points

Thank you for the response. Can you confirm that the validity is not checked in any boot stage?

Regards

Anh-Tuan

+1 Prashant Shivhare 4 days ago in reply to Anh-Tuan Hoang

TI__Guru 57231 points

Anh-Tuan Hoang said:
Can you confirm that the validity is not checked in any boot stage?

The validity indeed is not checked at any boot stage.

Processors

Processors forum

AM6412: TI supports for tiboot3 certificates with validity beyond 2049