• State Resolved
  • Locked Locked
  • Replies 9 replies
  • Subscribers 98 subscribers
  • Views 402 views
  • Users 0 members are here
Support feedback
Options
Options
Related

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

Original question:

AM62P: How to make image for linux and boot while securebooting?

AM62P: How use my personal keys

KONG XIANGXU
Expert 1986 points
Part Number: AM62P

Tool/software:

Hi,Team

a@abc:~/ti/mcu_plus_sdk_am62px_09_01_00_39 (copy)/source/security/sbl_keywriter/scripts/cert_gen/am62px$ ./gen_keywr_cert.sh -g
Generating keys in PKCS#1 Format!!
a@abc:~/ti/mcu_plus_sdk_am62px_09_01_00_39 (copy)/source/security/sbl_keywriter/scripts/cert_gen/am62px$ ./gen_keywr_cert.sh -t  -b keys/v15/bmpk.pem \
--bmek keys/bmek.key -b-wp --bmek-wp -s keys/v15/smpk.pem \
--smek keys/smek.key -s-wp --smek-wp
ERR: -b doesn't exist. 
a@abc:~/ti/mcu_plus_sdk_am62px_09_01_00_39 (copy)/source/security/sbl_keywriter/scripts/cert_gen/am62px$ ./gen_keywr_cert.sh   -b keys/v15/bmpk.pem --bmek keys/bmek.key -b-wp --bmek-wp -s keys/v15/smpk.pem --smek keys/smek.key -s-wp --smek-wp
ERR: TIFEK Public Key is required!!

I want to use my own key to secure boot. But I'm not so sure which comman I use.

Also, if I put my key in sbl_keywriter/scripts/cert_gen/am62px/keys folder as it says in the doc" The commands below will generate random keys for testing in sbl_keywriter/scripts/cert_gen/am62px/keys folder  " ,how should I fill the devconfig.mak path.

else ifeq ($(DEVICE),am62px)
    CUST_MPK=$(SIGNING_TOOL_PATH)/custMpk_am62px.pem
    CUST_MEK=$(SIGNING_TOOL_PATH)/custMek_am62px.txt
else
    CUST_MPK=$(SIGNING_TOOL_PATH)/custMpk_am64x_am243x.pem
    CUST_MEK=$(SIGNING_TOOL_PATH)/custMek_am64x_am243x.txt
endif

# Encryption option for application (yes/no)
ENC_ENABLED?=no

# Encryption option for SBL (yes/no)
ENC_SBL_ENABLED?=yes

# Debug option for HS (yes/no)
DBG_ENABLED?=no

Thank you for your support.

Best Regards, KONG XIANGXU

  • 0
    TI__Guru 69561 points
    KONG XIANGXU said:
    I want to use my own key to secure boot. But I'm not so sure which comman I use.

    Please use the same command as you used below with the paths to the keys modified as required:

    https://e2e.ti.com/support/processors-group/processors/f/processors-forum/1498468/am62p-secure-boot-keywrite/5763861#5763861

    KONG XIANGXU said:
    how should I fill the devconfig.mak path.

    Modify the CUST_MPK and CUST_MEK variable to the paths to the programmed keys.

  • 0 in reply to Prashant Shivhare
    Expert 1986 points

    I don't know how to generate my own keys.

  • 0 in reply to KONG XIANGXU
    TI__Guru 69561 points 
    a@abc:~/ti/mcu_plus_sdk_am62px_09_01_00_39 (copy)/source/security/sbl_keywriter/scripts/cert_gen/am62px$ ./gen_keywr_cert.sh -g

    This command generated custom keys in the "keys" folder.

  • 0 in reply to Prashant Shivhare
    Expert 1986 points 

    a@abc:~/ti/mcu_plus_sdk_am62px_10_00_00_14/source/security/sbl_keywriter/scripts/cert_gen/am62px$ ./gen_keywr_cert.sh -g
Generating keys in PKCS#1 Format!!
a@abc:~/ti/mcu_plus_sdk_am62px_10_00_00_14/source/security/sbl_keywriter/scripts/cert_gen/am62px$ ./gen_keywr_cert.sh -t tifek/SR_10/ti_fek_public.pem -b keys/v15/bmpk.pem --bmek keys/bmek.key -s keys/v15/smpk.pem --smek keys/smek.key --keycnt 2 --keyrev 1
# Using Key Count: 0x00000003
# Using Key Rev: 0x00000001
Generating Dual PKCS#1v1.5 signed certificate!!
GEN: AES256 key generated, since not provided
# encrypt aes256 key with tifek public part
# encrypt SMPK-priv signed aes256 key(hash) with tifek public part
# encrypt smpk-pub hash using aes256 key
# encrypt smek (sym key) using aes256 key
# encrypt BMPK-priv signed aes256 key(hash) with tifek public part
# encrypt bmpk-pub hash using aes256 key
# encrypt bmek (sym key) using aes256 key
1668 secondary_cert.bin
5383 primary_cert.bin
7051 ../x509cert/final_certificate.bin
# SHA512 Hashes of keys are stored in verify_hash.csv for reference..

    1.should I use -t tifek/SR_10/ti_fek_public.pem here?

    2.How to generate the txt file like custMek_am62px.txt?

  • 0 in reply to KONG XIANGXU
    TI__Guru 69561 points
    KONG XIANGXU said:
    1.should I use -t tifek/SR_10/ti_fek_public.pem here?

    Yes, it is needed.

    KONG XIANGXU said:
    2.How to generate the txt file like custMek_am62px.txt?

    You may use the following command to convert the encryption key into the format expected by the MCU+ SDK:

    ❯ xxd -p -c 10000 smek.key | tr -d $'\n' | tee smek.txt

  • 0 in reply to Prashant Shivhare
    Expert 1986 points 

    Starting Keywriter
Starting Keywrite
Enabled VPP
Dummy log!! Hi Prashant:) 250421

DMSC Firmware Version 9.2.6-v09.02.06-1-gdf86f (Kool
DMSC Firmware revision 0x9
DMSC ABI revision 3.1

Starting Keywrite  getversioncheck
keys Certificate found: 0x43c16d00

--TIFS_LOGS--
0x4F8A0000
          0x4F8B0000
                    0x4F80001C
                              0x4F8A0000
                                        0x4F8B0000
                                                  0x4F8000C8
                                                            0x4003007
                                                                     0x4400926
                                                                              0x20800000
                                                                                        0x20800001
                                                                                                  0x4F8A00FF
                                                                                                            0x4F8B0001
                                                                                                                      0x4F80001C
                                                                                                                                0x4C40001C
                                                                                                                                          0x4C40001C
                                                                                                                                                    0x4C40001C
                                                                                                                                                              0x4C40001C
                                                                                                                                                                        0x4C40001C
                                                                                                                                                                                  0x4C40001C
                                                                                                                                                                                            0x4C40001C
                                                                                                                                                                                                      0x4C40001C
                                                                                                                                                                                                                0x4C40001C
         0x4C40001C
                   0x4C40001C
                             0x4C40001C
                                       0x4C40001C
                                                 0x4C40001C
                                                           0x4C40001C
                                                                     0x4C40001C
                                                                               0x4C40001C
                                                                                         0x4C40001C
                                                                                                   0x4C40001C
                                                                                                             0x4C40001C
                                                                                                                       0x4F8A00FF
                                                                                                                                 0x4F8B0001
                                                                                                                                           0x4F8000C8
                                                                                                                                                     0x429000
                                                                                                                                                             0x820024
                                                                                                                                                                     0x429000
                                                                                                                                                                             0x820024
                                                                                                                                                                                     0x429000
                                                                                                                                                                                             0x820024
                                                                                                                                                                                                     0x420021
                                                                                                                                                                                                             0x820024
    0x42000C
            0x820024
                    0x4F8A00FF
                              0x4F8B0001
                                        0x4F80001C
                                                  0x4F8A00FF
                                                            0x4F8B0001
                                                                      0x4F8000C8
                                                                                0x420002
                                                                                        0x820024
                                                                                                0x4003007
                                                                                                         0x4400926
                                                                                                                  0x420002
                                                                                                                          0x820024
                                                                                                                                  0x4003007
                                                                                                                                           0x4400926

--TIFS_LOGS--

--TIFS_LOGS--
0x4F8A0000
          0x4F8B0000
                    0x4F80001C
                              0x4F8A0000
                                        0x4F8B0000
                                                  0x4F8000C8
                                                            0x4003007
                                                                     0x4400926
                                                                              0x20800000
                                                                                        0x20800001
                                                                                                  0x4F8A00FF
                                                                                                            0x4F8B0001
                                                                                                                      0x4F80001C
                                                                                                                                0x4C40001C
                                                                                                                                          0x4C40001C
                                                                                                                                                    0x4C40001C
                                                                                                                                                              0x4C40001C
                                                                                                                                                                        0x4C40001C
                                                                                                                                                                                  0x4C40001C
                                                                                                                                                                                            0x4C40001C
                                                                                                                                                                                                      0x4C40001C
                                                                                                                                                                                                                0x4C40001C
         0x4C40001C
                   0x4C40001C
                             0x4C40001C
                                       0x4C40001C
                                                 0x4C40001C
                                                           0x4C40001C
                                                                     0x4C40001C
                                                                               0x4C40001C
                                                                                         0x4C40001C
                                                                                                   0x4C40001C
                                                                                                             0x4C40001C
                                                                                                                       0x4F8A00FF
                                                                                                                                 0x4F8B0001
                                                                                                                                           0x4F8000C8
                                                                                                                                                     0x429000
                                                                                                                                                             0x820024
                                                                                                                                                                     0x429000
                                                                                                                                                                             0x820024
                                                                                                                                                                                     0x429000
                                                                                                                                                                                             0x820024
                                                                                                                                                                                                     0x420021
                                                                                                                                                                                                             0x820024
    0x42000C
            0x820024
                    0x4F8A00FF
                              0x4F8B0001
                                        0x4F80001C
                                                  0x4F8A00FF
                                                            0x4F8B0001
                                                                      0x4F8000C8
                                                                                0x420002
                                                                                        0x820024
                                                                                                0x4003007
                                                                                                         0x4400926
                                                                                                                  0x420002
                                                                                                                          0x820024
                                                                                                                                  0x4003007
                                                                                                                                           0x4400926
                                                                                                                                                    0x409031
                                                                                                                                                            0x800023
                                                                                                                                                                    #
                                                                                                                                                                     # Decrypting extensions..
                                                                                                                                                                                              #
                                                                                                                                                                                               MPK Options:  0x0
                                                                                                                                                                                                                MEK Options:  0x0
                MPK Opt P1:  0x0
                                MPK Opt P2:  0x0
                                                MEK Opt   :  0x0
                                                                Error in Decrypting SMPKH
                                                                                         debug_response:  0x10

--TIFS_LOGS--
Keywriter Debug Response:0x10
Error occured...

    I got this output,could you tell me what might went wrong?

  • +1 in reply to KONG XIANGXU
    TI__Guru 69561 points 
    a@abc:~/ti/mcu_plus_sdk_am62px_10_00_00_14/source/security/sbl_keywriter/scripts/cert_gen/am62px$ ./gen_keywr_cert.sh -t tifek/SR_10/ti_fek_public.pem -b keys/v15/bmpk.pem --bmek keys/bmek.key -s keys/v15/smpk.pem --smek keys/smek.key --keycnt 2 --keyrev 1

    Have you used SDK v10.0 for Keywriter as suggested by this log?

  • 0 in reply to Prashant Shivhare
    Expert 1986 points 

    Drivers_open()

SYSFW Firmware Version 10.0.8--v10.00.08 (Fiery Fox)
SYSFW Firmware revision 0xa
SYSFW ABI revision 4.0

Sciclient_getVersionCheck(1)
Bootloader_Handle bootHandleLinux
Bootloader_Params_init
Bootloader_BootImageInfo_init(&bootImageInfoLinux);
noOfFiles < BOOTLOADER_SD_MAX_NO_OF_FILES
pp_OpenloadableImage(pFiles[noOfFiles]) == SystemP_SUCCESS
bootHandle = Bootloader_open(CONFIG_BOOTLOADER_APP, &bootParams);
bootHandle != NULL
in  Bootloader_getMulticoreImageSize

--- Bootloader Configuration ---
bootMedia:        0xB0070001
bootImageSize:    0 bytes
coresPresentMap:  0x00000000
enableDma:        false
scratchMemPtr:    00000000
socCoreOpMode:    43C275D4
fxns:             43C27064
args:             43C27504

Core Presence Map Interpretation:

--- Bootloader Configuration ---
bootMedia:        0xB0070001
bootImageSize:    0 bytes
coresPresentMap:  0x00000000
enableDma:        false
scratchMemPtr:    00000000
socCoreOpMode:    43C275D4
fxns:             43C27064
args:             43C27504

Core Presence Map Interpretation:
Multicore image size: 0 bytes
Bootloader_Config *bootConfig;
bootConfig->coresPresentMap = 0;
  before Check if the certificate length is within valid range
  after Check if the certificate length is within valid range
  struct tisci_msg_proc_auth_boot_req authReq;
 Sciclient_procBootAuthAndStart(&authReq, SystemP_WAIT_FOREVER);0
  after Bootloader_socAuthImage(certLoadAddr);
Bootloader_parseMultiCoreAppImage
(SystemP_SUCCESS == status) && (TRUE == Bootloader_isCorePresent(bootHandle, CSL_CORE_ID_MCU_R5FSS0_0)
Bootloader_loadCpu(bootHandle, &(bootImageInfo->cpuInfo[CSL_CORE_ID_MCU_R5FSS0_0]));
Image loading status: 0
status = App_loadImages(bootHandle, &bootImageInfo);
noOfFiles++;
noOfFiles < BOOTLOADER_SD_MAX_NO_OF_FILES
pp_OpenloadableImage(pFiles[noOfFiles]) == SystemP_SUCCESS
bootHandle = Bootloader_open(CONFIG_BOOTLOADER_APP, &bootParams);
bootHandle != NULL
in  Bootloader_getMulticoreImageSize

--- Bootloader Configuration ---
bootMedia:        0xB0070001
bootImageSize:    57920 bytes
coresPresentMap:  0x00000001
enableDma:        false
scratchMemPtr:    00000000
socCoreOpMode:    43C275D4
fxns:             43C27064
args:             43C27504

Core Presence Map Interpretation:
  Core 0: Present

--- Bootloader Configuration ---
bootMedia:        0xB0070001
bootImageSize:    57920 bytes
coresPresentMap:  0x00000001
enableDma:        false
scratchMemPtr:    00000000
socCoreOpMode:    43C275D4
fxns:             43C27064
args:             43C27504

Core Presence Map Interpretation:
  Core 0: Present
Multicore image size: 57920 bytes
Bootloader_Config *bootConfig;
bootConfig->coresPresentMap = 0;
  before Check if the certificate length is within valid range
  after Check if the certificate length is within valid range
  struct tisci_msg_proc_auth_boot_req authReq;
 Sciclient_procBootAuthAndStart(&authReq, SystemP_WAIT_FOREVER);0
  after Bootloader_socAuthImage(certLoadAddr);
Bootloader_parseMultiCoreAppImage
Bootloader_loadSelfCpu(bootHandle, &(bootImageInfo->cpuInfo[CSL_CORE_ID_WKUP_R5FSS0_0]));
Bootloader_profileAddProfilePoint(App_loadImages(CSL_CORE_ID_WKUP_R5FSS0_0));
Image loading status: 0
status = App_loadImages(bootHandle, &bootImageInfo);
noOfFiles++;
if(App_OpenloadableImage(BOOTLOADER_SD_A53_APPIMAGE_FILENAME) == SystemP_SUCCESS)
SystemP_SUCCESS == status A1
bootHandleLinux != NUL
in  Bootloader_getMulticoreImageSize

--- Bootloader Configuration ---
bootMedia:        0xB0070001
bootImageSize:    283248 bytes
coresPresentMap:  0x00000002
enableDma:        false
scratchMemPtr:    00000000
socCoreOpMode:    43C275D4
fxns:             43C27064
args:             43C27504

Core Presence Map Interpretation:
  Core 1: Present

--- Bootloader Configuration ---
bootMedia:        0xB0070001
bootImageSize:    283248 bytes
coresPresentMap:  0x00000002
enableDma:        false
scratchMemPtr:    00000000
socCoreOpMode:    43C275D4
fxns:             43C27064
args:             43C27504

Core Presence Map Interpretation:
  Core 1: Present
appImageSize+=Bootloader_getMulticoreImageSize(bootHandleLinux);
  before Check if the certificate length is within valid range
  after Check if the certificate length is within valid range
  struct tisci_msg_proc_auth_boot_req authReq;
 Sciclient_procBootAuthAndStart(&authReq, SystemP_WAIT_FOREVER);0
  after Bootloader_socAuthImage(certLoadAddr);
status = Bootloader_parseMultiCoreAppImage(bootHandle, bootImageInfo);
bootImageInfo->cpuInfo[CSL_CORE_ID_A53SS0_0].clkHz = Bootloader_socCpuGetClkDefault(CSL_CORE_ID_A53SS0_0);
 Bootloader_loadCpu(bootHandle, &(bootImageInfo->cpuInfo[CSL_CORE_ID_A53SS0_0]));0
status = App_loadLinuxImages(bootHandleLinux, &bootImageInfoLinux);
 Bootloader_profileAddProfilePoint(App_loadLinuxImages);
 status = SOC_moduleClockEnable(TISCI_DEV_MMCSD1, 0);Bootloader_profileUpdateAppimageSize(appImageSize);
 SystemP_SUCCESS == status A2
[BOOTLOADER_PROFILE] Boot Media       : SD Card
[BOOTLOADER_PROFILE] Boot Image Size  : 333 KB
[BOOTLOADER_PROFILE] Cores present    :
mcu-r5f0-0
wkup-r5f0-0
a530-0
[BOOTLOADER PROFILE] System_init                      :      25696us
[BOOTLOADER PROFILE] Drivers_open                     :       2889us
[BOOTLOADER PROFILE] Board_driversOpen                :       1464us
[BOOTLOADER PROFILE] Sciclient Get Version            :      10171us
[BOOTLOADER PROFILE] App_loadImages(CSL_CORE_ID_WKUP_R5FSS0_0) :     821231us
[BOOTLOADER PROFILE] App_loadLinuxImages              :     504863us
[BOOTLOADER_PROFILE] SBL Total Time Taken             :    1366316us

Image loading done, switching to application ...
Starting linux and RTOS/Baremetal applications
  int32_t status = SystemP_FAILURE;
  SOC_unlockAllMMR();17:14
  Value of socCpuCores[CSL_CORE_ID_A53SS0_0]: 1
  if(socCpuCores[CSL_CORE_ID_A53SS0_0] == BOOTLOADER_SD_APP_IMAGE_LOADED)
  statuNOTICEs:  B L31:= v2. 10.0(reBleasoe):v2o.10.t0-367-gl00of1ec6b8a7-dirty
NOTdICE:  BeL3r1:_ Built : 16r:09:05,u Fenb  9C 2024
pu(bootHandle, &bootCpuInfo[CSL_CORE_ID_A53SS0_0]);
 status = App_runLinuxCpu(bootHandleLinux, &bootImageInfoLinux);0
Bootloader_close(bootHandleLinux);
 status = App_runCpus(bootHandle);

U-Boot SPL 2024.04-ti-gfda88f8bcea3 (Jul 26 2024 - 11:00:12 +0000)
SYSFW ABI: 4.0 (firmware rev 0x000a '10.0.8--v10.00.08 (Fiery Fox)')
SPL initial stack usage: 1904 bytes
Trying to boot from MMC2
i2c_write: error waiting for data ACK (status=0x116)
pca953x gpio@22: Error reading output register
ti_sci system-controller@44043000: Message not acknowledged
Authentication failed!
### ERROR ### Please RESET the board ###

    Yes,I did. I fix that and got this output.

  • 0 in reply to KONG XIANGXU
    TI__Guru 69561 points

    I take that you are able to program the custom keys successfully!

    For the latest issue, please see if the following workaround helps:

    software-dl.ti.com/.../UG-Memory.html