PROCESSOR-SDK-J721E: tda4evm

Notes:

Documentation I referred to on "From these documentation:"

https://www.ti.com/lit/an/sprad04/sprad04.pdf?ts=1710220582340&ref_url=https%253A%252F%252Fwww.google.com%252F

https://e2e.ti.com/support/processors-group/processors/f/processors-forum/1061584/faq-tda4vm-hs-building-booting-on-hs-devices-on-latest-linux-sdk

Hi 

Mac Alfred Pinnock-Chacon said:

b. I have a GP processor, I would be able to boot the board? I have to wait until get the HS-FS device to convert it to HS-SE with the keywritter, but I would like to be one step further on the testing.

The above binary is a keywriter application whose job is to burn the data into the effuse like root trust keys,MSV.SWREV..etc. You cant run keywriter tool into GP devices. you have to use HS device for the same.

You can refer to the PDK documentation in order to understand keywriter process:

• https://software-dl.ti.com/jacinto7/esd/processor-sdk-rtos-jacinto7/08_02_00_05/exports/docs/pdk_jacinto_08_02_00_21/docs/userguide/jacinto/modules/keywriter.html
• https://software-dl.ti.com/tisci/esd/latest/6_topic_user_guides/key_writer.html

Thought the pdk documentation is referring ti older 8.2 sdk but this is valid for newer sdk as well.

Mac Alfred Pinnock-Chacon said:

a. The documentation seems to be not updated, and I'm currently working over SDK 10. I checked that the patch they refer it's already implemented on the SDK, so far so good. But some things, like the changes on Rules.make, no longer apply because the names of the defconfigs changed. Could you provide the right ones?

From SDK 9.X onwards it uses binman to package and sign the binary. How to package and sign the binary defined in the arch/arm/dts/k3-j721e-binman.dtsi file.

You need to replace the keys accordingly . Customer can place their keys at <Linux_SDK>/board-support/ti-u-boot/arch/arm/mach-k3/keys. Using binman flow it will generate the image for all soc type (GP,HS-FS,HS-SE), if the corresponding node is present in binmain dtsi.

Mac Alfred Pinnock-Chacon said:

b. How does the platform verify those new boot files x509 certificate if the certificate created on psdkra doesn't exist in psdkla because in no step is mentioned to copy anything from side to side?

Question is not very clear to me , what is your boot flow can you add more details over here.

Regards
Diwakar

Hi,

Regarding question 1.a I will suppose that my supposition is right.

About question 2.b, the question was answered by you in answer for question 2.a, thanks.

For your answer for my question 2.a, I have a new question:

I checked the source code, and the k3-j721e-binman.dtsi file only refers to custMPK.pem, available on arch/arm/mach-k3/keys. How do I get that .pem file from the x509 certificate I created with the gen_keywr_cert.sh script? Or can I change custMPK.pem to custMPK.key and then use the AES 256 key I used to create the x509 certificate?

Thanks in advance for your answers.

Hi

Will respond you within 2 days on this.

Regards
Diwakar

Hi

Mac Alfred Pinnock-Chacon said:

How do I get that .pem file from the x509 certificate I created with the gen_keywr_cert.sh script?

This script is to generate the keywriter certificate blob, your question is not clear to me.

you should have smpk key before generating the blob , you will pass the key as an argument to the script like below:

./gen_keywr_cert.sh -s keys/smpk.pem --smek keys/smek.key -b keys/bmpk.pem --bmek keys/bmek.key -t ti_fek_public.pem -a keys/aes256.key

if the keys are not provided to script, it will generate the random keys.

I would suggest you to go through below script to get better understanding. 

• generate_test_binaries.sh
• gen_keywr_cert.sh

Regards
Diwakar

Hi,

I was running the script with only the -t and -a options, omitting the other options.

So that means, that every time I run the command with only those 2 options I mentioned, the script will automatically generate random keys of the other options for -s, -smek, etc options?

In case I generate manually the smpk.pem key, are you sure that this is the file that will go into arch/arm/mach-k3/keys directory? Why not the bmpk.pem key file?

Best regards,

Alfred Pinnock.

Hi Alfred,

Mac Alfred Pinnock-Chacon said:

So that means, that every time I run the command with only those 2 options I mentioned, the script will automatically generate random keys of the

Yes script will internally generate the random root of trust keys if you are not providing as an argument to the script.

you can also check the same in logs while generating the certificate blob.

Mac Alfred Pinnock-Chacon said:

In case I generate manually the smpk.pem key, are you sure that this is the file that will go into arch/arm/mach-k3/keys directory? Why not the bmpk.pem key file?

Right now in the default sdk we are using TI dummy development keys. You can compare the keys present in pdk/packages/ti/boot/keywriter/scripts/keys/smpk.pem with the key present in arch/arm/mach-k3/keys/

Mac Alfred Pinnock-Chacon said:

Why not the bmpk.pem key file?

BMPK is a backup key. By any means if your primary root trust keys(smpk) get compromised. you can use this backup keys in that case to authenticate the images.

Suggest you to go through  below document along with the reference link shared earlier to get better understanding of the flow:

https://www.ti.com/lit/an/sprad04/sprad04.pdf?ts=1752120035890&ref_url=https%253A%252F%252Fwww.google.com%252F

Regards
Diwakar