DRA821U: DRA821 J7200 customer key programming binding problem

Rich Chen

Part Number: DRA821U
Other Parts Discussed in Thread: DRA821

Tool/software:

Dear champ,

My customer has much experience on security and have done development on TI AM62x and AM64x respectively with secure boot.

Customer uses HSM machine for key store and signing so they have created procedure to get their private key from HSM and work with AM62x and AM64x without problem.

TI sign example uses private key store in computer which is not practice to real user case.

Now the question from customer is about the procedure or sign difference between Jacinto and Sitara product and which could be the missing or different part in creating final image.

OTP key writer has been programmed onto DRA821 successfully per the log been parsed via UART boot.

Please help to check if any step is missing or incorrect if possible.

Secondary, we would like to arrange a remote desktop meeting to check the procedure virtually if we cannot find root cause via e2e.

Feel free to advice any information or possible log you could check. It is a little difficult to describe the issue without much logs. Thanks!

Customer Steps:

Create J7200 final_certificate.bin (method same as Am62x and Am64x)
Cover ./pdk_j7200_11_00_00_21/packages/ti/boot/keywriter/x509cert/final_certificate.bin of MCU SDK
cd pdk_j7200_11_00_00_21/packages/ti/build/
make keywriter_img_combined BOARD=j7200_evm
Boot by /home/alvin/ti_j7200_otp/pdk_j7200_11_00_00_21/packages/ti/boot/keywriter/binary/j7200/keywriter_img_combined_j7200_release.tiimage (Uart boot mode)

get message that J7200 HSFS -> HSSE

-----------------------

SoC ID Header Info:

-----------------------

NumBlocks : [2]

-----------------------

SoC ID Public ROM Info:

-----------------------

SubBlockId : 1

SubBlockSize : 26

DeviceName : j7vcl

DeviceType : HSSE

DMSC ROM Version : [0, 2, 1, 1]

R5 ROM Version : [0, 2, 1, 1]

-----------------------

SoC ID Secure ROM Info:

-----------------------

Sec SubBlockId : 2

Sec SubBlockSize : 166

Sec Prime : 0

Sec Key Revision : 1

Sec Key Count : 2

Sec TI MPK Hash : 04a0cc3e38a1aa0a31fad2423895bfc21ffc7da765dff4aa6e0991fb6e197442ae4d3becef35fe5ed4b63abbcc45c3ecca5ce97ad552fb882fc0eb008c9e5ce2

Sec Cust MPK Hash : e15337a70e7c89e34f000170caaa99db7c7c27fba4eeb51bc14944965a2db965a26c035f3af08900512ee0ab4b815902798029cdc9d674e77004bf5824104fe3

Sec Unique ID : a214e17fefa9e4c55f992e2b4c61b3bbc61c724737fe4075c7bf8e2646d7648d

Q1: Just have to replace file "final_certificate.bin" the keywriter_img_combined_j7200_release.tiimage will burn my public key hash ?

Q2: I build the uboot for HSSE by ti-fs-firmware-j7200_sr2-hs-cert.bin ,ti-fs-firmware-j7200_sr2-hs-enc.bin and sign with the private Key (final_certificate.bin) but it do not work (It had no log message). Steps same as J7200 HSFS.

Q3: How the make sure "Sec Cust MPK Hash" ??

BR, Rich

1 month ago

0 Diwakar Dhyani 1 month ago

TI__Guru 56415 points

Hi Rich,

Is it possible for you to share the tiboot3.bin signed binary as well?

Regards
Diwakar

0 Alvin Chen 1 month ago in reply to Diwakar Dhyani

Intellectual 400 points

tiboot3.txt

Hi Ti

0 Diwakar Dhyani 1 month ago in reply to Alvin Chen

TI__Guru 56415 points

Hi Alvin,

The binary which you shared is signed with TI dummy key while you have flash custom key on the board that is the reason it is not booting.

You have to use your own private key to sign the image.

Regards
Diwakar

0 Alvin Chen 1 month ago in reply to Diwakar Dhyani

Intellectual 400 points

Hi Ti

Can you tell me the Ti dummy key path?? Or you just upload it here.

0 Alvin Chen 1 month ago in reply to Alvin Chen

Intellectual 400 points

Is it here pdk_j7200_11_00_00_21/packages/ti/build/makerules/k3_dev_mpk.pem ???

0 Diwakar Dhyani 1 month ago in reply to Alvin Chen

TI__Guru 56415 points

Path for TI dummy private key in RTOS and linux sdk are as below:

<RTOS_SDK>/<PDK>/packages/ti/build/makerules/k3_dev_mpk.pem
<llinux_SDK>/board-support/<UBOOT>/board/ti/keys/custMpk.pem if you are using SDK older than 9.x path will be <llinux_SDK>/board-support/core-secdev-k3/keys/custMpk.pem

Regards
Diwakar

0 Alvin Chen 1 month ago in reply to Alvin Chen

Intellectual 400 points

Or give me your tiboot3.bin signed with Ti dummy key . Let me vertify my secure boot .

0 Diwakar Dhyani 1 month ago in reply to Alvin Chen

TI__Guru 56415 points

You custom board is signed with the different key how it is going to work with the image signed with TI dummy key ?

Regards
Diwakar

0 Rich Chen 1 month ago in reply to Diwakar Dhyani

TI__Expert 4160 points

Diwakar,

This is TI FAE again.

Alvin can program TI dummy key onto their custom board and try to verify the image he signed.

As mentioned, he implemented secure boot on AM62x and AM64x and there could be some difference offering or procedure in DRA821 compare to Sitara SOC.

One question from myself, how can you tell "customer tiboot3.bin binary is signed with TI dummy key while you have flash custom key on the board"?

Can this be tell from the content of binary file?

BR, Rich

0 Diwakar Dhyani 1 month ago in reply to Rich Chen

TI__Guru 56415 points

Hi Rich,

XX509 certificate in the image contain the public key, I checked that and compared the hash of it with the TI dummy key hash, which was same.

TI Public dummy key hash:1f6002b07cd9b0b7c47d9ca8d1aae57b8e8784a12f636b2b760d7d98a18f189760dfd0f23e2b0cb10ec7edc7c6edac3d9bdfefe0eddc3fff7fe9ad875195527d

if it is correctly signed has should match with the SMPK (hash) fused into effuses.

Regards
Diwakar

Processors

Processors forum

DRA821U: DRA821 J7200 customer key programming binding problem