AM623: How to use tifs to verify authenticate signed customer files, non-app files in SPL boot mode

Biao Li

Part Number: AM623

Tool/software:

Hi Expert,

My customer wants to use secure boot method to authenticate some special customer file in file system, can you help give some guide to me? How to achieve this?

BR,

Biao

23 days ago

0 Hong Guan64 23 days ago

TI__Guru 68420 points

Hi Biao,
yes, it is possible to verify the signed binary blob in SPL/u-boot.
1/. The core function on signaure verification
https://git.ti.com/cgit/ti-u-boot/ti-u-boot/tree/arch/arm/mach-k3/security.c?h=11.01.10#n72
2/. TIFS TISCI API on signature verification
https://software-dl.ti.com/tisci/esd/latest/2_tisci_msgs/security/PROC_BOOT.html#proc-boot-authenticate-image-and-configure-processor
3/. how to sign binary blob
- Linux SDK 9.x onwards
BINMAN is used to sign binary blob for SPL/u-boot
https://git.ti.com/cgit/ti-u-boot/ti-u-boot/tree/arch/arm/dts/k3-binman.dtsi?h=11.01.10

- Linux SDK 8.x
Signing binary blob (after tiboot3.bin) is via "secure-binary-image.sh" which is accessible at
https://git.ti.com/cgit/security-development-tools/core-secdev-k3/tree/scripts
Here is an early e2e on how to sign binary blob with "secure-binary-image.sh" for your reference.
RE: AM625: tiboot3.bin UART/Xmodem file transfer

Best,
-Hong

Processors

Processors forum

AM623: How to use tifs to verify authenticate signed customer files, non-app files in SPL boot mode