[FAQ] TDA4AL-Q1: Reference code to update keyrev using OPTEE

Part Number: TDA4AL-Q1


Help with the reference code to update the KEYREV using optee.

  • Key Revision Update Process in OPTEE

    Overview

    This guide provides a comprehensive walkthrough for updating key revisions using OPTEE, involving certificate generation, trusted application creation, and client application implementation.

    Detailed Steps

    1. Dual Signed Certificate Generation

    Objective: Create a certificate with a two-level signing mechanism

    • Primary certificate signed with SMPK (Primary Keys)
    • Secondary certificate signed with BMPK (Backup Keys)

    Certificate Generation Process

    1. Use this script to generate the dual signed certificate:
      python3 dualCertGen.py -s smpk.pem -b bmpk.pem
    2. The above script generates a certificate in binary format. Convert the binary to ".h" format using:
      xxd -i dual_cert_keyrev.bin > keycert.h

    2. Trusted Application Development

    Preparation:

    • Develop trusted application for key revision handling
    • Reference File: https://e2e.ti.com/cfs-file/__key/communityserver-discussions-components-files/791/0001_2D00_OPTEE_2D00_OS_2D00_Trsuted_2D00_application_2D00_to_2D00_handle_2D00_key_2D00_rev_2D00_updat.patch

    Critical Consideration:

    • The dual signed cert is copied to OCMC memory (0x41CFEFFF) before calling the TIFS API.
      Make sure you change this accordingly if you are already using the mentioned address range (0x41CFEFFF).

    3. Client Application Creation

    Implementation:

    • Develop client application for dual signed certificate transmission
    • Reference File: https://e2e.ti.com/cfs-file/__key/communityserver-discussions-components-files/791/0001_2D00_OPTEE_2D00_Example_2D00_Add_2D00_client_2D00_application_2D00_to_2D00_send_2D00_dual_2D00_si.patch

    Key Requirements:

    • Utilize keycert.h (converted dual signed certificate in #STEP1)
    • Ensure proper integration with trusted application

    4. Compilation and Deployment Steps

    1. Compile OPTEE OS following the SDK documentation.
    2. Compile the client application.
    3. Copy the client application to the root file system.

    5. Verification Process

    1. Boot the target device.
    2. Enable VPP.
    3. Execute /optee_example_otp_keyrev
    4. When the above application reports success, the key rev is updated.
    5. To verify this, follow the steps mentioned in the FAQ. You should see the updated value of the keyrev as shown below.

      Before Keyrev update:
      -----------------------
      SoC ID Header Info:
      -----------------------
      NumBlocks            : 2
      -----------------------
      SoC ID Public ROM Info:
      -----------------------
      SubBlockId           : 1
      SubBlockSize         : 26
      DeviceName           : j7aep
      DeviceType           : HSSE
      DMSC ROM Version     : [0, 1, 0, 1]
      R5 ROM Version       : [0, 1, 0, 1]
      -----------------------
      SoC ID Secure ROM Info:
      -----------------------
      Sec SubBlockId       : 2
      Sec SubBlockSize     : 166
      Sec Prime            : 0
      Sec Key Revision     : 1
      Sec Key Count        : 2
      Sec TI MPK Hash      : bf0efb75bade39aa63eab5514b98ebda84cb1dd8a35e07b7a0f473760592a465d82f4945ee60da406209b1748f16074e47ccd30cea5c2ba494eca747ad876d1c
      Sec Cust MPK Hash    : 1f6002b07cd9b0b7c47d9ca8d1aae57b8e8784a12f636b2b760d7d98a18f189760dfd0f23e2b0cb10ec7edc7c6edac3d9bdfefe0eddc3fff7fe9ad875195527d
      Sec Unique ID        : 8ed01cc5eafff89affa2b44942b8659ff5c57a2159878c3cbfb656c78c130699

      After keyrev update:
      -----------------------
      SoC ID Header Info:
      -----------------------
      NumBlocks            : 2
      -----------------------
      SoC ID Public ROM Info:
      -----------------------
      SubBlockId           : 1
      SubBlockSize         : 26
      DeviceName           : j7aep
      DeviceType           : HSSE
      DMSC ROM Version     : [0, 1, 0, 1]
      R5 ROM Version       : [0, 1, 0, 1]
      -----------------------
      SoC ID Secure ROM Info:
      -----------------------
      Sec SubBlockId       : 2
      Sec SubBlockSize     : 166
      Sec Prime            : 0
      Sec Key Revision     : 2
      Sec Key Count        : 2
      Sec TI MPK Hash      : bf0efb75bade39aa63eab5514b98ebda84cb1dd8a35e07b7a0f473760592a465d82f4945ee60da406209b1748f16074e47ccd30cea5c2ba494eca747ad876d1c
      Sec Cust MPK Hash    : 1f6002b07cd9b0b7c47d9ca8d1aae57b8e8784a12f636b2b760d7d98a18f189760dfd0f23e2b0cb10ec7edc7c6edac3d9bdfefe0eddc3fff7fe9ad875195527d
      Sec Unique ID        : 8ed01cc5eafff89affa2b44942b8659ff5c57a2159878c3cbfb656c78c130699


    6. Reference:

    1. software-dl.ti.com/.../otp_revision.html


    Regards
    Diwakar
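
    An added example, not part of the original post or of TI's tooling: a Python check for the verification step that parses the before/after SoC ID dumps and confirms that the key revision reached the expected value while every other field (device type, MPK hashes, unique ID, key count) stayed the same. The function names and the sample dumps are constructed for illustration.

```python
import re

# "Name : value" lines; section titles (trailing ':') and dashed rules do not match.
FIELD = re.compile(r"^\s*([A-Za-z][\w ]*?)\s*:\s*(\S.*?)\s*$")
KEYREV = "Sec Key Revision"

def parse_soc_id(text):
    """Turn a SoC ID dump into {field name: value string}."""
    return {m.group(1): m.group(2)
            for m in map(FIELD.match, text.splitlines()) if m}

def check_keyrev_update(before, after, expected_rev):
    """Return a list of problems; an empty list means the update looks right."""
    b, a = parse_soc_id(before), parse_soc_id(after)
    problems = []
    if KEYREV not in b or KEYREV not in a:
        return [f"'{KEYREV}' missing from a dump"]
    if int(a[KEYREV]) != expected_rev:
        problems.append(f"{KEYREV} is {a[KEYREV]}, expected {expected_rev}")
    # Everything except the revision (device type, MPK hashes, unique ID,
    # key count) should be identical: a difference means the dumps are from
    # different devices or something other than the revision changed.
    for name in sorted(set(b) | set(a)):
        if name != KEYREV and b.get(name) != a.get(name):
            problems.append(f"{name} changed: {b.get(name)!r} -> {a.get(name)!r}")
    return problems

# Constructed sample dumps in the layout shown above (values are placeholders).
TEMPLATE = """\
-----------------------
SoC ID Public ROM Info:
-----------------------
DeviceName           : j7aep
DeviceType           : HSSE
-----------------------
SoC ID Secure ROM Info:
-----------------------
Sec Key Revision     : {rev}
Sec Key Count        : 2
Sec Cust MPK Hash    : {hash}
Sec Unique ID        : 00112233
"""
BEFORE = TEMPLATE.format(rev=1, hash="aabbccdd")
AFTER = TEMPLATE.format(rev=2, hash="aabbccdd")

if __name__ == "__main__":
    print(check_keyrev_update(BEFORE, AFTER, expected_rev=2) or "keyrev update OK")
```

    Save the real dumps captured before and after running the client application and pass their contents in place of the constructed BEFORE and AFTER strings.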