AM625: AM625 Secure Boot with Custom Keys – Full Process Confirmation

Part Number: AM625

Hi TI team,

I’d like to get a detailed confirmation on the secure boot flow using custom keys for the AM625 device.

Here is my current setup and what I’ve done so far:

  • I have already fused one SOM to HS-SE using the TI dummy keys, and that device boots successfully with images signed using the dummy keys.

  • As an experiment, I generated custom keys using the OTP keywriter (-g) command and created an otp-keywriter.bin.

  • I understand from your previous reply on the last thread that the OTP keywriter binary can only be used on HS-FS devices, not HS-SE, and that once the device is converted to HS-SE the key fuses are locked.

 

Now I want to implement the complete secure boot flow with my own custom keys on a fresh HS-FS custom SOM.

Below are the steps, already mentioned in the TI secure boot guide, that I plan to follow. Could you please review them and confirm if this sequence is correct, or let me know if any changes are needed?

Planned Steps for Secure Boot with Custom Keys 

cd $SDK_DIR/source/security/sbl_keywriter/scripts/cert_gen/am62x

1. Generate your RSA-4096 production key pairs:

    ./gen_keywr_cert.sh -g

2. Generate a full provisioning certificate for inspection:

    ./gen_keywr_cert.sh \
      -t tifek/ti_fek_public.pem \
      --msv 0xC0FFE \
      -b keys_devel/bmpk.pem \
      --bmek keys_devel/bmek.key \
      -s keys_devel/smpk.pem \
      --smek keys_devel/smek.key \
      --keycnt 2 \
      --keyrev 1

3. Convert the certificate binary to .h format:

    python3 ../../../../../tools/bin2c/bin2c.py final_certificate.bin keycert.h KEYCERT

4. In the following directory: /source/security/sbl_keywriter/am62ax-sk/r5fss0-0_nortos/ti-arm-clang

   Clean:

    make -sj clean PROFILE=debug

   Then run:

    make -sj PROFILE=debug

5. Flash and run the otp-keywriter.bin on the HS-FS device to fuse the generated keys into OTP.

6. Rebuild all boot components (tiboot3.bin, SPL/U-Boot, and FIT image) signed with the same custom key set.

7. Verify boot on HS-FS — confirm that images signed with custom keys boot correctly.

8. Convert device to HS-SE mode to permanently enforce secure boot with custom keys.

9. After conversion, test DFU and boot flow again to ensure only images signed with my custom keys are accepted.

Additional Clarification

For building the R5 and A53 boot components (tiboot3.bin, SPL/U-Boot, and FIT image),
please confirm if the correct method is simply to copy the key folder (generated by the OTP keywriter)
and place it in the paths used by the respective build systems, e.g.: 

$ cp source/security/sbl_keywriter/scripts/cert_gen/am62x/keys  UBOOT_PATH/board/ti/keys

so that each build stage automatically picks the same custom key set during the signing process.

Is this the right approach to ensure all boot binaries are signed with the same fused key set?

 

Can you please confirm if the above sequence is correct and whether any additional steps or     
   configurations are required for AM625?  

thanks and regards,

Kapil.              

 

  • Hi Kapil,
    Yes, the outlined steps look good.
    1/. HS-FS conversion to HS-SE happened in step 5, Step 7/step 8 are not needed.
    2/. The key folder "u-boot/arch/march-k3/keys/" in the newer Linux SDK
    Best,
    -Hong

  • Hello Hong,
    Thank you for the clarifications and for confirming the secure-boot steps. I have one more question regarding the Keywriter keys and the U-Boot keys.

    During Keywriter certificate generation, I am using the keys located in the MCU+ SDK, for example:

    • smpk.pem, smpk.key

    • bmpk.pem, bmpk.key

    But in the Processor SDK (U-Boot) path under board/ti/keys/, there are different key files such as:

    • custMpk.pem

    • custMpk.key

    • custMpk.cert

    • ti-digenerate-key.pem

    Following your previous guidance, I understand that I can copy the Keywriter keys (SMPK, etc.) into the U-Boot board/ti/keys/ folder for FIT signing.

    I want to understand the correct relation between these two sets of keys:

    • U-Boot expects key files with names like custMpk.pem, while the Keywriter keys are named smpk.pem, etc. Does U-Boot care about the file names, or only the key content?

    • The Keywriter certificate includes BMPK, BMEK, and SMEK keys, but U-Boot signing only uses SMPK. Is this the expected and correct behavior for the secure boot image chain?

    Thank you again for your support.

    Regards,

    Kapil.

  • U-Boot expects key files with names like custMpk.pem, while the Keywriter keys are named smpk.pem, etc. Does U-Boot care about the file names, or only the key content?

    One simple option is copying/renaming your own RSA root key you used for key programming to "custMpk.pem" under "u-boot/arch/march-k3/keys/" in the newer Linux SDK.
    - "cp -p custMpk.pem custMpk.key"
    - "openssl req -batch -new -x509 -key custMpk.key -out custMpk.crt"

    The Keywriter certificate includes BMPK, BMEK, and SMEK keys, but U-Boot signing only uses SMPK. Is this the expected and correct behavior for the secure boot image chain?

    Yes, SMEK/BMEK are not used in Linux SDK as only binary integrity verification is supported with SMPK/BMPK, but not binary decryption with SMEK/BMEK in Linux SDK secure boot flow.

    Best,
    -Hong
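
Whether the file name matters is secondary to whether every file U-Boot signs with holds the same RSA key that was given to the keywriter. The script below is an added example, not from the thread or TI's SDK: it compares public-key fingerprints across the root key and the three custMpk files. The function names, the `uboot` demo directory and the throwaway 2048-bit key are assumptions made for illustration.

```shell
#!/bin/sh
# pub_fpr FILE: print the SHA-256 of the DER public key held in a PEM private
# key, public key or X.509 certificate. Assumes unencrypted PEM input.
pub_fpr() {
    if grep -qs 'BEGIN CERTIFICATE' "$1"; then
        pem=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    elif grep -qs 'PRIVATE KEY' "$1"; then
        pem=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    else
        pem=$(openssl pkey -pubin -in "$1" -pubout 2>/dev/null)
    fi
    [ -n "$pem" ] || return 1   # never hash empty input: two bad files would "match"
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# check_keyset ROOT_KEY UBOOT_KEY_DIR: return 0 only if custMpk.pem, custMpk.key
# and custMpk.crt all carry the public key of ROOT_KEY (the key handed to the keywriter).
check_keyset() {
    ref=$(pub_fpr "$1") || { echo "cannot read root key $1" >&2; return 2; }
    rc=0
    for f in custMpk.pem custMpk.key custMpk.crt; do
        got=$(pub_fpr "$2/$f") || got=unreadable
        if [ "$got" = "$ref" ]; then
            echo "OK        $f"
        else
            echo "MISMATCH  $f"; rc=1
        fi
    done
    return "$rc"
}

# make_demo_keys DIR: constructed throwaway 2048-bit key set (not production
# keys) built with the cp / openssl req steps from the reply; -subj is added
# here so the demo does not depend on a local openssl.cnf.
make_demo_keys() {
    mkdir -p "$1/uboot" &&
    openssl genrsa -out "$1/smpk.pem" 2048 2>/dev/null &&
    cp -p "$1/smpk.pem" "$1/uboot/custMpk.pem" &&
    cp -p "$1/uboot/custMpk.pem" "$1/uboot/custMpk.key" &&
    openssl req -batch -new -x509 -key "$1/uboot/custMpk.key" \
        -subj "/CN=constructed-demo" -out "$1/uboot/custMpk.crt" 2>/dev/null
}

# Usage: sh check_keyset.sh keys/smpk.pem /path/to/u-boot/keys
if [ $# -eq 2 ]; then check_keyset "$1" "$2"; fi
```

Running the check before the fuse step and again before each signed build catches a stale or regenerated key while the device is still HS-FS.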

  • Hello Hong,

    Thank you for your previous guidance regarding using our RSA root key in Processor SDK. I would like to confirm one specific point to ensure I follow the secure boot flow correctly.

    In MCU+ SDK, the provided keys are:

    smpk.pem, smek.key
    bmpk.pem, bmpk.key, aes256.key

    I notice that there is no smpk.key (private key) provided.

    My current understanding of the flow is:

    1. We run ./gen_keywr_cert.sh -g to generate the 5 keys (SMPK, BMPK, SMEK, BMEK, AES key). After this step, the SMPK private key is missing.

    2. For Processor SDK, we need to copy/rename the key as custMpk.key and custMpk.pem.

    My question for confirmation:

    • Should I generate the SMPK private key (smpk.key) manually (using OpenSSL) and place it inside the MCU+ SDK /keys path before proceeding?

    • For reference, OpenSSL 1.1.1 to generate the key and certificate:
            openssl genrsa -out smpk.key 4096
            openssl req -batch -new -x509 -key smpk.key -out smpk.pem
    • Then, as per your earlier instructions, can I copy/rename it as custMpk.key and generate custMpk.crt for Processor SDK signing of SPL, U-Boot, and FIT images?

    In other words, I want to confirm that the private key must exist in MCU+ SDK for OTP/fuse certificate generation and then can be reused in Processor SDK for image signing, ensuring full alignment with the official secure boot flow.

    Thank you for your clarification.

    Best regards,

    -Kapil.

  • Hi Kapil,

    Yes, your understanding is correct that the customer private key is generated with the script "./gen_keywr_cert.sh -g", and the generated private key is used for the signing process as we discussed.

    Best, 

    -Hong

  • Hello Hong, 

    We have done the OTP keywriting part and fused the tiboot3.bin (OTP keywriter binary) to the SoC.

    SoC:   AM62X SR1.0 HS-SE
    Model: Texas Instruments AM625 SK
    

    These UART log lines from the terminal output show that the SoC is converted to HS-SE, so we moved forward and did the following steps, but after switching the boot mode we are unable to get any UART logs on the terminal.

    1. Flash R5 and A53 U-Boot files (tiboot3-am62x-hs-evm.bin, tispl.bin, u-boot.img and raw files)

    2. Flash Ext4 with valid fitimage

    Via DFU 

    But after this we enter Ctrl-C and enter the commands below:
    mmc partconf 0 1 1 1
    mmc bootbus 0 2 0 0

    Until this point the terminal is showing UART logs, but after changing the switch mode and starting the device we can't see any output on the terminal.

    We are unable to find the reason why the UART logs are not showing.

    Please help us with this.

    Best Regards,

    Kapil.

  • Hi Kapil,

    These UART log lines from the terminal output show that the SoC is converted to HS-SE, so we moved forward and did the following steps, but after switching the boot mode we are unable to get any UART logs on the terminal.

    1. Flash R5 and A53 U-Boot files (tiboot3-am62x-hs-evm.bin, tispl.bin, u-boot.img and raw files)

    2. Flash Ext4 with valid fitimage

    Via DFU 

    You were able to flash the image via DFU, is my understanding correct?
    Best,
    -Hong

  • Hello Hong,

    Yes, we are able to flash the image via DFU.

    As there was no reply on this thread for many days, we created a new thread and shared more details there:

    https://e2e.ti.com/support/processors-group/processors/f/processors-forum/1600587/am625-am62x-hs-se-custom-keys-dfu-flashing-succeeds-but-no-uart-output-after-switching-to-emmc-boot

    We also discussed this with Prashant. We need your support to proceed further as this is urgent for production.

    Thank you for your support.

  • Hi Kapil,
    Most of TI team (Prashant & myself) were on holiday vacation, and I'm currently travelling.
    Let's close this e2e, and continue our discussions in the new e2e.
    Best,
    -Hong


  • Understood, thanks for the update Hong. We’ll close this E2E and continue the discussion in the new E2E thread going forward.

    Thanks for your support.