AM625: AM625 secure boot is not enabled

Part Number: AM625

Dear TI

I'm verifying secure boot according to "AM62X_OTP_Keywriter_User_Guide_11.01.00.pdf"

I installed all the required packages and the SDK and executed the commands below.

4.2.3 Build the Keywriter Certificates

  • ./gen_keywr_cert.sh --msv 0xC0FFE -t tifek/ti_fek_public.pem

Then I could find "final_certificate.bin" in source/security/sbl_keywriter/scripts/cert_gen/x509cert/

4.2.4 Build the example

  • make -sj clean PROFILE=debug && make -sj PROFILE=debug

Then I could find tiboot3.bin in source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang

I set AM625_SK EVM to SD boot mode and boot with this tiboot3.bin

Below is the log from the R5; unfortunately I missed the M4 log, but I can confirm that the debug_response was 0x0000 and the "Success Programming Keys" message appeared.

0x420002
0x820024
0x4003007
0x4400B17
0x409031
0x800023

# Decrypting extensions..
#
MPK Options:  0x0
MEK Options:  0x0
MPK Opt P1:  0x0
MPK Opt P2:  0x0
MEK Opt   :  0x0

SMPKH extension programming disabled
SMEK extension programming disabled
EXT OTP extension programming disabled

* BCH code & MSV: fe0fac8b
JTAG DISABLE programming disabled
KEY CNT extension programming disabled
KEY REV extension programming disabled
SWREV extension programming disabled
FW CFG REV extension programming disabled

* KEYWR VERSION:  0x20000

#
# Programming Keys..
#

* MSV:
[u32] bch + msv:  0x0
Programmed 2/2 rows successfully
[u32] bch + msv:  0x8BAC0FFE

* JTAG DISABLE:
[u32] JTAG DISABLE:  0x0
JTAG DISABLE extension programming disabled
[u32] JTAG DISABLE:  0x0

* SWREV:
[u32] SWREV-SBL:  0x1
[u32] SWREV-SYSFW:  0x1
SWREV extension programming disabled
[u32] SWREV-SBL:  0x1
[u32] SWREV-SYSFW:  0x1

* FW CFG REV:
[u32] SWREV-FW-CFG-REV:  0x1
SWREV SEC BCFG extension programming disabled
[u32] SWREV-FW-CFG-REV:  0x1

* EXT OTP:
EXT OTP extension programming disabled

* BMPKH, BMEK:
BMPKH extension programming disabled
BMEK extension programming disabled

* SMPKH, SMEK:
SMPKH extension programming disabled
SMEK extension programming disabled

* KEYCNT:
[u32] keycnt:  0x0
KEY CNT extension programming disabled
[u32] keycnt:  0x0

* KEYREV:
[u32] keyrev:  0x0
KEY REV extension programming disabled
[u32] keyrev:  0x0

But when I check the boot log with UART boot, it is still HSFS

-----------------------
SoC ID Header Info:
-----------------------
NumBlocks            : 2
-----------------------
SoC ID Public ROM Info:
-----------------------
SubBlockId           : 1
SubBlockSize         : 26
DeviceName           : am62x
DeviceType           : HSFS
DMSC ROM Version     : [0, 1, 0, 1]
R5 ROM Version       : [0, 1, 0, 1]
-----------------------
SoC ID Secure ROM Info:
-----------------------
Sec SubBlockId       : 2
Sec SubBlockSize     : 166
Sec Prime            : 0
Sec Key Revision     : 0
Sec Key Count        : 0
Sec TI MPK Hash      : d68ecb2c055dff11ade95bd927e837d2a53bc23b0a2800cebce4f106bcf309df2213912d77a157a8b7c2df40672a06a918034aa4c7d603e462481475225d49b8
Sec Cust MPK Hash    : ad0bc40b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Sec Unique ID        : c090e3c49076ef1bfab52a03204c9df515e10237962b22e0c8c2fe099281ac1a

Could you check and let me know how to debug it?

BR

Jace
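To check a device's secure-boot state from the SoC ID block the ROM prints during UART boot, here is an added Python helper; it is my example, not TI's tooling. The sample log is constructed from the dump above (hashes shortened), and the comparison against an expected SMPKH value taken from verify_hash.csv is an assumption about that file's content.

```python
import hmac

# Constructed sample in the shape of the ROM "SoC ID" dump shown above
# (hash values shortened; not a real device reading).
SAMPLE_LOG = """\
SoC ID Public ROM Info:
DeviceName           : am62x
DeviceType           : HSFS
SoC ID Secure ROM Info:
Sec Key Revision     : 0
Sec Key Count        : 0
Sec TI MPK Hash      : d68ecb2c055dff11ade95bd927e837d2
Sec Cust MPK Hash    : ad0bc40b000000000000000000000000
"""

# SoC ID label -> key used in the parsed result
FIELDS = {
    "DeviceType": "device_type",
    "Sec Key Revision": "key_rev",
    "Sec Key Count": "key_cnt",
    "Sec Cust MPK Hash": "cust_mpk_hash",
}


def parse_soc_id(log: str) -> dict:
    """Extract the secure-boot related fields from a pasted SoC ID dump."""
    info = {}
    for line in log.splitlines():
        label, sep, value = line.partition(":")
        label = label.strip()
        if sep and label in FIELDS:
            info[FIELDS[label]] = value.strip()
    return info


def hsse_findings(info: dict) -> list:
    """List why the device is still HSFS; an empty list means it reports HSSE
    with a key count and key revision programmed."""
    findings = []
    if info.get("device_type") != "HSSE":
        findings.append("DeviceType is %s, not HSSE" % info.get("device_type"))
    if int(info.get("key_cnt", "0")) == 0:
        findings.append("Sec Key Count is 0: keycnt was never programmed")
    if int(info.get("key_rev", "0")) == 0:
        findings.append("Sec Key Revision is 0: keyrev was never programmed")
    return findings


def cust_mpk_hash_matches(info: dict, expected_hex: str) -> bool:
    """Compare the reported customer MPK hash with the value you expect
    (assumed to come from verify_hash.csv); constant-time compare by habit."""
    return hmac.compare_digest(info.get("cust_mpk_hash", "").lower(), expected_hex.lower())
```

Paste the full UART boot dump in place of SAMPLE_LOG after keywriting to confirm the device actually left HSFS before trusting it to enforce signed images.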

  • Hello,

    But when I check the boot log with UART boot, it is still HSFS

    It is because you have programmed the MSV only. You would have to program the keys along with certain other fields to convert the device to HSSE. Please refer to the "One shot programming" section of the keywriter user guide.

  • Hello Prashant

    I made a new keywriter certificate according to "One shot programming":

     ./gen_keywr_cert.sh -t tifek/ti_fek_public.pem --msv 0xC0FFE -b keys_devel/bmpk.pem --bmek keys_devel/bmek.key -s keys_devel/smpk.pem --smek keys_devel/smek.key --keycnt 2 --keyrev 1
    
    # Using MSV[19:0]: 0x000C0FFE
    # Using Key Count: 0x00000003
    # Using Key Rev: 0x00000001
    Generating Dual PKCS#1v1.5 signed certificate!!
    GEN: AES256 key generated, since not provided
    # encrypt aes256 key with tifek public part
    # encrypt SMPK-priv signed aes256 key(hash) with tifek public part
    # encrypt smpk-pub hash using aes256 key
    # encrypt smek (sym key) using aes256 key
    # encrypt BMPK-priv signed aes256 key(hash) with tifek public part
    # encrypt bmpk-pub hash using aes256 key
    # encrypt bmek (sym key) using aes256 key
    1668    secondary_cert.bin
    5413    primary_cert.bin
    7081    ../x509cert/final_certificate.bin
    # SHA512 Hashes of keys are stored in verify_hash.csv for reference..

    But when I tried to boot with this binary it caused an error like the one below.

    Starting Keywriting
    Enabled VPP

    SYSFW Firmware Version 11.1.7-v11.01.07_am62x_keywrite
    SYSFW Firmware revision 0xb
    SYSFW ABI revision 4.0

    keys Certificate found: 0x43c15800
    Keywriter Debug Response:0x42000000
    Error occured...

    I used the same board on which I had executed the binary that programmed the MSV only.

    Should I use a new board that has never run the keywriter?

    BR

    Jace

  • I used the same board on which I had executed the binary that programmed the MSV only.

    Since you had already programmed the MSV, please skip programming it by removing the "--msv" option in the new certificate.

  • Hello Prashant

    I could write all the OTP data successfully, and the board booted up with an image signed with the default key.

    Thank you for your help

    BR

    Jace