
AM625: AM625 Signed Kernel and DTB authentication

Part Number: AM625

Dear TI

I'm using "ti-processor-sdk-linux-am62xx-evm-09.02.01.09" and verifying secure boot.

I could change the HSFS device to HSSE and succeeded in booting with a signed boot loader and fitImage.

But I'm not quite sure whether it also passes the authentication of the signature of the kernel and dtb.

The log below is a part of the boot log when it loads the fit image, but I could not find any "authentication pass" message.

8408726 bytes read in 105 ms (76.4 MiB/s)
name_fit_config=conf-ti_k3-am625-sk.dtb
## Loading kernel from FIT Image at 90000000 ...
   Using 'conf-ti_k3-am625-sk.dtb' configuration
   Verifying Hash Integrity ... sha512,rsa4096:custMpk+ OK
   Trying 'kernel-1' kernel subimage
     Description:  Linux kernel
     Type:         Kernel Image
     Compression:  gzip compressed
     Data Start:   0x900000f4
     Data Size:    8216626 Bytes = 7.8 MiB
     Architecture: AArch64
     OS:           Linux
     Load Address: 0x81000000
     Entry Point:  0x81000000
     Hash algo:    sha512
     Hash value:   c1014b2ff3bfe7d7285c4963a710a6a0357476583da55eaedfe5dec8e719dd895092935b0f8a38a29a45ee763fe8cd17eb4dca5dc9cf65a69127e707f215b785
   Verifying Hash Integrity ... sha512+ OK
## Loading fdt from FIT Image at 90000000 ...
   Using 'conf-ti_k3-am625-sk.dtb' configuration
   Verifying Hash Integrity ... sha512,rsa4096:custMpk+ OK
   Trying 'fdt-ti_k3-am625-sk.dtb' fdt subimage
     Description:  Flattened Device Tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x907e5230
     Data Size:    59546 Bytes = 58.2 KiB
     Architecture: AArch64
     Load Address: 0x83000000
     Hash algo:    sha512
     Hash value:   f05cc2def183826a0634e6ab99feb93a1ce63835ff8ba604c83493d9ac3f8498a75cdeb41b76342fda8f7f6cd7a6dd824eaa109021245420331b6fbea214c2c2
   Verifying Hash Integrity ... sha512+ OK
   Loading fdt from 0x907e5230 to 0x83000000
   Booting using the fdt blob at 0x83000000
Working FDT set to 83000000
   Uncompressing Kernel Image
   Loading Device Tree to 000000008ffee000, end 000000008ffff899 ... OK
Working FDT set to 8ffee000
Starting kernel ...

Could you let me know whether the kernel image contains a signature and whether it was checked in this log?

If the signature is not checked, could you guide me on how to sign the kernel and dtb files?

Is it related to TI_SECURE_DEV_PKG(core-secdev-k3), which is mentioned in "AM62x_Secure_SDK_v1.pdf"?

BR

Jace

  • Yes, the log shows the kernel/dtb is verified by u-boot proper.

    There's a change in u-boot proper verifying the kernel FIT image starting from SDK 9.x, where the generic u-boot FIT signature verification with support for the signed configuration is used instead of the TIFS TISCI API to verify the kernel FIT image. The rationale is verifying the u-boot binary with ROM/TIFS to establish SoC-level RoT secure boot, which makes it possible to use the generic u-boot FIT signature verification flow for the rest of the secure boot chain...

    Please refer to this earlier e2e for the details.
    RE: AM6412: Signing kernel FIT image for secure boot 

    Best,
    -Hong

  • Hi Hong

    Then do we not need to consider TI_SECURE_DEV_PKG(core-secdev-k3) any more from SDK 9 ?

    Can I think that all secure functions work correctly with the default key?

    FYI, I also added the boot log before kernel verification

    U-Boot SPL 2023.04-ti-gf9b966c67473 (Mar 19 2024 - 20:31:40 +0000)
    SYSFW ABI: 3.1 (firmware rev 0x0009 '9.2.7--v09.02.07 (Kool Koala)')
    SPL initial stack usage: 13408 bytes
    Trying to boot from MMC2
    Authentication passed
    Authentication passed
    Authentication passed
    Authentication passed
    Authentication passed
    Starting ATF on ARM64 core...
    
    NOTICE:  BL31: v2.10.0(release):v2.10.0-367-g00f1ec6b87-dirty
    NOTICE:  BL31: Built : 16:09:05, Feb  9 2024
    
    U-Boot SPL 2023.04-dirty (Dec 02 2025 - 14:59:28 +0900)
    SYSFW ABI: 3.1 (firmware rev 0x0009 '9.2.7--v09.02.07 (Kool Koala)')
    SPL initial stack usage: 1856 bytes
    Trying to boot from MMC2
    Authentication passed
    Authentication passed
    
    
    U-Boot 2023.04-dirty (Dec 02 2025 - 14:59:28 +0900)
    
    SoC:   AM62X SR1.0 HS-SE
    Model: Texas Instruments AM625 SK
    EEPROM not available at 80, trying to read at 81
    Board: AM62B-SKEVM-P1 rev A
    DRAM:  2 GiB
    Core:  72 devices, 32 uclasses, devicetree: separate
    MMC:   mmc@fa10000: 0, mmc@fa00000: 1
    Loading Environment from nowhere... OK
    In:    serial
    Out:   serial
    Err:   serial
    Net:   eth0: ethernet@8000000port@1
    Hit any key to stop autoboot:  0
    switch to partitions #0, OK
    mmc1 is current device
    
    
    
    
    
    
    
    
    
    
    SD/MMC found on device 1
    Failed to load 'boot.scr'
    574 bytes read in 16 ms (34.2 KiB/s)
    Loaded env from uEnv.txt
    Importing environment from mmc1 ...
    ## Error: "main_cpsw0_qsgmii_phyinit" not defined
    8408726 bytes read in 106 ms (75.7 MiB/s)
    name_fit_config=conf-ti_k3-am625-sk.dtb
    ## Loading kernel from FIT Image at 90000000 ...
       Using 'conf-ti_k3-am625-sk.dtb' configuration
       Verifying Hash Integrity ... sha512,rsa4096:custMpk+ OK
       Trying 'kernel-1' kernel subimage
         Description:  Linux kernel
         Type:         Kernel Image
         Compression:  gzip compressed
         Data Start:   0x900000f4
         Data Size:    8216626 Bytes = 7.8 MiB
         Architecture: AArch64
         OS:           Linux
         Load Address: 0x81000000
         Entry Point:  0x81000000
         Hash algo:    sha512
         Hash value:   c1014b2ff3bfe7d7285c4963a710a6a0357476583da55eaedfe5dec8e719dd895092935b0f8a38a29a45ee763fe8cd17eb4dca5dc9cf65a69127e707f215b785
       Verifying Hash Integrity ... sha512+ OK
    ## Loading fdt from FIT Image at 90000000 ...
       Using 'conf-ti_k3-am625-sk.dtb' configuration
       Verifying Hash Integrity ... sha512,rsa4096:custMpk+ OK
       Trying 'fdt-ti_k3-am625-sk.dtb' fdt subimage
         Description:  Flattened Device Tree blob
         Type:         Flat Device Tree
         Compression:  uncompressed
         Data Start:   0x907e5230
         Data Size:    59546 Bytes = 58.2 KiB
         Architecture: AArch64
         Load Address: 0x83000000
         Hash algo:    sha512
         Hash value:   f05cc2def183826a0634e6ab99feb93a1ce63835ff8ba604c83493d9ac3f8498a75cdeb41b76342fda8f7f6cd7a6dd824eaa109021245420331b6fbea214c2c2
       Verifying Hash Integrity ... sha512+ OK
       Loading fdt from 0x907e5230 to 0x83000000
       Booting using the fdt blob at 0x83000000
    Working FDT set to 83000000
       Uncompressing Kernel Image
       Loading Device Tree to 000000008ffee000, end 000000008ffff899 ... OK
    Working FDT set to 8ffee000
    
    Starting kernel ...
    

    BR

    Jace

  • Then do we not need to consider TI_SECURE_DEV_PKG(core-secdev-k3) any more from SDK 9 ?

    https://software-dl.ti.com/processor-sdk-linux/esd/AM62X/11_01_05_03/exports/docs/linux/Foundational_Components_Migration_Guide.html#k3-image-gen
    "K3-image-gen is no longer used in 9.0 SDK. Binman is now used instead to package images in u-boot source..."

    Can I think that all secure functions work correctly with the default key?

    FYI, I also added the boot log before kernel verification

    Yes, the log shows secure boot works.
    Best,
    -Hong
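
An added example (not from the thread or from TI's SDK): a Python check over the FIT-loading lines of a U-Boot log, reading the format as it appears in the log above, where `sha512,rsa4096:custMpk+` on a configuration line is a passed signature check naming the key and a bare `sha512+` on a subimage line is a hash check. With U-Boot's signed-configuration scheme the configuration signature covers the image hashes, so the line to audit is the configuration one. The function names and the reading of a trailing `-` as a failed check are assumptions of this example.

```python
import re

# Constructed sample: FIT-loading lines copied from the boot log in this thread.
SAMPLE_LOG = """\
## Loading kernel from FIT Image at 90000000 ...
   Using 'conf-ti_k3-am625-sk.dtb' configuration
   Verifying Hash Integrity ... sha512,rsa4096:custMpk+ OK
   Trying 'kernel-1' kernel subimage
   Verifying Hash Integrity ... sha512+ OK
## Loading fdt from FIT Image at 90000000 ...
   Using 'conf-ti_k3-am625-sk.dtb' configuration
   Verifying Hash Integrity ... sha512,rsa4096:custMpk+ OK
   Trying 'fdt-ti_k3-am625-sk.dtb' fdt subimage
   Verifying Hash Integrity ... sha512+ OK
"""

SUBJECT = re.compile(r"(?:Using|Trying) '([^']+)' (?:\w+ )?(configuration|subimage)")
VERIFY = re.compile(r"Verifying Hash Integrity \.\.\. (.*)$")
# One check: "<algo>[:<keyname>]" then '+' (passed) or '-' (failed, assumed).
TOKEN = re.compile(r"(?<!\S)([\w,]+)(?::([\w-]+))?([+-])(?=\s|$)")

def audit_fit_log(text):
    """Return one record per 'Verifying Hash Integrity' line in a U-Boot log."""
    records, subject = [], (None, None)
    for line in text.splitlines():
        m = SUBJECT.search(line)
        if m:
            subject = m.groups()  # (name, kind) the next verify line refers to
            continue
        m = VERIFY.search(line)
        if not m:
            continue
        checks = TOKEN.findall(m.group(1))
        passed = bool(checks) and all(sign == "+" for _, _, sign in checks)
        keys = sorted({key for _, key, sign in checks if key and sign == "+"})
        records.append({"name": subject[0], "kind": subject[1],
                        "passed": passed, "signed_by": keys})
    return records

def unsigned_configurations(text):
    """Configurations loaded without a passing signature check."""
    return [r["name"] for r in audit_fit_log(text)
            if r["kind"] == "configuration" and not r["signed_by"]]

if __name__ == "__main__":
    for rec in audit_fit_log(SAMPLE_LOG):
        print(rec)
    print("unsigned configurations:", unsigned_configurations(SAMPLE_LOG))
```

An empty result from `unsigned_configurations` on a captured console log means every configuration that was used passed a signature check against a named key; a configuration line showing only `sha512+` would be listed.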