SK-AM64B: Enable Secure Boot

Brycen Hillukka

Part Number: SK-AM64B
Other Parts Discussed in Thread: SYSCONFIG, TCA9538

Hello,

I am trying to enable secure boot on the SK-AM64B development board using the OTP keywriter application from the sbl_keywriter software package. So far I have not been able to change the device type from HS-FS to HS-SE.

My current development environment matches the one described in the PDF document: ~/ti/mcu_plus_sdk_am64x_10_01_00_32/source/security/sbl_keywriter/user_guide/am64x/AM64X_AM243X OTP Keywriter User Guide.pdf

I am using the following:

MCU+SDK 10.00.00

Sysconfig 1.20.0

CCS 12.5.0

TI ARM CLANG 3.2.0 LTS

Openssl 3.2.1

Python 3.12.3

I have also tried using:

MCU+SDK 10.01.00

Sysconfig 1.21.2

TI ARM CLANG 4.0.1 LTS

Steps I have tried from the user guide:

Generate the x509 certificate:

Screenshot from 2026-03-10 18-39-37.png

I also tried this method:

Screenshot from 2026-03-10 18-24-56.png

Building the example R5F firmware:

make -sj clean PROFILE=debug
make -sj PROFILE=debug

Note that I did not modify board.c.

Then, I set my SK-AM64B to UART boot mode and sent tiboot3.bin to it using the following command:

Screenshot from 2026-03-10 18-43-24.png

After this point, I get no debug logs on UART0/1 or /dev/ttyUSB0 and /dev/ttyUSB1 like the user guide suggests that I should. Why don't I get any logs?

When I reboot the device (in UART boot mode) and check the system type, it is still marked as HS-FS. Why is this happening? What am I doing incorrectly?

Additionally, I need secure boot to work for both the bootloaders and Linux. How can I configure the OTP keywriter to work for this? Encryption is not a requirement for me but it would be nice to have.

Also, how can I configure the OTP keywriter to enable secure boot for both the bootloaders and Linux? Encryption is not necessary for me but would be a nice to have. I am building my images using the Docker image from these instructions for Ubuntu. What changes need to be made to this to create images for secure boot?

I look forward to hearing back and learning how to use secure boot!

1 month ago

0 Prashant Shivhare 1 month ago

TI__Guru* 80321 points

Hello,

For SK-AM64B board, you would have to modify the keywriter application as discussed in the following FAQ

e2e.ti.com/.../faq-how-to-run-otp-keywriter-on-sk-am64b

0 Brycen Hillukka 1 month ago in reply to Prashant Shivhare

Prodigy 100 points

Thanks for the quick reply. Are there any special configurations I need to change in the OTP keywriter to enable secure boot on the bootloaders and Linux, or is this configured by default?

How do I get my Yocto environment to build the bootloaders and Linux to work with secure boot? This part seems unclear from the user guide.

I will try out the changes mentioned in the FAQ today.

0 Prashant Shivhare 1 month ago in reply to Brycen Hillukka

TI__Guru* 80321 points

Brycen Hillukka said:
Are there any special configurations I need to change in the OTP keywriter to enable secure boot on the bootloaders and Linux, or is this configured by default?

Once the device is converted to HSSE, the secure boot is by default enforced.

Brycen Hillukka said:
How do I get my Yocto environment to build the bootloaders and Linux to work with secure boot? This part seems unclear from the user guide.

Please see if the following helps

https://software-dl.ti.com/processor-sdk-linux/esd/AM64X/11_02_08_02/exports/docs/linux/Foundational_Components_Security.html

0 Brycen Hillukka 1 month ago in reply to Prashant Shivhare

Prodigy 100 points

Hello,

I have added the ioexp_9538.h/c files like you suggested and recompiled the R5F libraries for the MCU+SDK 10.00.00. I rebuilt the libraries using:

cd ${SDK_INSTALL_PATH}

gmake -s libs-clean PROFILE=debug

gmake -s libs PROFILE=debug

Everything compiled fine. Then, I recompiled the OTP keywriter (tiboot3) using the following from the FAQ:

cd ../security/sbl_keywriter/am64x-evm/r5fss0-0_nortos/ti-arm-clang
make clean -sj PROFILE=debug && make -sj PROFILE=debug

I then sent tiboot3.bin to the SK-AM64B using uart_bootloader.py. It appears to have been sent successfully.

After this point I get no output on /dev/ttyUSB0 or /dev/ttyUSB1. These are the two ports that show up when I plug in the DEBUG_CONSOLE port of the SK-AM64B.

Why is my tiboot3 not working? Should I be seeing output from the UART ports? Based on the Linux academy, I think I should be. The device type remains as HS-FS.

This is the only output I get once tiboot3 is loaded on the device. This comes from the XDS110 Class Application/User UART port. This does not appear like the expected output from the user guide.

What should my next steps be to enable secure boot?

Thanks for your help.

0 Prashant Shivhare 1 month ago in reply to Brycen Hillukka

TI__Guru* 80321 points

Brycen Hillukka said:
Then, I recompiled the OTP keywriter (tiboot3) using the following from the FAQ:

Did you make changes in the "board.c" file of the keywriter application as well as suggested in the FAQ?

Brycen Hillukka said:
Should I be seeing output from the UART ports?

You won't see any UART logs because the application would have booted by the time you connect to the UART port after sending the application over UART using "uart_bootloader.py" script.

I would recommend using tools like picocom or minicom to send the binary over XMODEM protocol. This way you should be able to see the logs.

0 Prashant Shivhare 1 month ago in reply to Prashant Shivhare

TI__Guru* 80321 points

The following response lists the steps for booting a SBL (like keywriter's tiboot3.bin) over UART bootmode using Picocom.

https://e2e.ti.com/support/processors-group/processors/f/processors-forum/1229024/am625-error-xmodem-send-failed-no-response-or-incorrect-response-from-evm-or-cancelled-by-user/4652014

0 Prashant Shivhare 1 month ago in reply to Prashant Shivhare

TI__Guru* 80321 points

Prashant Shivhare said:
For SK-AM64B board, you would have to modify the keywriter application as discussed in the following FAQ

I just remember this FAQ alone is not enough. You would have to disable the eMMC in the sysconfig as well as discussed in the following thread

https://e2e.ti.com/support/processors-group/processors/f/processors-forum/1473209/processor-sdk-am64x-flashing-otp-keywriter-per-sd-card/5669823

Specifically, you need to do the following:

Integrate the IO Expander support for SK board in the SDK.
Disable the eMMC in the sysconfig.

If done correctly, you should be able to see the logs after booting the binary over picocom.

0 Brycen Hillukka 1 month ago in reply to Prashant Shivhare

Prodigy 100 points

Yes, I made the changes to board.c as well as mentioned in the FAQ. I am including the files I added/changed for reference.

board.c:

// {MCU+SDK_INSTALL_PATH}/source/security/sbl_keywriter/am64x-skb/r5fss0-0_nortos/board.c

#include <board/ioexp/ioexp_tca9538.h>
#include <kernel/dpl/CacheP.h>

/* TP89 VPP CORE on SK-AM64B */
#define EFUSE_VPP_PIN (4U) // IOExpander-P04

/* *
 * This function sets the VPP voltage for the SoC. 
 * VPP pin is controlled via IO Expander-P4 on SK-AM64B.
 * */
void keywriter_setVpp()
{
	int32_t status;

	TCA9538_Params TCA9538_IOexp_params = 
	{
		.i2cInstance = 0,  
		.i2cAddress = 0x70 
	}; 

	TCA9538_Config TCA9538_IOexp_config ; 

    status = TCA9538_open(&TCA9538_IOexp_config, &TCA9538_IOexp_params);

	/* set VPP core */
    if (status == SystemP_SUCCESS)
	{	
		status = TCA9538_config(&TCA9538_IOexp_config, EFUSE_VPP_PIN, TCA9538_MODE_OUTPUT);
	}

    if (status == SystemP_SUCCESS)
	{	
    	status = TCA9538_setOutput(&TCA9538_IOexp_config, EFUSE_VPP_PIN, TCA9538_OUT_STATE_HIGH);
	}

    TCA9538_close(&TCA9538_IOexp_config);
	
	DebugP_assertNoLog(status==SystemP_SUCCESS);
}

ioexp_tca9538.h:

// {MCU+SDK_INSTALL_PATH}/source/board/ioexp/ioexp_tca9538.h

/**
 *  \defgroup BOARD_IO_EXPANDER_TCA9538_MODULE APIs for TCA9538 IO Expander driver
 *  \ingroup BOARD_MODULE
 *
 *  This module contains APIs to program and use I2C based TCA9538 IO Expander
 *  module on the board.
 *
 *  @{
 */

#ifndef IO_EXP_TCA9538_H_
#define IO_EXP_TCA9538_H_

/* ========================================================================== */
/*                             Include Files                                  */
/* ========================================================================== */

#include <stdint.h>
#include <kernel/dpl/SystemP.h>
#include <kernel/dpl/SemaphoreP.h>
#include <drivers/i2c.h>

#ifdef __cplusplus
extern "C" {
#endif

/* ========================================================================== */
/*                           Macros & Typedefs                                */
/* ========================================================================== */

/**
 *  \anchor TCA9538_Mode
 *  \name IO pin mode - Input or Output
 *  @{
 */
/** \brief Configure IO pin as input */
#define TCA9538_MODE_INPUT              (0U)
/** \brief Configure IO pin as output */
#define TCA9538_MODE_OUTPUT             (1U)
/** @} */

/**
 *  \anchor TCA9538_OutState
 *  \name IO pin output state - HIGH or LOW
 *  @{
 */
/** \brief Configure IO pin output as LOW */
#define TCA9538_OUT_STATE_LOW           (0U)
/** \brief Configure IO pin output as HIGH */
#define TCA9538_OUT_STATE_HIGH          (1U)
/** @} */

/* ========================================================================== */
/*                         Structure Declarations                             */
/* ========================================================================== */

/**
 *  \brief Parameters passed during TCA9538_open()
 */
typedef struct TCA9538_Params_s
{
    uint32_t        i2cInstance;
    /**< Underlying peripheral driver instance that is used by the
     *   IO Expander driver incase of I2C controlled IO Expander */
    uint32_t        i2cAddress;
    /**< I2C address for IO expander */
} TCA9538_Params;

/**
 *  \brief IO Expander device attributes.
 */
typedef struct TCA9538_Attrs_s
{
    uint32_t        numIo;
    /**< Number of IO supported by device */
} TCA9538_Attrs;

/**
 *  \brief IO Expander driver configuration. This is the driver object used to
 *  store state variables
 */
typedef struct TCA9538_Config_s
{
    TCA9538_Params      params;
    /**< Parameters */
    TCA9538_Attrs       attrs;
    /**< Attributes */
    I2C_Handle          i2cHandle;
    /**< I2C driver handle */
    void               *lock;
    /**< Mutex to protect IO expander access. */
    SemaphoreP_Object   lockObj;
    /**< Mutex object. */
} TCA9538_Config;

/* ========================================================================== */
/*                          Function Declarations                             */
/* ========================================================================== */

/**
 *  \brief Open TCA9538 driver
 *
 *  Make sure the I2C driver is opened before calling this API.
 *
 *  \param config       [IN] Driver object. Caller need to allocate memory for this.
 *  \param params       [IN] Open parameters
 *
 * \return SystemP_SUCCESS on success, else failure
 */
int32_t TCA9538_open(TCA9538_Config *config, const TCA9538_Params *params);

/**
 *  \brief Close TCA9538 driver
 *
 *  \param config    [IN] TCA9538 driver config from \ref TCA9538_open
 */
void TCA9538_close(TCA9538_Config *config);

/**
 * \brief API to set a IO pin of TCA9538 as input or output
 *
 * \param config    [IN] TCA9538 driver config from \ref TCA9538_open
 * \param ioIndex   [IN] Index to the TCA9538 IO which needs to be set/reset.
 * \param mode      [IN] Refer \ref TCA9538_Mode
 *
 * \return SystemP_SUCCESS on success, else failure
 */
int32_t TCA9538_config(TCA9538_Config *config, uint32_t ioIndex, uint32_t mode);

/**
 * \brief API to set a IO pin of TCA9538 to either HIGH or LOW
 *
 * \param config    [IN] TCA9538 driver config from \ref TCA9538_open
 * \param ioIndex   [IN] Index to the TCA9538 IO which needs to be set/reset.
 * \param state     [IN] Refer \ref TCA9538_OutState
 *
 * \return SystemP_SUCCESS on success, else failure
 */
int32_t TCA9538_setOutput(TCA9538_Config *config, uint32_t ioIndex, uint32_t state);

/**
 * \brief Returns TCA9538 attributes
 *
 * \param config    [IN] TCA9538 driver config from \ref TCA9538_open
 * \param attrs     [IN/OUT] Structure where the attribute is returned
 *
 */
void TCA9538_getAttrs(TCA9538_Config *config, TCA9538_Attrs *attrs);

/**
 *  \brief Set default parameters in the \ref TCA9538_Params structure
 *
 *  Call this API to set defaults and then override the fields as needed
 *  before calling  \ref TCA9538_open.
 *
 *  \param params   [OUT] Initialized parameters
 */
void TCA9538_Params_init(TCA9538_Params *params);

/* ========================================================================== */
/*                       Static Function Definitions                          */
/* ========================================================================== */

/* None */

/* ========================================================================== */
/*                  Internal/Private Structure Declarations                   */
/* ========================================================================== */

/* None */

#ifdef __cplusplus
}
#endif

#endif /* #ifndef TCA9538_H_ */

/** @} */

ioexp_tca9538.c:

I just tried to use minicom with XMODEM and still received no logs.

I am now trying to disable eMMC in sysconfig by importing the project into CCS 12.5.0 but am getting a metadata error.

Thanks for all your help so far!

0 Brycen Hillukka 1 month ago in reply to Brycen Hillukka

Prodigy 100 points

Not sure why ioexp_tca9538.c didn't appear in my last message. It can be found below:

// {MCU+SDK_INSTALL_PATH}/source/board/ioexp/ioexp_tca9538.c

/* ========================================================================== */
/* Include Files */
/* ========================================================================== */

#include <board/ioexp/ioexp_tca9538.h>

/* ========================================================================== */
/* Macros & Typedefs */
/* ========================================================================== */

#define TCA9538_REG_INPUT_PORT (0x00U)
#define TCA9538_REG_OUTPUT_PORT (0x01U)
#define TCA9538_REG_POL_INV_PORT (0x02U)
#define TCA9538_REG_CONFIG_PORT (0x03U)

/* ========================================================================== */
/* Structure Declarations */
/* ========================================================================== */

/* None */

/* ========================================================================== */
/* Function Declarations */
/* ========================================================================== */

/* None */

/* ========================================================================== */
/* Global Variables */
/* ========================================================================== */

/* None */

/* ========================================================================== */
/* Function Definitions */
/* ========================================================================== */

int32_t TCA9538_open(TCA9538_Config *config, const TCA9538_Params *params)
{
int32_t status = SystemP_SUCCESS;

if((NULL == config) || (NULL == params))
{
status = SystemP_FAILURE;
}
else
{
config->params.i2cInstance = params->i2cInstance;
config->params.i2cAddress = params->i2cAddress;
config->lock = NULL;
config->i2cHandle = I2C_getHandle(config->params.i2cInstance);
if(NULL == config->i2cHandle)
{
status = SystemP_FAILURE;
}
}

if(status == SystemP_SUCCESS)
{
SemaphoreP_constructMutex(&config->lockObj);
config->lock = &config->lockObj;
TCA9538_getAttrs(config, &config->attrs);
}

return (status);
}

void TCA9538_close(TCA9538_Config *config)
{

if(NULL == config)
{
}
else
{
/* I2C Driver will be closed outside flash */
config->i2cHandle = NULL;
if(NULL != config->lock)
{
SemaphoreP_destruct(&config->lockObj);
config->lock = NULL;
}
}

return;
}

int32_t TCA9538_config(TCA9538_Config *config, uint32_t ioIndex, uint32_t mode)
{
int32_t status = SystemP_SUCCESS;
I2C_Transaction i2cTransaction;
uint32_t portPin, i2cAddress;
uint8_t buffer[2U] = {0};

if(NULL == config)
{
status = SystemP_FAILURE;
}
else
{
/* Validate input IO number */
if(ioIndex >= config->attrs.numIo)
{
status = SystemP_FAILURE;
}
}

if(status == SystemP_SUCCESS)
{
/* Each port contains 8 IOs */
portPin = ioIndex;
i2cAddress = config->params.i2cAddress;

SemaphoreP_pend(&config->lockObj, SystemP_WAIT_FOREVER);

/* Set config register address - needed for next read */
I2C_Transaction_init(&i2cTransaction);
buffer[0] = TCA9538_REG_CONFIG_PORT;
i2cTransaction.writeBuf = buffer;
i2cTransaction.writeCount = 1U;
i2cTransaction.targetAddress = i2cAddress;
status += I2C_transfer(config->i2cHandle, &i2cTransaction);

/* Read config register value */
I2C_Transaction_init(&i2cTransaction);
i2cTransaction.readBuf = buffer;
i2cTransaction.readCount = 1;
i2cTransaction.targetAddress = i2cAddress;
status += I2C_transfer(config->i2cHandle, &i2cTransaction);

/* Set output or input mode to particular IO pin - read/modify/write */
I2C_Transaction_init(&i2cTransaction);
if(TCA9538_MODE_INPUT == mode)
{
buffer[1] = buffer[0] | (0x01 << portPin);
}
else
{
buffer[1] = buffer[0] & ~(0x01 << portPin);
}
buffer[0] = TCA9538_REG_CONFIG_PORT;
i2cTransaction.writeBuf = buffer;
i2cTransaction.writeCount = 2;
i2cTransaction.targetAddress = i2cAddress;
status += I2C_transfer(config->i2cHandle, &i2cTransaction);

SemaphoreP_post(&config->lockObj);
}
return (status);
}

int32_t TCA9538_setOutput(TCA9538_Config *config, uint32_t ioIndex, uint32_t state)
{
int32_t status = SystemP_SUCCESS;
I2C_Transaction i2cTransaction;
uint32_t port, portPin, i2cAddress;
uint8_t buffer[2U] = {0};

if(NULL == config)
{
status = SystemP_FAILURE;
}
else
{
/* Validate input IO number */
if(ioIndex >= config->attrs.numIo)
{
status = SystemP_FAILURE;
}
}

if(status == SystemP_SUCCESS)
{
/* Each port contains 8 IOs */
port = ioIndex >> 3U; /* /8 gives port */
portPin = ioIndex & 0x07U; /* %8 gives pin within port */
i2cAddress = config->params.i2cAddress;

SemaphoreP_pend(&config->lockObj, SystemP_WAIT_FOREVER);

/* Set output prt register address - needed for next read */
I2C_Transaction_init(&i2cTransaction);
buffer[0] = TCA9538_REG_OUTPUT_PORT + port;
i2cTransaction.writeBuf = buffer;
i2cTransaction.writeCount = 1U;
i2cTransaction.targetAddress = i2cAddress;
status += I2C_transfer(config->i2cHandle, &i2cTransaction);

/* Set output or input mode to particular IO pin - read/modify/write */
I2C_Transaction_init(&i2cTransaction);
if(TCA9538_OUT_STATE_HIGH == state)
{
buffer[1] = buffer[0] | (0x01 << portPin);
}
else
{
buffer[1] = buffer[0] & ~(0x01 << portPin);
}
buffer[0] = TCA9538_REG_OUTPUT_PORT;
i2cTransaction.writeBuf = buffer;
i2cTransaction.writeCount = 2;
i2cTransaction.targetAddress = i2cAddress;
status += I2C_transfer(config->i2cHandle, &i2cTransaction);

SemaphoreP_post(&config->lockObj);
}

return (status);
}

void TCA9538_getAttrs(TCA9538_Config *config, TCA9538_Attrs *attrs)
{
if(NULL != attrs)
{
attrs->numIo = 8U;
}

return;
}

void TCA9538_Params_init(TCA9538_Params *params)
{
if(NULL != params)
{
params->i2cInstance = 0U;
params->i2cAddress = 0x70;
}

return;
}

0 Prashant Shivhare 1 month ago in reply to Brycen Hillukka

TI__Guru* 80321 points

Brycen Hillukka said:
I am now trying to disable eMMC in sysconfig by importing the project into CCS 12.5.0 but am getting a metadata error.

Don't import the project into CCS. It is supposed to be configured and built from CLI only.

Go to the keywriter's "ti-arm-clang" and launch the sysconfig with "make -s syscfg-gui" and do the necessary changes.

0 Brycen Hillukka 1 month ago in reply to Prashant Shivhare

Prodigy 100 points

Thanks for showing me how to do that.

I did receive logs on when I ran tiboot3 this time.

My SOCID also changed as expected. The device type now says HSS instead of HSSE, is this correct?

I will soon try to build my images for bootloader and Linux using the Yocto docker container. I am still confused on two things.

How can I tell Yocto to build my images with specific signature keys?

Also, how can I make the secure boot images work for SD card boot?

Thank you so much!

0 Prashant Shivhare 1 month ago in reply to Brycen Hillukka

TI__Guru* 80321 points

Brycen Hillukka said:
My SOCID also changed as expected. The device type now says HSS instead of HSSE, is this correct?

The SoC UID is not supposed to change. I think it's a copy paste error of the hex string from the UART console. There shouldn't be any CC characters at the start. If you see, the SoC UID is right shifted by one byte.

Brycen Hillukka said:
How can I tell Yocto to build my images with specific signature keys?

I see that you have programmed the TI dummy keys only so you don't have to do anything for now. Simply build the U-Boot as usual and replace the images in the SD card.

0 Brycen Hillukka 1 month ago in reply to Prashant Shivhare

Prodigy 100 points

Hello,

Yes, you were correct. After I removed the CC characters the device type was verified to be HS-SE:

I have been trying to securely boot Linux and have not been successful yet. I am unsure of where to look to begin troubleshooting. How can I verify I am using the correct keys for my Yocto builds? I also saw something in the documentation about needing a fitImage for Linux. If I need this how do I flash this to the SD card?

Below is the boot output I have received so far. After each boot attempt, two LEDs (LD2 and LD16) on the board start flashing.

The following boot output is from my initial attempt to securely boot after replacing tiboot3.bin with tiboot3-am64x_sr2-hs-evm.bin:

[    6.869146] devtmpfs: mounted

[    6.874119] Freeing unused kernel memory: 2752K

[    6.878788] Run /sbin/init as init process

[    7.084183] systemd[1]: System time before build time, advancing clock.

[    7.134031] NET: Registered PF_INET6 protocol family

[    7.140648] Segment Routing with IPv6

[    7.144430] In-situ OAM (IOAM) with IPv6

[    7.183905] systemd[1]: systemd 255.21^ running in system mode (+PAM -AUDIT -SELINUX -APPARMOR +IMA -SMACK +SECCOMP -GCRYPT -GNUTLS -OPENSSL +ACL +BLKID -CURL -ELFUTILS -FIDO2 -IDN2 -IDN -IPTC +KMOD -LIBCRYPTSETUP +LIBFDISK -PCRE2 -PWQUALITY -P11KIT -QRENCODE -TPM2 -BZIP2 -LZ4 -XZ -ZLIB +ZSTD -BPF_FRAMEWORK -XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified)

[    7.216081] systemd[1]: Detected architecture arm64.

 

Welcome to Arago!

 

[    7.232120] systemd[1]: Hostname set to <am64xx-evm>.

[    7.240397] systemd[1]: Initializing machine ID from random generator.

 

U-Boot SPL 2025.01-00767-g548607b56d64 (Feb 22 2026 - 22:00:00 +0000)

Resetting on cold boot to workaround ErrataID:i2331

Please resend tiboot3.bin in case of UART/DFU boot



resetting ...

After a reboot, this is the only boot output shown:

U-Boot SPL 2025.01-00767-g548607b56d64 (Feb 22 2026 - 22:00:00 +0000)

Resetting on cold boot to workaround ErrataID:i2331

Please resend tiboot3.bin in case of UART/DFU boot



resetting ...

After replacing tiboot3.bin with a fresh copy of tiboot3-am64x_sr2-hs-evm.bin, the boot output is now:

U-Boot SPL 2025.01-00767-g548607b56d64 (Feb 22 2026 - 22:00:00 +0000)

Resetting on cold boot to workaround ErrataID:i2331

Please resend tiboot3.bin in case of UART/DFU boot

resetting ...

 

U-Boot SPL 2025.01-00767-g548607b56d64 (Feb 22 2026 - 22:00:00 +0000)

SYSFW ABI: 4.0 (firmware rev 0x000b '11.2.5--v11.02.05 (Fancy Rat)')

EEPROM not available at 0x50, trying to read at 0x51

Set clock rates for '/a53@0', CPU: 1000MHz at Speed Grade 'S'

SPL initial stack usage: 13536 bytes

Trying to boot from MMC2

 

U-Boot SPL 2025.01-00767-g548607b56d64 (Feb 22 2026 - 22:00:00 +0000)

Resetting on cold boot to workaround ErrataID:i2331

Please resend tiboot3.bin in case of UART/DFU boot



resetting ...

I never made it to Linux successfully. What next steps do you recommend for me to get my Yocto builds working with secure boot? As I mentioned in my initial post, I am using the Docker container approach to build my Linux images. I am using the scarthgap configuration.

Thank you!

0 Prashant Shivhare 1 month ago in reply to Brycen Hillukka

TI__Guru* 80321 points

U-Boot SPL 2025.01-00767-g548607b56d64 (Feb 22 2026 - 22:00:00 +0000)

The timestamp is not recent in these boot logs. Please make sure the timestamp matches the time at which you have built U-Boot to make sure you are booting correct set of images.

Otherwise, I see you have programmed TI dummy keys so you may just flash the TI provided WIC image to the SD card and replace the default `tiboot3.bin` with `tiboot3-am64x_sr2-hs-evm.bin`. The board should boot to Linux successfully. Then, you could try booting your built images.

0 Brycen Hillukka 1 month ago in reply to Prashant Shivhare

Prodigy 100 points

Hello,

After rebuilding using bitbake -k tisdk-base-image, the timestamp did not update (I'm not sure why). I replaced tiboot3.bin with tiboot3-am64x_sr2-hs-evm.bin. Below is the boot output:

U-Boot SPL 2025.01-00767-g548607b56d64 (Feb 22 2026 - 22:00:00 +0000)        
Resetting on cold boot to workaround ErrataID:i2331                          
Please resend tiboot3.bin in case of UART/DFU boot                          
resetting ...                                                                

U-Boot SPL 2025.01-00767-g548607b56d64 (Feb 22 2026 - 22:00:00 +0000)
SYSFW ABI: 4.0 (firmware rev 0x000b '11.2.5--v11.02.05 (Fancy Rat)')            
EEPROM not available at 0x50, trying to read at 0x51                            
Set clock rates for '/a53@0', CPU: 1000MHz at Speed Grade 'S'                  
SPL initial stack usage: 13536 bytes                                            
Trying to boot from MMC2                                                        
Authentication passed                                                          
Authentication passed                                                          
Loading Environment from nowhere... OK                                          
Authentication passed                                                          
Authentication passed                                                          
Starting ATF on ARM64 core...                                                  
                                                                               
NOTICE:  BL31: v2.13.0(release):v2.13.0-259-ge0c4d3903b-dirty                  
NOTICE:  BL31: Built : 07:01:36, Jul  1 2025                                    
I/TC:                                                                          
I/TC: OP-TEE version: 4.7.0-47-ga9690ae39 (gcc version 13.4.0 (GCC)) #1 Thu Aug4
I/TC: WARNING: This OP-TEE configuration might be insecure!                    
I/TC: WARNING: Please check https://optee.readthedocs.io/en/latest/architecturel
I/TC: Primary CPU initializing                                                  
I/TC: GIC redistributor base address not provided                              
I/TC: Assuming default GIC group status and modifier                            
I/TC: SYSFW ABI: 4.0 (firmware rev 0x000b '11.2.5--v11.02.05 (Fancy Rat)')      
I/TC: Activated SA2UL device                                                    
I/TC: Enabled firewalls for SA2UL TRNG device                                  
I/TC: EIP76D TRNG initialized                                                  
I/TC: SA2UL Drivers initialized                                                
I/TC: Secure Board Configuration Software: Rev 1                                
I/TC: Secure Boot Keys: Count 2, Rev 1                                          
I/TC: HUK Initialized                                                          
I/TC: Primary CPU switching to normal world boot                                
                                                                               
U-Boot SPL 2025.01-00767-g548607b56d64 (Feb 22 2026 - 22:00:00 +0000)          
SYSFW ABI: 4.0 (firmware rev 0x000b '11.2.5--v11.02.05 (Fancy Rat)')            
Trying to boot from MMC2                                                        
Authentication passed                                                          
Authentication passed                                                          
                                                                               
                                                                               
U-Boot 2025.01-00767-g548607b56d64 (Feb 22 2026 - 22:00:00 +0000)              
                                                                               
SoC:   AM64X SR2.0 HS-SE                                                        
Model: Texas Instruments AM642 SK                                              
Board: AM64B-SKEVM rev A                                                        
DRAM:  2 GiB                                                                    
Core:  104 devices, 35 uclasses, devicetree: separate                          
WDT:   Started watchdog@e000000 with servicing every 1000ms (60s timeout)      
WDT:   Started watchdog@e010000 with servicing every 1000ms (60s timeout)      
MMC:   mmc@fa00000: 1                                                          
Loading Environment from nowhere... OK                                          
In:    serial@2800000                                                          
Out:   serial@2800000                                                          
Err:   serial@2800000                                                          
Failed to probe prueth driver                                                  
Net:   eth0: ethernet@8000000port@1, eth1: ethernet@8000000port@2              
Hit any key to stop autoboot:  2                                                
U-Boot SPL 2025.01-00767-g548607b56d64 (Feb 22 2026 - 22:00:00 +0000)          
Resetting on cold boot to workaround ErrataID:i2331                            
Please resend tiboot3.bin in case of UART/DFU boot                              
resetting ...

I also downloaded and tried to flash tisdk-default-image-am64xx-evm-11.02.08.02.rootfs.wic.xz to my SD card but kept receiving a "Something went wrong. If it is a compressed image, please check that the archive is not corrupted. The writer process ended unexpectedly" error message. I would rather not spend my time on the default image and just focus on getting my Yocto builds to work with secure boot.

I know that you keep saying I am using the TI dummy keys. I think I may have regenerated them at some point when I was trying to enable secure boot before I opened this forum. How can I verify that I am building with the correct keys? I would also like to be able to "replace" these keys to verify secure boot won't work with invalid keys.

Thanks again!

0 Prashant Shivhare 1 month ago in reply to Brycen Hillukka

TI__Guru* 80321 points

Brycen Hillukka said:
After rebuilding using bitbake -k tisdk-base-image, the timestamp did not update (I'm not sure why).

I don't know about Yocto so won't be able to clarify why this might be happening but you should definitely check the issue. Maybe, you are taking the built images from incorrect path or something.

Brycen Hillukka said:
I also downloaded and tried to flash tisdk-default-image-am64xx-evm-11.02.08.02.rootfs.wic.xz to my SD card but kept receiving a "Something went wrong. If it is a compressed image, please check that the archive is not corrupted.

If you are using the Balena Etcher then please see the following FAQ

https://e2e.ti.com/support/processors-group/processors/f/processors-forum/1423359/faq-am62a7-q1-balena-etcher-flash-error-workaround

I would still recommend to once give this a try just to have a default bootable setup. Once you have this, you can replace the U-Boot images and Kernel fitImage with yours incrementally.

Brycen Hillukka said:
How can I verify that I am building with the correct keys? I would also like to be able to "replace" these keys to verify secure boot won't work with invalid keys.

The keys that are used for signing are in the U-Boot source code at "arch/arm/mach-k3/keys".

For negative testing, you could replace these keys with any random ones or you could corrupt even a single byte in the images signed with the correct keys.

I would recommend the following path

Boot the default TI WIC image.
Replace U-Boot images with yours and check the timestamps.
Replace Kernel fitImage with yours.
Perform negative testing.

0 Brycen Hillukka 1 month ago in reply to Prashant Shivhare

Prodigy 100 points

Hello,

I downloaded balena etcher v1.7.9 and got the image flashed to the SD card. Same problem occurred with booting. I am wondering if it is because I may have selected to use secondary and backup keys instead of just the secondary?

I verified that the keys are the same using the compare command:

:~/ti/mcu_plus_sdk_am64x_10_00_00_20/source/security/sbl_keywriter/scripts/cert_gen/am64x$ cmp keys_devel/smpk.pem ${PATH_TO_TISDK}/tisdk/build/workspace/sources/u-boot-ti-staging/arch/arm/mach-k3/keys/custMpk.pem

Note that I am pretty sure I built the OTP keywriter tiboot3.bin using secondary and backup keys with the following command:

./gen_keywr_cert.sh -t tifek/ti_fek_public.pem --msv 0xC0FFE -b-def --bmek-def -s-def --smek-def --keycnt 2 --keyrev 1

I noticed that in arch/arm/mach-k3/keys that there is only one .pem file instead of 2. Is this my problem?

:~/tisdk/build$ ls workspace/sources/u-boot-ti-staging/arch/arm/mach-k3/keys
custMpk.crt  custMpk.key  custMpk.pem  ti-degenerate-key.pem

The boot output from when I flashed the OTP keywriter shows that I used the combined boot mode which makes me think this is the problem. Step 6 in section 5.1.1 of the OTP keywriter user guide also suggests this. How can I add the second one?

0 Prashant Shivhare 1 month ago in reply to Brycen Hillukka

TI__Guru* 80321 points

Brycen Hillukka said:
I am wondering if it is because I may have selected to use secondary and backup keys instead of just the secondary?

This is not the issue. It just means that you have programmed two sets of keys. However, there is only set of keys (SMPK/SMEK or BMPK/BMEK) active at a time based on the KEYREV value.

The following thread should help clarify the usage of the keys

https://e2e.ti.com/support/processors-group/processors/f/processors-forum/1351307/am6424-security-boot

Brycen Hillukka said:
I downloaded balena etcher v1.7.9 and got the image flashed to the SD card. Same problem occurred with booting.

Could you please share the boot logs with the default image?

0 Brycen Hillukka 1 month ago in reply to Prashant Shivhare

Prodigy 100 points

Here are the boot logs from the default image:

U-Boot SPL 2025.01-00767-g548607b56d64 (Feb 22 2026 - 22:00:00 +0000)
Resetting on cold boot to workaround ErrataID:i2331
Please resend tiboot3.bin in case of UART/DFU boot
resetting ...

U-Boot SPL 2025.01-00767-g548607b56d64 (Feb 22 2026 - 22:00:00 +0000)
SYSFW ABI: 4.0 (firmware rev 0x000b '11.2.5--v11.02.05 (Fancy Rat)')
EEPROM not available at 0x50, trying to read at 0x51
Set clock rates for '/a53@0', CPU: 1000MHz at Speed Grade 'S'
SPL initial stack usage: 13536 bytes
Trying to boot from MMC2
Authentication passed
Authentication passed
Loading Environment from nowhere... OK
Authentication passed
Authentication passed
Starting ATF on ARM64 core...

NOTICE:  BL31: v2.13.0(release):v2.13.0-259-ge0c4d3903b-dirty
NOTICE:  BL31: Built : 07:01:36, Jul  1 2025
I/TC:
I/TC: OP-TEE version: 4.7.0-47-ga9690ae39 (gcc version 13.4.0 (GCC)) #1 Thu Aug  7 15:25:10 UTC 2025 aarch64
I/TC: WARNING: This OP-TEE configuration might be insecure!
I/TC: WARNING: Please check https://optee.readthedocs.io/en/latest/architecture/porting_guidelines.html
I/TC: Primary CPU initializing
I/TC: GIC redistributor base address not provided
I/TC: Assuming default GIC group status and modifier
I/TC: SYSFW ABI: 4.0 (firmware rev 0x000b '11.2.5--v11.02.05 (Fancy Rat)')
I/TC: Activated SA2UL device
I/TC: Enabled firewalls for SA2UL TRNG device
I/TC: EIP76D TRNG initialized
I/TC: SA2UL Drivers initialized
I/TC: Secure Board Configuration Software: Rev 1
I/TC: Secure Boot Keys: Count 2, Rev 1
I/TC: HUK Initialized
I/TC: Primary CPU switching to normal world boot

U-Boot SPL 2025.01-00766-g7493977a537f (Dec 03 2025 - 15:20:36 +0000)
SYSFW ABI: 4.0 (firmware rev 0x000b '11.2.5--v11.02.05 (Fancy Rat)')
Trying to boot from MMC2
Authentication passed

U-Boot SPL 2025.01-00767-g548607b56d64 (Feb 22 2026 - 22:00:00 +0000)
Resetting on cold boot to workaround ErrataID:i2331
Please resend tiboot3.bin in case of UART/DFU boot
resetting ...

U-Boot SPL 2025.01-00767-g548607b56d64 (Feb 22 2026 - 22:00:00 +0000)
Resetting on cold boot to workaround ErrataID:i2331
Please resend tiboot3.bin in case of UART/DFU boot
resetting ...

U-Boot SPL 2025.01-00767-g548607b56d64 (Feb 22 2026 - 22:00:00 +0000)
Resetting on cold boot to workaround ErrataID:i2331
Please resend tiboot3.bin in case of UART/DFU boot
resetting ...

0 Prashant Shivhare 1 month ago in reply to Brycen Hillukka

TI__Guru* 80321 points

U-Boot SPL 2025.01-00766-g7493977a537f (Dec 03 2025 - 15:20:36 +0000)
SYSFW ABI: 4.0 (firmware rev 0x000b '11.2.5--v11.02.05 (Fancy Rat)')
Trying to boot from MMC2
Authentication passed

U-Boot SPL 2025.01-00767-g548607b56d64 (Feb 22 2026 - 22:00:00 +0000)
Resetting on cold boot to workaround ErrataID:i2331
Please resend tiboot3.bin in case of UART/DFU boot
resetting ...

Did a reset automatically happen after the "Authentication passed" logs? And then it keeps resetting?

0 Brycen Hillukka 1 month ago in reply to Prashant Shivhare

Prodigy 100 points

Yes, the reset happened automatically. It did the three resets and then stopped. After this point when I power cycle the board I don't get any boot output and both LEDs start blinking right at power on. Any ideas to what is happening? I don't understand why the boot output isn't consistent each time.

0 Prashant Shivhare 1 month ago in reply to Brycen Hillukka

TI__Guru* 80321 points

Brycen Hillukka said:
Any ideas to what is happening?

I am not sure but it doesn't look like the issue is caused by the security state (HSSE) of the device. I guess it could be the board itself or the SD card. Could you please try the following suggestions:

Try a different SD card.
Try a different bootmode preferably UART. In UART bootmode, you would have to send the `tiboot3.bin` using XMODEM protocol, `tispl.bin` and `u-boot.img` using YMODEM protocol. Please use the U-Boot images from WIC image flashed on the SD card.
https://software-dl.ti.com/processor-sdk-linux/esd/AM64X/11_02_08_02/exports/docs/linux/Foundational_Components/U-Boot/UG-UART.html

0 Brycen Hillukka 1 month ago in reply to Prashant Shivhare

Prodigy 100 points

Hello,

I tried another SD card and got similar boot output. I have included it below:

U-Boot SPL 2025.01-00766-g7493977a537f (Dec 03 2025 - 15:20:36 +0000)
Resetting on cold boot to workaround ErrataID:i2331
Please resend tiboot3.bin in case of UART/DFU boot
resetting ...

U-Boot SPL 2025.01-00766-g7493977a537f (Dec 03 2025 - 15:20:36 +0000)
SYSFW ABI: 4.0 (firmware rev 0x000b '11.2.5--v11.02.05 (Fancy Rat)')
EEPROM not available at 0x50, trying to read at 0x51
Set clock rates for '/a53@0', CPU: 1000MHz at Speed Grade 'S'
SPL initial stack usage: 13536 bytes
Trying to boot from MMC2
Authentication passed
Authentication passed
Loading Environment from nowhere... OK
Authentication passed
Authentication passed
Starting ATF on ARM64 core...

NOTICE:  BL31: v2.13.0(release):v2.13.0-259-ge0c4d3903b-dirty
NOTICE:  BL31: Built : 07:01:36, Jul  1 2025
I/TC:
I/TC: OP-TEE version: 4.7.0-47-ga9690ae39 (gcc version 13.4.0 (GCC)) #1 Thu Aug  7 15:25:10 UTC 2025 aarch64
I/TC: WARNING: This OP-TEE configuration might be insecure!
I/TC: WARNING: Please check https://optee.readthedocs.io/en/latest/architecture/porting_guidelines.html
I/TC: Primary CPU initializing
I/TC: GIC redistributor base address not provided
I/TC: Assuming default GIC group status and modifier
I/TC: SYSFW ABI: 4.0 (firmware rev 0x000b '11.2.5--v11.02.05 (Fancy Rat)')
I/TC: Activated SA2UL device
I/TC: Enabled firewalls for SA2UL TRNG device
I/TC: EIP76D TRNG initialized
I/TC: SA2UL Drivers initialized
I/TC: Secure Board Configuration Software: Rev 1
I/TC: Secure Boot Keys: Count 2, Rev 1
I/TC: HUK Initialized
I/TC: Primary CPU switching to normal world boot

U-Boot SPL 2025.01-00766-g7493977a537f (Dec 03 2025 - 15:20:36 +0000)
SYSFW ABI: 4.0 (firmware rev 0x000b '11.2.5--v11.02.05 (Fancy Rat)')
Trying to boot from MMC2

U-Boot SPL 2025.01-00766-g7493977a537f (Dec 03 2025 - 15:20:36 +0000)
Resetting on cold boot to workaround ErrataID:i2331
Please resend tiboot3.bin in case of UART/DFU boot
resetting ...

U-Boot SPL 2025.01-00766-g7493977a537f (Dec 03 2025 - 15:20:36 +0000)
Resetting on cold boot to workaround ErrataID:i2331
Please resend tiboot3.bin in case of UART/DFU boot
resetting ...

U-Boot SPL 2025.01-00766-g7493977a537f (Dec 03 2025 - 15:20:36 +0000)
Resetting on cold boot to workaround ErrataID:i2331
Please resend tiboot3.bin in case of UART/DFU boot
resetting ...

U-Boot SPL 2025.01-00766-g7493977a537f (Dec 03 2025 - 15:20:36 +0000)
Resetting on cold boot to workaround ErrataID:i2331
Please resend tiboot3.bin in case of UART/DFU boot
resetting ...

U-Boot SPL 2025.01-00766-g7493977a537f (Dec 03 2025 - 15:20:36 +0000)

U-Boot SPL 2025.01-00766-g7493977a537f (Dec 03 2025 - 15:20:36 +0000)

I then switched to UART bootmode to try to send over the bootloaders. The SOCID is infinitely printing. I am unable to transfer any files using XMODEM or YMODEM. What do you recommend I do next? Is my board recoverable?

02000000011a0000616d3634780000000000000048535345000002000000020002a6000001000200b018658ad99dc903c8c9bfb27b12751099920a042ad1dfea7b7ba57369f15546de285edde6a7b39a8bdc40a27b237f8fb1e57f245e80b929c1e28b024aa2ecc61f6002b07cd9b0b7c47d9ca8d1aae57b8e8784a12f636b2b760d7d98a18f189760dfd0f23e2b0cb10ec7edc7c6edac3d9bdfefe0eddc3fff7fe9ad875195527d90ad011b9a6baf38885bad40af8dc14d15586d3f3dc5e9c0ec197e971d3e56afC02000000011a0000616d3634780000000000000048535345000002000000020002a6000001000200b018658ad99dc903c8c9bfb27b12751099920a042ad1dfea7b7ba57369f15546de285edde6a7b39a8bdc40a27b237f8fb1e57f245e80b929c1e28b024aa2ecc61f6002b07cd9b0b7c47d9ca8d1aae57b8e8784a12f636b2b760d7d98a18f189760dfd0f23e2b0cb10ec7edc7c6edac3d9bdfefe0eddc3fff7fe9ad875195527d90ad011b9a6baf38885bad40af8dc14d15586d3f3dc5e9c0ec197e971d3e56afC02000000011a0000616d3634780000000000000048535345000002000000020002a6000001000200b018658ad99dc903c8c9bfb27b12751099920a042ad1dfea7b7ba57369f15546de285edde6a7b39a8bdc40a27b237f8fb1e57f245e80b929c1e28b024aa2ecc61f6002b07cd9b0b7c47d9ca8d1aae57b8e8784a12f636b2b760d7d98a18f189760dfd0f23e2b0cb10ec7edc7c6edac3d9bdfefe0eddc3fff7fe9ad875195527d90ad011b9a6baf38885bad40af8dc14d15586d3f3dc5e9c0ec197e971d3e56afC02000000011a0000616d3634780000000000000048535345000002000000020002a6000001000200b018658ad99dc903c8c9bfb27b12751099920a042ad1dfea7b7ba57369f15546de285edde6a7b39a8bdc40a27b237f8fb1e57f245e80b929c1e28b024aa2ecc61f6002b07cd9b0b7c47d9ca8d1aae57b8e8784a12f636b2b760d7d98a18f189760dfd0f23e2b0cb10ec7edc7c6edac3d9bdfefe0eddc3fff7fe9ad875195527d90ad011b9a6baf38885bad40af8dc14d15586d3f3dc5e9c0ec197e971d3e56afC02000000011a0000616d3634780000000000000048535345000002000000020002a6000001000200b018658ad99dc903c8c9bfb27b12751099920a042ad1dfea7b7ba57369f15546de285edde6a7b39a8bdc40a27b237f8fb1e57f245e80b929c1e28b024aa2ecc61f6002b07cd9b0b7c47d9ca8d1aae57b8e8784a12f636b2b760d7d98a18f189760dfd0f23e2b0cb10ec7edc7c6edac3d9bdfefe0eddc3fff7fe9ad875195527d90ad011b9a6baf38885bad40af8dc14d15586d3f3dc5e9c0ec197e971d3e56afC02000000011a0000616d3634780000000000000048535345000002000000020002a6000001000200b018658ad99dc903c8c9bfb27b12751099920a042ad1dfea7b7ba57369f15546de285edde6a7b39a8bdc40a27b237f8fb1e57f245e80b929c1e28b024aa2ecc61f6002b07cd9b0b7c47d9ca8d1aae57b8e8784a12f636b2b760d7d98a18f189760dfd0f23e2b0cb10ec7edc7c6edac3d9bdfefe0eddc3fff7fe9ad875195527d90ad011b9a6baf38885bad40af8dc14d15586d3f3dc5e9c0ec197e971d3e56afC02000000011a0000616d3634780000000000000048535345000002000000020002a6000001000200b018658ad99dc903c8c9bfb27b12751099920a042ad1dfea7b7ba57369f15546de285edde6a7b39a8bdc40a27b237f8fb1e57f245e80b929c1e28b024aa2ecc61f6002b07cd9b0b7c47d9ca8d1aae57b8e8784a12f636b2b760d7d98a18f189760dfd0f23e2b0cb10ec7edc7c6edac3d9bdfefe0eddc3fff7fe9ad875195527d90ad011b9a6baf38885bad40af8dc14d15586d3f3dc5e9c0ec197e971d3e56afC02000000011a0000616d3634780000000000000048535345000002000000020002a6000001000200b018658ad99dc903c8c9bfb27b12751099920a042ad1dfea7b7ba57369f15546de285edde6a7b39a8bdc40a27b237f8fb1e57f245e80b929c1e28b024aa2ecc61f6002b07cd9b0b7c47d9ca8d1aae57b8e8784a12f636b2b760d7d98a18f189760dfd0f23e2b0cb10ec7edc7c6edac3d9bdfefe0eddc3fff7fe9ad875195527d90ad011b9a6baf38885bad40af8dc14d15586d3f3dc5e9c0ec197e971d3e56afC02000000011a0000616d3634780000000000000048535345000002000000020002a6000001000200b018658ad99dc903c8c9bfb27b12751099920a042ad1dfea7b7ba57369f15546de285edde6a7b39a8bdc40a27b237f8fb1e57f245e80b929c1e28b024aa2ecc61f6002b07cd9b0b7c47d9ca8d1aae57b8e8784a12f636b2b760d7d98a18f189760dfd0f23e2b0cb10ec7edc7c6edac3d9bdfefe0eddc3fff7fe9ad875195527d90ad011b9a6baf38885bad40af8dc14d15586d3f3dc5e9c0ec197e971d3e56afC02000000011a0000616d3634780000000000000048535345000002000000020002a6000001000200b018658ad99dc903c8c9bfb27b12751099920a042ad1dfea7b7ba57369f15546de285edde6a7b39a8bdc40a27b237f8fb1e57f245e80b929c1e28b024aa2ecc61f6002b07cd9b0b7c47d9ca8d1aae57b8e8784a12f636b2b760d7d98a18f189760dfd0f23e2b0cb10ec7edc7c6edac3d9bdfefe0eddc3fff7fe9ad875195527d90ad011b9a6baf38885bad40af8dc14d15586d3f3dc5e9c0ec197e971d3e56afC02000000011a0000616d3634780000000000000048535345000002000000020002a6000001000200b018658ad99dc903c8c9bfb27b12751099920a042ad1dfea7b7ba57369f15546de285edde6a7b39a8bdc40a27b237f8fb1e57f245e80b929c1e28b024aa2ecc61f6002b07cd9b0b7c47d9ca8d1aae57b8e8784a12f636b2b760d7d98a18f189760dfd0f23e2b0cb10ec7edc7c6edac3d9bdfefe0eddc3fff7fe9ad875195527d90ad011b9a6baf38885bad40af8dc14d15586d3f3dc5e9c0ec197e971d3e56afC02000000011a0000616d3634780000000000000048535345000002000000020002a6000001000200b018658ad99dc903c8c9bfb27b12751099920a042ad1dfea7b7ba57369f15546de285edde6a7b39a8bdc40a27b237f8fb1e57f245e80b929c1e28b024aa2ecc61f6002b07cd9b0b7c47d9ca8d1aae57b8e8784a12f636b2b760d7d98a18f189760dfd0f23e2b0cb10ec7edc7c6edac3d9bdfefe0eddc3fff7fe9ad875195527d90ad011b9a6baf38885bad40af8dc14d15586d3f3dc5e9c0ec197e971d3e56afC02000000011a0000616d3634780000000000000048535345000002000000020002a6000001000200b018658ad99dc903c8c9bfb27b12751099920a042ad1dfea7b7ba57369f15546de285edde6a7b39a8bdc40a27b237f8fb1e57f245e80b929c1e28b024aa2ecc61f6002b07cd9b0b7c47d9ca8d1aae57b8e8784a12f636b2b760d7d98a18f189760dfd0f23e2b0cb10ec7edc7c6edac3d9bdfefe0eddc3fff7fe9ad875195527d90ad011b9a6baf38885bad40af8dc14d15586d3f3dc5e9c0ec197e971d3e56afC

I have a few more questions. I noticed at the beginning of a related thread that encrypted boot is not supported in MCU+SDK 10.00.00.20 (the version I used to build the OTP keywriter), but instead begins being supported in MCU+SDK 10.01.00.32. Is this a problem?

Also are tispl.bin and u-boot.img signed? I am assuming that tiboot3-am64x_sr2-hs-evm.bin is signed. I have only been changing tiboot3-am64x_sr2-hs-evm.bin to tiboot3.bin by renaming the file, I have not been replacing tispl.bin or u-boot.img.

Let me know what my next steps should be. I will order another SK-AM64B board if I have to, but would like to know the problem first and if there is a solution.

0 Prashant Shivhare 1 month ago in reply to Brycen Hillukka

TI__Guru* 80321 points

Brycen Hillukka said:
I then switched to UART bootmode to try to send over the bootloaders. The SOCID is infinitely printing.

This is not expected. The ROM would dump the SOCID again only after the 180s timeout if it did not receive any image.

Brycen Hillukka said:
I have a few more questions. I noticed at the beginning of a related thread that encrypted boot is not supported in MCU+SDK 10.00.00.20 (the version I used to build the OTP keywriter), but instead begins being supported in MCU+SDK 10.01.00.32. Is this a problem?

This is not the problem. The device is booting to A53 SPL in the SD card which means the keys are programmed correctly and images are signed correctly as well otherwise the device would not have booted anything at all.

I highly suspect something is wrong with the board itself that it's resetting automatically. It could maybe the power supply issue. Could you please create a separate thread describing the issue with the UART bootmode for it to be addressed by the hardware team.

If you procure another board, we could see if the same issue occurs.

Thanks,

Prashant

0 Brycen Hillukka 1 month ago in reply to Prashant Shivhare

Prodigy 100 points

I will order another board. Are there any specific instructions I should follow to guarantee I can get secure boot to work on this board? Also what is the power supply issue?

0 Prashant Shivhare 1 month ago in reply to Brycen Hillukka

TI__Guru* 80321 points

Brycen Hillukka said:
Are there any specific instructions I should follow to guarantee I can get secure boot to work on this board?

You already followed everything correctly on the current board. Not sure why the issue is occuring. It will have to be evaluated from the hardware perspective.

Brycen Hillukka said:
Also what is the power supply issue?

It's just a guess. I am not the hardware expert so can't really say. I will watch over the other thread you have created for the reset issue. In the meantime, you may procure another board and try the same steps.

0 Brycen Hillukka 1 month ago in reply to Prashant Shivhare

Prodigy 100 points

On the new board should I use the OTP keywriter I have already built or should I rebuild it from scratch? Also, does it matter which version of MCU+SDK I use? I am still confused by the thread I mentioned earlier.

Once the new board arrives I will start by trying to get the default image to work before I use my own.

0 Prashant Shivhare 1 month ago in reply to Brycen Hillukka

TI__Guru* 80321 points

Brycen Hillukka said:
Also, does it matter which version of MCU+SDK I use? I am still confused by the thread I mentioned earlier.

For OTP Keywriter, you are expected to use the MCU+ SDK version mentioned in the keywriter user guide. The encrypted boot support in the other thread has nothing to do with the keywriter.

0 Prashant Shivhare 1 month ago in reply to Brycen Hillukka

TI__Guru* 80321 points

Brycen Hillukka said:
Once the new board arrives I will start by trying to get the default image to work before I use my own.

Before converting the board, you should confirm if the default TI WIC image is booting. If it is booting, it would confirm you have a working setup. Then, convert the board to HSSE, replace the `tiboot3.bin` in the SD card, and boot again with the same setup.

0 Brycen Hillukka 1 month ago in reply to Prashant Shivhare

Prodigy 100 points

Okay, sounds good. My current board worked with my custom Yocto images. I have been developing on it for about a month. It quit working after I converted the board to HSSE.

0 Prashant Shivhare 1 month ago in reply to Brycen Hillukka

TI__Guru* 80321 points

I understand. The issue is completely unexpected from the secure boot perspective. I will wait for the results from the testing on the new board.

Thanks for following the suggestions!!

+1 Brycen Hillukka 22 days ago in reply to Prashant Shivhare

Prodigy 100 points

Hello,

I figured out the issue. My USB-C-to-USB-C cable that powers the SK-AM64B was damaged. After I changed this out, the board has booted properly on each boot. I have since been able to test that secure boot works correctly using negative testing.

Thank you so much for all of your help!

Processors

Processors forum

SK-AM64B: Enable Secure Boot