Unable to generate Secure Boot AIS file for OMAP-L138

Hi. We had a prototype happily running on a development board utilizing a non-secure-boot OMAP-L138.  I have an AISgen configuration and resulting AIS file that boots it perfectly.


However, the first production boards are now back, and they've switched to a secure-boot variant of the OMAP-L138.  My AIS file no longer boots it.  A little googling told me I need a new utility to generate a new secure boot AIS file for this device.

So I've just obtained the SecureHexAIS_OMAP-L138.exe utility.  It fails to execute to completion.  Here's what I get....

/data/adi/OMAP-L138_Secure_FlashAndBootUtils_trunk/OMAP-L138_Secure/GNU/AISUtils/SecureHexAIS_OMAP-L138.exe -ini Debug_Boot_UART2.ini -otype binary -o Debug_Boot_UART2.ais
-----------------------------------------------------
   TI Secure AIS Hex File Generator for OMAP-L138
   (C) 2011, Texas Instruments, Inc.
   Ver. 1.25
-----------------------------------------------------


Creating boot image for a generic secure device.
INFO: Boot exit type has been selected as NONSECURE.
WARNING: Encrypted Key Header data is absent - generating plaintext version.
         The Customer Encryption Key will be transferred in plaintext! 
INFO: Current SHA algorithm is SHA256.
Begining the Secure AIS file generation.
AIS file being generated for bootmode: UART.
Parsing the input object file, /carbon/TI/u-boot.
Encrypting section .text, since ALL was specified for encryptSections in ini file.
Encrypting section .rodata, since ALL was specified for encryptSections in ini file.
Encrypting section .rodata.str1.4, since ALL was specified for encryptSections in ini file.
Encrypting section .data, since ALL was specified for encryptSections in ini file.
Encrypting section .u_boot_cmd, since ALL was specified for encryptSections in ini file.
  at TI.AISLib.AISGen.SecureGenAIS (TI.AISLib.AISGen devAISGen, System.Collections.Generic.List`1 inputFileNames, TI.UtilLib.Ini.IniFile iniFile) [0x00000] in <filename unknown>:0
  at TIBootAndFlash.Program.Main (System.String[] args) [0x00000] in <filename unknown>:0
Object reference not set to an instance of an object
Unhandled Exception!!! Application will now exit.


I'd appreciate any thoughts on how to resolve this.  Thanks much!

  • Found by trial and error that I could make it work by naming the u-boot binary file on the tool command line.

    I had originally had this section in the ini file:

    [INPUTFILE]
    FILENAME=/carbon/TI/u-boot
    USEENTRYPOINT=Yes
    ENCRYPT=Yes

    It would appear that SecureHexAIS_OMAP-L138.exe throws an exception while processing that ini file directive.  If instead, I comment out that section, and instead name /carbon/TI/u-boot on the command line to SecureHexAIS_OMAP-L138.exe, then it works, and I get a valid AIS file.

     

    I still don't have a booting OMAP part (the generated AIS file runs up through the "waiting for DONE", but never receives it), but at least I've made a step in the right direction, and I have some leads on where to look next.

     

  • Related question:

    Is there a command-line (non-GUI) equivalent for SecureHexAIS_OMAP-L138.exe?

     

    I had written a really nice expect script that called out to slh_OMAP-L138.exe for the initial serial-load of the part, and from there used minicom to issue commands to u-boot and then the Linux command line.  All told, it wrapped everything to take a board from completely virgin, all the way through code loaded, production tested, and ready to ship, into one command.  Just attach the board, start the script, go have a coffee, come back later to a pass or fail indicator.  I can't automate a GUI loader.  It's actually quite a bit less convenient to use because of this.


    A command-line version of the secure HexAIS serial loader that works just like slh_OMAP-L138.exe did would be a tremendous improvement in my production line workflow.
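
For a scripted pass/fail flow like the one described in the posts above, the generator's log can be checked before an image is accepted. The following is an added example, not part of the original posts and not TI code: the marker strings are copied from the log quoted in this thread, while the function names, return codes and the `ALLOW_NONSECURE_EXIT` variable are assumptions of the example.

```shell
#!/bin/sh
# Added example, not TI code. Marker strings come from the log quoted in this
# thread; names, return codes and ALLOW_NONSECURE_EXIT are assumptions.

# check_ais_log LOG AIS -> 0 ok, 1 generator failed, 2 plaintext key, 3 nonsecure exit
check_ais_log() {
    log=$1; ais=$2
    # The generator died before finishing (the crash shown in this thread).
    if grep -q -e 'Unhandled Exception' \
               -e 'Object reference not set to an instance of an object' "$log"; then
        echo "FAIL: generator crashed" >&2; return 1
    fi
    # A missing or empty output file is also a failed build.
    if [ ! -s "$ais" ]; then
        echo "FAIL: no AIS output at $ais" >&2; return 1
    fi
    # The tool fell back to a plaintext key header: do not ship this image.
    if grep -q 'Customer Encryption Key will be transferred in plaintext' "$log"; then
        echo "FAIL: key header is not encrypted" >&2; return 2
    fi
    # NONSECURE boot exit is accepted only when explicitly allowed.
    if [ "${ALLOW_NONSECURE_EXIT:-0}" != 1 ] &&
       grep -q 'Boot exit type has been selected as NONSECURE' "$log"; then
        echo "FAIL: boot exit type is NONSECURE" >&2; return 3
    fi
    return 0
}

# Constructed sample: the warning and crash lines from the first post.
write_sample_log() {
    cat > "$1" <<'EOF'
INFO: Boot exit type has been selected as NONSECURE.
WARNING: Encrypted Key Header data is absent - generating plaintext version.
         The Customer Encryption Key will be transferred in plaintext!
Object reference not set to an instance of an object
Unhandled Exception!!! Application will now exit.
EOF
}

demo_dir=$(mktemp -d)
write_sample_log "$demo_dir/gen.log"
rc=0
check_ais_log "$demo_dir/gen.log" "$demo_dir/out.ais" || rc=$?
echo "check_ais_log returned $rc"
rm -rf "$demo_dir"
```

In a real run, the log file would hold the generator's captured stdout and stderr, and the second argument would be the path given to `-o`.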