
SECDEVTOOL-OMAPL138C6748: How do I load an encrypted boot load module to RAM?

Part Number: SECDEVTOOL-OMAPL138C6748
Other Parts Discussed in Thread: OMAPL138, OMAP-L138

Hi everyone,

I'm working on secure part OMAPL138/C6748 and having a problem in implementing a secondary boot loader (SBL).

As far as I know, to boot an AIS image using SBL, it must be created from an '.out' file via using LoadModGen_OMAP-L138.exe. Then, the SBL will load the AIS image into RAM and decrypt it with the secure kernel API SK_decryptMod(), finally the program counter will be assigned to the entry point of the decrypted module and the app can run from there.

My question is:

1. How do I detect the start of the boot load module (BLM) in NAND flash? It is weird that TI places the header of a BLM at the end of its payload, and the MAGIC NUMBER (in the header, used to detect the existence of an image) changes its value after the BLM is encrypted.

---------------------------
|         Payload          |
---------------------------
|          Header           |
---------------------------
|        Signature         |
---------------------------

2. Suppose that somehow I can detect the BLM in NAND flash. How do I recall the load address and the entry point of the BLM, so that I know where in RAM I should load the program to and where I should put the program counter to start running the app?

Because there is no documentation on those problems, I tried to resolve it my way. I attached my custom header to the original BLM, so that it had a new structure, like this:

---------------------------
|        My_Header         |
---------------------------
|         Payload          |
---------------------------
|          Header          |
---------------------------
|        Signature         |
---------------------------

Where the My_Header field consists of 4 attributes:

. MY_MAGIC_NUMBER: a constant number defined by me to detect the start of the BLM

. BLMSize: Size of the BLM, including My_Header

. LoadAddress: Load address of the application (I can get it from the '.cmd' file in the CCS project of the application)

. EntryPoint: Entry point of the application (I can get it from the '.map' file in the CCS project of the application)

With this solution, I could successfully load the BLM from NAND to RAM, decrypt it using SK_decrypt() and put the program counter at the entry point. However, the application then didn't work!!! What was wrong?

Thanks.
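As an added example (not code from the thread or from TI), the following C program shows one way to handle the two questions above on the host side before any jump happens: it scans a flash region page by page for a plaintext custom header with the four fields described (magic, BLM size, load address, entry point), rejects headers whose size or entry point cannot be right, and copies the encrypted payload to a buffer standing in for the load address. It goes beyond the post by adding sanity checks, because an encrypted payload can contain the magic value by chance. The magic value, the 2048-byte page size, the little-endian 32-bit field layout and all addresses are constructed assumptions; the actual decrypt and SK_switchNonSec() steps are outside this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not TI code: a plaintext header prepended to the encrypted
 * boot load module (BLM). All constants below are constructed for illustration. */
#define MY_MAGIC_NUMBER 0x214D4C42u   /* constructed: "BLM!" read as little-endian */
#define NAND_PAGE_SIZE  2048u         /* assumed page size; adjust to the part used */
#define MY_HEADER_SIZE  16u           /* four 32-bit little-endian fields */

typedef struct {
    uint32_t magic;        /* MY_MAGIC_NUMBER */
    uint32_t blmSize;      /* size of the BLM including this header */
    uint32_t loadAddress;  /* RAM address the encrypted module is copied to */
    uint32_t entryPoint;   /* address to jump to after decryption */
} MyHeader;

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32le(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Parse a candidate header at p and check it is plausible; returns 1 if so. */
static int parse_header(const uint8_t *p, size_t remaining, MyHeader *h)
{
    h->magic       = rd32le(p);
    h->blmSize     = rd32le(p + 4);
    h->loadAddress = rd32le(p + 8);
    h->entryPoint  = rd32le(p + 12);
    if (h->magic != MY_MAGIC_NUMBER) return 0;
    /* size must cover the header and fit inside what is left of the flash region */
    if (h->blmSize <= MY_HEADER_SIZE || h->blmSize > remaining) return 0;
    /* the entry point must lie inside the region the payload is loaded to
     * (assumption: the decrypted module occupies [loadAddress, loadAddress + payload)) */
    uint32_t payloadSize = h->blmSize - MY_HEADER_SIZE;
    if (h->entryPoint < h->loadAddress ||
        h->entryPoint - h->loadAddress >= payloadSize) return 0;
    return 1;
}

/* Scan the flash region at page boundaries for the custom header.
 * Returns the byte offset of the header, or -1 when no candidate passes. */
long find_blm(const uint8_t *flash, size_t flashLen, MyHeader *out)
{
    for (size_t off = 0; off + MY_HEADER_SIZE <= flashLen; off += NAND_PAGE_SIZE) {
        MyHeader h;
        if (parse_header(flash + off, flashLen - off, &h)) {
            if (out) *out = h;
            return (long)off;
        }
    }
    return -1;
}

/* Copy the encrypted payload (everything after My_Header) into ram, which
 * stands in for memory at h->loadAddress. Returns bytes copied, 0 on error. */
size_t load_payload(const uint8_t *flash, size_t flashLen, long off,
                    const MyHeader *h, uint8_t *ram, size_t ramLen)
{
    size_t payloadSize = h->blmSize - MY_HEADER_SIZE;
    if (off < 0 || (size_t)off + h->blmSize > flashLen || payloadSize > ramLen) return 0;
    memcpy(ram, flash + off + MY_HEADER_SIZE, payloadSize);
    return payloadSize;
}

/* Build a constructed flash image: page 0 carries a decoy magic with an
 * impossible size (as random ciphertext bytes might), page 2 carries a real header. */
size_t build_sample_flash(uint8_t *buf, size_t bufLen)
{
    const size_t imageLen = 4 * NAND_PAGE_SIZE;
    if (bufLen < imageLen) return 0;
    memset(buf, 0xA5, imageLen);                 /* 0xA5 stands in for ciphertext */
    wr32le(buf, MY_MAGIC_NUMBER);                /* decoy magic ...              */
    wr32le(buf + 4, 0);                          /* ... with a size of zero      */
    uint8_t *hdr = buf + 2 * NAND_PAGE_SIZE;
    wr32le(hdr,      MY_MAGIC_NUMBER);
    wr32le(hdr + 4,  MY_HEADER_SIZE + 1024);     /* 1 KiB encrypted payload      */
    wr32le(hdr + 8,  0xC0000000u);               /* constructed load address     */
    wr32le(hdr + 12, 0xC0000100u);               /* constructed entry point      */
    return imageLen;
}
```

The page-aligned scan keeps the search cheap and also means a magic value that happens to appear mid-page in ciphertext is never examined; the size and entry-point checks catch the remaining false positives. The same checks are worth running again after SK_decryptMod() reports success, since a wrong load address or entry point would only show up as the application silently failing to start, which is the symptom described in the post.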

  • Hi Tien Ngoc,

    I've forwarded this to the software experts. Their feedback should be posted here.

    BR
    Tsvetolin Shulev
  • Thanks, Tsvetolin Shulev
  • Tien,

    Runtime loading of secure modules is not supported on Basic secure boot samples. This feature was added to the device boot ROM but is supported as this requires secure to non-secure transition post boot and we don't have a good way to handle interrupts on DSP when device is in secure state.

    Kindly limit your usage and questions to basic secure booting on this device.

    Regards,
    Rahul
  • Rahul,

    You mean basic secure boot device doesn't support a solution for loading and decrypting a secure load module?

    I don't think so. In fact, I already called SK_switchNonSec() to jump to the entry point after decrypting the module successfully (SK_decryptMod() returns SL_OK). But things didn't work.

    Here I attach part of my code; hope it will help.

    // Log() and SK_switchNonSec() come from the application's logging code and
    // the TI secure kernel API wrapper respectively (declarations not shown here).
    unsigned int entryPoint = 0;          // entry point of the decrypted module
    static void (*appEntry)(void);        // function pointer used to jump to it

    // Local test function: simply logs in a loop so it is visible that it ran.
    void boot_code(void)
    {
        int i;
        for (i = 1; i < 10000; i++)
        {
            Log("xyz\t");
        }
    }

    int main(void)
    {
        // CODE TO LOAD AND DECRYPT APP IMAGE
        // ...

        // 1. JUMP TO ENTRY POINT -----> DOES NOT WORK          (section 2. must be commented)
        appEntry = (void (*)(void))entryPoint;    // entryPoint is assigned in the above code section
        SK_switchNonSec((void *)(unsigned) appEntry);

        // 2. JUMP TO A LOCAL FUNCTION -----> WORK                       (section 1. must be commented)
        SK_switchNonSec((void *)(unsigned) &boot_code);

        return 0;
    }

    Hope you will give me clearer answers to the above questions. If we can't write a secure secondary boot on OMAPL138 E, we will have to reject the TI chip for our product.

    Thank you,

  • Tien,

    What I mentioned was that the BootROM implements the feature so it is available for customers who want to implement it on their products if they think this is safe for their use case, but we don't provide support for it beyond providing the wrapper code. The only supported features for Basic secure devices are secure boot and JTAG lock down.

    To boot the device, we provide reference examples that show how to bind the boot image to device keys and reflash the image using a process described as binding. We also provide examples of secure kernel API usage for reference. If you don't have these examples, I can share them via private messages.

    Regards,
    Rahul
  • I have shared the examples for your reference using E2E private messaging. Note that to call secure APIs, you need to exit secure boot in SECUREWITHSK state (using the INI file setting), decrypt the module, then go to non-secure state using SK_switchNonSec before executing the rest of the code.

    Hope this helps.

    Regards,
    Rahul
  • Thanks Rahul,

    I'm trying to boot an image from a secondary boot loader,