• State
  • Replies 0 replies
  • Subscribers 53 subscribers
  • Views 11 views
  • Users 0 members are here
Support feedback
Options
Options
Related

LP-AM261: LP-AM261: Secure Boot

Payal Deshmukh
Prodigy 10 points

Part Number: LP-AM261

Hello everyone,

I am currently working on the AM261x-LP platform and trying to enable and understand the secure boot flow on my system.

I have been referring to the official documentation: https://software-dl.ti.com/mcu-plus-sdk/esd/AM261X/latest/exports/docs/api_guide_am261x/SECURE_BOOT.html

Here is what I have done so far:

  1. I built the SBL image using the following make command:
    make -s -C examples/drivers/boot/sbl_ospi_multicore_elf/am261x-lp/r5fss0-0_nortos/ti-arm-clang all DEVICE=am261x DEVICE_TYPE=HS
    This produced the file: sbl_ospi_multicore_elf.Release.hs.tiimage 

    1. Similarly, I built the application image using the command:
      make -s -C examples/drivers/gpio/gpio_led_blink/am261x-lp/r5fss0-0_freertos/ti-arm-clang all DEVICE=am261x DEVICE_TYPE=HS
      This produced the file: gpio_led_blink.mcelf.hs 
  2. I successfully flashed (non-secure images) sbl_ospi_multicore_elf.tiimage and gpio_led_blink.mcelf. Both the OSPI bootloader and the application boot and print output on the serial console correctly.
  3. However, when I flash (secure images) sbl_ospi_multicore_elf.Release.hs.tiimage and gpio_led_blink.mcelf.hs, I do not see any output on the serial console.
  4. I have not converted the device to HS-SE device yet. Do I need to convert the device to HS-SE?
  5. Is there any way to test the secure boot without converting the device to HS-SE? (Secure boot on HS-FS / GP device).
  6. How to convert device to HS-SE type? I have requested for AM261X-TIFS-SDK, but not received yet.
  7. Is there any way, to test secure boot without burning the keys?

In one post on TI forum, I read about the trial run mode. Does this also need the burning of the keys? How to execute trial mode?

I have read about enabling secure boot and understand that when building the SBL and application using the make commands, the generated binaries (with the extension .hs) are already signed. From what I gather, these images use a TI-dummy key for signing by default. Is that correct? 

Could anyone please help me understand the process to test and verify secure boot process?

Also I want to understand the following topics:

  1. What is the difference between device type HS-FS and GP?
  2. When I build the example code or SBL without setting DEVICE_TYPE=HS, gpio_led_blink.mcelf and sbl_ospi_multicore_elf.tiimage are generated. Are these images unsigned? and thse images are generated for which device type HS_FS or GP?
  3. How to identify the device type (GP/HS-FS/HS-SE) and the generated imgage is for which device type?

Thanks,

Payal