• State Resolved
  • Locked Locked
  • Replies 12 replies
  • Subscribers 30 subscribers
  • Views 256 views
  • Users 0 members are here
Support feedback
Options
Options
Similar topics

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

AM2634: OTP Keywriter Build Failing to Boot from QSPI with MCU+ SDK 09.01

Dominic Rath
Mastermind 6975 points
Part Number: AM2634

Tool/software:

Dear TI Team,

we've encountered an issue while building the OTP Keywriter application using MCU+ SDK 09.01 on the AM263x device. The resulting build fails to boot from QSPI flash.

This problem appears to be specific to builds generated with SDK 09.01, and affects for example the NULL SBL, too. The pre-built NULL SBL boots just fine, but a NULL SBL built from the example sources fails to boot.

In contrast, we've observed that SBLs built with MCU+ SDK 09.02 can boot successfully from QSPI without any issues.

Comparing the `tiimage` files from both SDK versions, we found a difference in the embedded certificates:

 * **SDK 09.01 Builds (Failing):** The certificate includes the X509v3 extension "Subject Key Identifier"

* **SDK 09.02 Builds (Working):** The certificate does not include this extension.

Interestingly, pre-built SBLs shipped with MCU+ SDK 09.01 do *not* contain this extension in their certificates. This issue only arises when building the OTP Keywriter or NULL SBL from scratch using SDK 09.01.

The latest OTP keywriter for the AM26x is for version 09.01, so based on other replies on E2E that is the MCU+ SDK version that should be used.

What is the recommended approach to successfully build and boot the OTP Keywriter application using MCU+ SDK 09.01? Is there a workaround or configuration change to address this certificate-related discrepancy?

Best Regards,

Dominic

  • 0
    TI__Mastermind 34942 points

    Hi Dominic,

    Very interesting, I did not see this issue while using OTP Keywriter with SDK 9.1

    Which OpenSSL version are you using?

  • 0
    TI__Mastermind 34942 points
    Dominic Rath said:
    The latest OTP keywriter for the AM26x is for version 09.01, so based on other replies on E2E that is the MCU+ SDK version that should be used.

    The latest OTP Keywriter version is 10.0. Do you see the same in your secure resource folder? And yes it should be used with MCU PLUS SDK 10.0 version.

  • 0 in reply to Nilabh Anand
    Mastermind 6975 points

    Hello Nialbh,

    no, I don't see OTP keywriter version 10.0 for the AM26x.

    There's version 1.0 which says it is for 08.03, and there's version SR_11_09_01_00_05. We're using SR1.1 hardware so that's the version we've been using.

    It works, but only if we use MCU+ SDK 09.02 to generate the .tiimage. Everything we generate from MCU+ SDK 09.01, including just the null bootloader (but for that we have a newer SDK, so we don't care about this issue itself), wont boot from QSPI. We also tried booting those images from UART with the same issue.

    If threre's a newer OTP keywriter to go with MCU+ SDK 10.00 that could be a way forward. Can you figure out why I don't see this under AM263x restricted security content?

    Regards,

    Dominic

  • 0 in reply to Dominic Rath
    Mastermind 6975 points
    Nilabh Anand said:
    Which OpenSSL version are you using?

    I'm using OpenSSL 3.1.4 24 Oct 2023 (Library: OpenSSL 3.1.4 24 Oct 2023).

    My colleague who initially found this problem is using OpenSSL 3.2.2 4 Jun 2024 (Library: OpenSSL 3.2.2 4 Jun 2024).

    Regards,

    Dominic

  • 0 in reply to Dominic Rath
    Mastermind 6975 points

    This is how I build the NULL SBL with SDK 09.01 (easier to share than OTP):

    dra@TECHNOKRATUS MINGW64 /c/ti/mcu_plus_sdk_am263x_09_01_00_41
$ C:/ti/ccs1271/ccs/utils/bin/gmake -s -C examples/drivers/boot/sbl_null/am263x-cc/r5fss0-0_nortos/ti-arm-clang clean all
 Cleaning: am263x:r5fss0-0:nortos:ti-arm-clang sbl_null.release.out ...
Generating SysConfig files ...
Running script...
Validating...
info: /kernel/dpl/debug_log uartLog.baudRate: Actual Baudrate Possible: 115385 (0 % error)
Generating Code (example.syscfg)...
Writing C:\ti\mcu_plus_sdk_am263x_09_01_00_41\examples\drivers\boot\sbl_null\am263x-cc\r5fss0-0_nortos\ti-arm-clang\generated\ti_dpl_config.c...
Writing C:\ti\mcu_plus_sdk_am263x_09_01_00_41\examples\drivers\boot\sbl_null\am263x-cc\r5fss0-0_nortos\ti-arm-clang\generated\ti_dpl_config.h...
Writing C:\ti\mcu_plus_sdk_am263x_09_01_00_41\examples\drivers\boot\sbl_null\am263x-cc\r5fss0-0_nortos\ti-arm-clang\generated\ti_drivers_config.c...
Writing C:\ti\mcu_plus_sdk_am263x_09_01_00_41\examples\drivers\boot\sbl_null\am263x-cc\r5fss0-0_nortos\ti-arm-clang\generated\ti_drivers_config.h...
Writing C:\ti\mcu_plus_sdk_am263x_09_01_00_41\examples\drivers\boot\sbl_null\am263x-cc\r5fss0-0_nortos\ti-arm-clang\generated\ti_drivers_open_close.c...
Writing C:\ti\mcu_plus_sdk_am263x_09_01_00_41\examples\drivers\boot\sbl_null\am263x-cc\r5fss0-0_nortos\ti-arm-clang\generated\ti_drivers_open_close.h...
Writing C:\ti\mcu_plus_sdk_am263x_09_01_00_41\examples\drivers\boot\sbl_null\am263x-cc\r5fss0-0_nortos\ti-arm-clang\generated\ti_pinmux_config.c...
Writing C:\ti\mcu_plus_sdk_am263x_09_01_00_41\examples\drivers\boot\sbl_null\am263x-cc\r5fss0-0_nortos\ti-arm-clang\generated\ti_power_clock_config.c...
Writing C:\ti\mcu_plus_sdk_am263x_09_01_00_41\examples\drivers\boot\sbl_null\am263x-cc\r5fss0-0_nortos\ti-arm-clang\generated\ti_board_config.c...
Writing C:\ti\mcu_plus_sdk_am263x_09_01_00_41\examples\drivers\boot\sbl_null\am263x-cc\r5fss0-0_nortos\ti-arm-clang\generated\ti_board_config.h...
Writing C:\ti\mcu_plus_sdk_am263x_09_01_00_41\examples\drivers\boot\sbl_null\am263x-cc\r5fss0-0_nortos\ti-arm-clang\generated\ti_board_open_close.c...
Writing C:\ti\mcu_plus_sdk_am263x_09_01_00_41\examples\drivers\boot\sbl_null\am263x-cc\r5fss0-0_nortos\ti-arm-clang\generated\ti_board_open_close.h...
Writing C:\ti\mcu_plus_sdk_am263x_09_01_00_41\examples\drivers\boot\sbl_null\am263x-cc\r5fss0-0_nortos\ti-arm-clang\generated\ti_enet_config.c...
Writing C:\ti\mcu_plus_sdk_am263x_09_01_00_41\examples\drivers\boot\sbl_null\am263x-cc\r5fss0-0_nortos\ti-arm-clang\generated\ti_enet_config.h...
Writing C:\ti\mcu_plus_sdk_am263x_09_01_00_41\examples\drivers\boot\sbl_null\am263x-cc\r5fss0-0_nortos\ti-arm-clang\generated\ti_enet_open_close.c...
Writing C:\ti\mcu_plus_sdk_am263x_09_01_00_41\examples\drivers\boot\sbl_null\am263x-cc\r5fss0-0_nortos\ti-arm-clang\generated\ti_enet_open_close.h...
Writing C:\ti\mcu_plus_sdk_am263x_09_01_00_41\examples\drivers\boot\sbl_null\am263x-cc\r5fss0-0_nortos\ti-arm-clang\generated\ti_enet_soc.c...
Writing C:\ti\mcu_plus_sdk_am263x_09_01_00_41\examples\drivers\boot\sbl_null\am263x-cc\r5fss0-0_nortos\ti-arm-clang\generated\ti_enet_lwipif.c...
Writing C:\ti\mcu_plus_sdk_am263x_09_01_00_41\examples\drivers\boot\sbl_null\am263x-cc\r5fss0-0_nortos\ti-arm-clang\generated\ti_enet_lwipif.h...
Writing C:\ti\mcu_plus_sdk_am263x_09_01_00_41\examples\drivers\boot\sbl_null\am263x-cc\r5fss0-0_nortos\ti-arm-clang\generated\linker.cmd...
 Compiling: am263x:r5fss0-0:nortos:ti-arm-clang sbl_null.release.out: ../main.c
 Compiling: am263x:r5fss0-0:nortos:ti-arm-clang sbl_null.release.out: generated/ti_drivers_config.c
 Compiling: am263x:r5fss0-0:nortos:ti-arm-clang sbl_null.release.out: generated/ti_drivers_open_close.c
 Compiling: am263x:r5fss0-0:nortos:ti-arm-clang sbl_null.release.out: generated/ti_board_config.c
 Compiling: am263x:r5fss0-0:nortos:ti-arm-clang sbl_null.release.out: generated/ti_board_open_close.c
 Compiling: am263x:r5fss0-0:nortos:ti-arm-clang sbl_null.release.out: generated/ti_dpl_config.c
 Compiling: am263x:r5fss0-0:nortos:ti-arm-clang sbl_null.release.out: generated/ti_pinmux_config.c
 Compiling: am263x:r5fss0-0:nortos:ti-arm-clang sbl_null.release.out: generated/ti_power_clock_config.c
 .
 Linking: am263x:r5fss0-0:nortos:ti-arm-clang sbl_null.release.out ...
 Linking: am263x:r5fss0-0:nortos:ti-arm-clang sbl_null.release.out Done !!!
 .
 Boot image: am263x:r5fss0-0:nortos:ti-arm-clang C:/ti/mcu_plus_sdk_am263x_09_01_00_41/examples/drivers/boot/sbl_null/am263x-cc/r5fss0-0_nortos/ti-arm-clang/sbl_null.release.tiimage ...
 Boot image: am263x:r5fss0-0:nortos:ti-arm-clang C:/ti/mcu_plus_sdk_am263x_09_01_00_41/examples/drivers/boot/sbl_null/am263x-cc/r5fss0-0_nortos/ti-arm-clang/sbl_null.release.tiimage Done !!!

    This is the resulting file that wont boot on our SR 1.1 AM263x control card:

    sbl_null.release.zip

    Regards,

    Dominic

  • 0 in reply to Dominic Rath
    TI__Mastermind 34942 points

    Hi Dominic, Few problems I see here:

    1. 

    Dominic Rath said:
    I'm using OpenSSL 3.1.4 24 Oct 2023 (Library: OpenSSL 3.1.4 24 Oct 2023).

    Open SSL version should be 1.1.1., as that is what we support currently for OTP-Keywriter. This is pending on us to upgrade OTP keywriter to support Openssl version 3

    Dominic Rath said:

    * **SDK 09.01 Builds (Failing):** The certificate includes the X509v3 extension "Subject Key Identifier"

    * **SDK 09.02 Builds (Working):** The certificate does not include this extension.

    And I am assuming this might be the reason for the difference as MCU PLUS SDK 9.1 support open ssl 1.1.1.

    Whereas SDK 9.2 got upgraded to support open ssl v3

    ...

  • 0 in reply to Nilabh Anand
    Mastermind 6975 points

    Hello Nilabh,

    OpenSSL 1.1.1 was discontinued, I'm not sure if we're able to switch back to an outdated version.

    Do you know how we can get access to OTP keywriter version 10.00?

    Regards,

    Dominic

  • 0 in reply to Dominic Rath
    TI__Mastermind 34942 points
    Dominic Rath said:
    OpenSSL 1.1.1 was discontinued, I'm not sure if we're able to switch back to an outdated version.

    I know dominic, apologies for this. I can share the open ssl 1.1.1 version if you want to test this

  • 0 in reply to Nilabh Anand
    TI__Mastermind 34942 points

    WIP_AM263x_OTP_Keywriter_Steps.pdf

    Also please refer to this on detailed steps for OTP Keywriter provisioning.Let me know if you have any other questions.

  • 0 in reply to Nilabh Anand
    Mastermind 6975 points

    Hello Nilabh,

    initially you mentioned an OTP keywriter version 10.00. Should that already be available, or is it planned in a reasonable timeframe (e.g. next 1-2 months)? If a new keywriter became available I suppose that would be good enough.

    Maintaining an OpenSSL 1.1.1 installation to generate the keywriter and a 3.x installation "for aynthing else" (e.g. application signing) is not a long-term option. We found a way to sign the OTP keywriter generated with 9.1 using scripts from 9.2. As a workaround that is good enough, now I'm looking for a clean solution going forward.

    Regards,

    Dominic

  • 0 in reply to Dominic Rath
    TI__Mastermind 34942 points

    Hi Dominic,

    We are planning to release a updated OTP Keywriter in next month with OpenSSL update.

  • +1 in reply to Dominic Rath
    TI__Mastermind 34942 points
    Dominic Rath said:
    initially you mentioned an OTP keywriter version 10.00. Should that already be available, or is it planned in a reasonable timeframe (e.g. next 1-2

    My bad this is a planned release. I will keep you posted on the update.