• State Resolved
  • Locked Locked
  • Replies 4 replies
  • Answers 1 answer
  • Subscribers 100 subscribers
  • Views 174 views
  • Users 0 members are here
Support feedback
Options
Options
Similar topics

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

PROCESSOR-SDK-AM62X: Generate Signed and encrypted boot binaries using processor SDK

Muhammad Fahad Jabbar
Prodigy 10 points
Part Number: PROCESSOR-SDK-AM62X

Tool/software:

I am currently trying to generate signed and encryprted boot images (tiboot3.bin tispl.bin and u-boot.img), using TI processor SDK ti-processor-sdk-linux-am62xx-evm-09.02.01.10. I have already placed my key at board/ti/keys location. this include only custMpk.pem and custMpk.crt latter one generated with "openssl req -batch -new -x509 -key keys/custMpk.pem -out keys/custMpk.crt"

It seems the out files tiboot3.bin tispl.bin and u-boot.img are still unsigned. what steps are needed to sign the binaries properly?

secondly, how do I encrypt the binaries? If I have fused the encryption key in the target is it necessary to encrypt the binaries or can I still skip the encryption?

  • 0
    TI__Guru 65525 points
    Muhammad Fahad Jabbar said:
    It seems the out files tiboot3.bin tispl.bin and u-boot.img are still unsigned. what steps are needed to sign the binaries properly?

    One option to build and sign u-boot binary is running "make u-boot" from the top level SDK folder after Linux SDK is installed. The generated and signed binary are under "SDK_installation/board-support/u-boot-build/".

    Muhammad Fahad Jabbar said:
    secondly, how do I encrypt the binaries? If I have fused the encryption key in the target is it necessary to encrypt the binaries or can I still skip the encryption?

    Binary encryption/decryption is optional in secure boot flow, and Linux SDK currently supports integrity check only via signature verification, but not binary encryption/decryption.
    Best,
    -Hong

  • 0 in reply to Hong Guan64
    Prodigy 10 points

    Thanks for your reply Hong, may be it was not clear from my question. I did make again u-boot with "make u-boot" from the top level SDK folder.

    So maybe I list all of my steps.

    I fused target with by generating 4 keywriter binaries and fusing in an incremental order. Generation of certifcates done with the following commands, followed by generating and running separate keywriter binaries

    ./gen_keywr_cert.sh --msv 0xC0FFE -t tifek/ti_fek_public.pem

    ./gen_keywr_cert.sh -t tifek/ti_fek_public.pem --bmpk keys/bmpk.pem  --bmek keys/bmek.key

    ./gen_keywr_cert.sh -t tifek/ti_fek_public.pem -a keys/aes256.key --smpk keys/smpk.pem --smek keys/smek.key

    ./gen_keywr_cert.sh -t tifek/ti_fek_public.pem --keycnt 2 --keyrev 1

    after running the keywriter successfully with the last certificate which includes keyrev 1 device was now in HS-SE state.

    I would now have to run a signed boot loaders, as this is our custom board, we use dfu mode for flashing. For this I need to first generate dfu bootloaders

    For that I made changes in the ti-processor-sdk-linux-am62xx-evm-09.02.01.10/Rules.make

    #PLATFORM?=am62xx-evm

    PLATFORM=am62xx-lp-evm-dfu

     

    ifeq ($(PLATFORM),am62xx-lp-evm-dfu)
        UBOOT_MACHINE=am62x_lpsk_a53_defconfig
        UBOOT_MACHINE_R5=am62x_lpsk_r5_usbdfu_defconfig
        MKIMAGE_DTB_FILE=a53/arch/arm/dts/k3-am62-lp-sk.dtb
    endif

    so now am62x_lpsk_r5_usbdfu_defconfig is used for building tiboot3.

    I made a symlink am62xx-lp-evm-dfu -> am62xx-lp-evm in ti-processor-sdk-linux-am62xx-evm-09.02.01.10/board-support/prebuilt-images as with the dfu defconfig it was required as I saw some errors (not sure if its right thing to do)

    Finally I placed my keys custMpk.pem and custMpk.crt in board/ti/keys location and ran "make u-boot" from the top level SDK folder

    then I used following files for flashing target

    ti-processor-sdk-linux-am62xx-evm-09.02.01.10/board-support/u-boot-build/r5/tiboot3-am62x-hs-evm.bin

    ti-processor-sdk-linux-am62xx-evm-09.02.01.10/board-support/u-boot-build/a53/u-boot.img

    ti-processor-sdk-linux-am62xx-evm-09.02.01.10/board-support/u-boot-build/a53/tispl.bin

    For flashing, I put the target in dfu mode using boot pins and ran following

    dfu-util -R -a bootloader -D tiboot3-am62x-hs-evm.bin-> no logs at the serial port output probably authentication failed

    dfu-util -R -a tispl.bin -D tispl.bin -> No DFU capable USB device available error as I think the first binary authentication is not passed

    So I am stuck at this point now. I hope this helps you to find what I am doing wrong.

  • +1 in reply to Muhammad Fahad Jabbar
    Prodigy 10 points

    I have figured out one stupid mistake, my device tree and defconfig are wrong. I need to adapt it for my board.

    since I am using my custom board how do I generate the binaries in "ti-processor-sdk-linux-am62xx-evm-09.02.01.10/board-support/prebuilt-images" for my custom board?

    Even though device tree and defconfig are not fully adapted, still main_uart0 related configs are the same as in am62xx-lp-evm, so I should get some output at main_uart0 after running dfu tiboot3-am62x-hs-evm.bin on my target.

  • 0 in reply to Muhammad Fahad Jabbar
    Prodigy 10 points

    I am able boot now as mentioned in previous comment my configurations were wrong for our custom board. Thanks lot for your support.