SPRADG2 January 2024 AM67 , AM67A , AM68 , AM68A , AM69 , AM69A , DRA821U , DRA821U-Q1 , DRA829J , DRA829J-Q1 , DRA829V , DRA829V-Q1 , TDA4AEN-Q1 , TDA4AH-Q1 , TDA4AL-Q1 , TDA4AP-Q1 , TDA4APE-Q1 , TDA4VE-Q1 , TDA4VEN-Q1 , TDA4VH-Q1 , TDA4VL-Q1 , TDA4VM , TDA4VM-Q1 , TDA4VP-Q1 , TDA4VPE-Q1
This is mandatory for all Jacinto7 HS device return bench tests. TI may need to log into the HLOS (such as Linux) to run more tests and collect more log information for further analysis, so additional signed binaries are needed to unlock the device. The following introduction mainly covers SPL boot mode.
TI will send you board-cfg.bin, sec-cfg.bin, rm-cfg.bin and pm-cfg.bin (located in /ti-processor-sdk-linux-j7-evm-xx_xx_xx_xx/board-support/k3-image-gen-2021.01a/out/soc/j721e/evm) and request that you sign these files with secure-binary-image.sh and return the signed images. Use the following command to generate each signed binary:
/ti-processor-sdk-linux-j7-evm-07_03_00_05/board-support/core-secdev-k3/scripts/secure-binary-image.sh out/soc/j721e/evm/board-cfg.bin out/soc/j721e/evm/board-cfg.bin-signed
Sign the SYSFW inner certificate with custMpk.pem using ./gen_x509_cert.sh. This step differs between HS and HS-Prime devices; you only need to choose one of the two ways to generate it.
TI will prepare ti-fs-firmware-j721e_sr1_1-hs-enc.bin and ti-fs-firmware-j721e_sr1_1-hs-cert.bin for the customer to sign.
./gen_x509_cert.sh -d -c m3 -b /home/chris/J7/J721e/86/hs/board-support/prebuilt-images/ti-fs-firmware-j721e_sr1_1-hs-cert.bin -o ti-fs-firmware-j721e_sr1_1-hs-certs.bin -l 0x40000 -k /home/chris/J7/J721e/86/hs/board-support/core-secdev-k3/keys/custMpk.pem -r 1
Generate sysfw.bin-hs with the cat command (the signed certificate comes first, followed by the encrypted firmware):
cat ti-fs-firmware-j721e_sr1_1-hs-certs.bin /home/chris/J7/J721e/86/hs/board-support/prebuilt-images/ti-fs-firmware-j721e_sr1_1-hs-enc.bin > out/soc/j721e/evm/sysfw.bin-hs
TI will prepare only ti-fs-firmware-j721e-hs.bin for the customer to sign.
./gen_x509_cert.sh -d -c m3 -b /home/chris/J7/J721e/86/hs/board-support/prebuilt-images/ti-fs-firmware-j721e-hs.bin -o out/soc/j721e/evm/sysfw.bin-hs -l 0x40000 -k /home/chris/J7/J721e/86/hs/board-support/core-secdev-k3/keys/custMpk.pem -r 1
The customer only needs to sign this one binary; no cat command needs to be executed.
This is mandatory for all HS device types. Use the command below to generate the ITS file first.
./gen_its.sh j721e_sr1_1 hs evm out/soc/j721e/evm/sysfw.bin-hs out/soc/j721e/evm/board-cfg.bin-signed out/soc/j721e/evm/pm-cfg.bin-signed out/soc/j721e/evm/rm-cfg.bin-signed out/soc/j721e/evm/sec-cfg.bin-signed > out/soc/j721e/evm/sysfw-j721e_sr1_1-evm.its
Use mkimage to generate sysfw-j721e_sr1_1-evm.itb and rename it to sysfw.itb.
mkimage -f out/soc/j721e/evm/sysfw-j721e_sr1_1-evm.its -r out/soc/j721e/evm/sysfw-j721e_sr1_1-evm.itb
mv out/soc/j721e/evm/sysfw-j721e_sr1_1-evm.itb out/soc/j721e/evm/sysfw.itb
Apply the patch below to U-Boot first and regenerate u-boot-spl.bin. This patch removes the need to sign the subsequent kernel or application files.
diff --git a/arch/arm/mach-k3/security.c b/arch/arm/mach-k3/security.c
index 092588f4b5..c55d1da689 100644
--- a/arch/arm/mach-k3/security.c
+++ b/arch/arm/mach-k3/security.c
@@ -53,6 +53,14 @@ void ti_secure_image_post_process(void **p_image, size_t *p_size)
if (!image_size)
return;
+ if (get_device_type() == K3_DEVICE_TYPE_HS_SE &&
+ !ti_secure_cert_detected(*p_image)) {
+ printf("Warning: Did not detect image signing certificate. "
+ "Skipping authentication to prevent boot failure for CRP. "
+ "This will fail on Security Enforcing(HS-SE) devices\n");
+ return;
+ }
+
if (get_device_type() == K3_DEVICE_TYPE_GP) {
if (ti_secure_cert_detected(*p_image)) {
printf("Warning: Detected image signing certificate on GP device. "
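Review bot: the new early return at the top of the hunk tests `get_device_type() == K3_DEVICE_TYPE_HS_SE`, yet the message it prints says that skipping authentication "will fail on Security Enforcing(HS-SE) devices"; the condition and the warning contradict each other, so confirm which device type the bypass is meant to apply to and make the string match the check. A comment above the block would also help: this return turns a missing signing certificate from a fatal authentication failure into a printed warning, which is why the u-boot-spl.bin built with it should stay confined to the TI return-bench images and never be reused as a production SPL.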
Use k3_gen_x509_cert.sh to generate tiboot3.bin.
u-boot-2021.01+gitAUTOINC+62a9e51344-g62a9e51344/tools/k3_gen_x509_cert.sh -c 16 -b s -o tiboot3.bin -l 0x41c00000 -r 1 -k /home/chris/J7/J721e/86/l/board-support/core-secdev-k3/keys/custMpk.pem
You only need to provide tiboot3.bin and sysfw.bin to TI.