SPRAD04 January   2022 TDA4VH-Q1 , TDA4VM , TDA4VM-Q1

 

  1.   Trademarks
  2. 1Introduction
  3. 2TIDK Device Verification
    1. 2.1 Sign and Encrypt Second BootLoader (SBL)
    2. 2.2 Sign and Encrypt System Image
  4. 3Keys Programming
    1. 3.1 Install Keywriter
    2. 3.2 Keys Generation
    3. 3.3 Build Keywriter Application
    4. 3.4 Program Keys in HS-FS Device
  5. 4Key Programming Verification
  6. 5Building and Booting on HS Devices Using Linux SDK
  7. 6Summary

2.1 Sign and Encrypt Second BootLoader (SBL)

The SBL (Second BootLoader) is loaded by MCU R5F ROM and authenticated by DMSC. The MCU R5F runs this code and starts the boot flow for other cores. Follow below command to build the signed SBL for HS device.

# cd ~/ti-processor-sdk-rtos-j721e-evm-07_01_00_11/pdk_jacinto_07_01_00_45/packages/ti/build
# make -j BOARD=j721e_evm CORE=mcu1_0 BUILD_PROFILE=release sbl_mmcsd_img_hs
#ls ${PSDKRA_PATH}/pdk/packages/ti/boot/sbl/binary/j721e_evm_hs/mmcsd/bin/sbl_mmcsd_img_mcu1_0_release.tiimage

The default makefile only sign the SBL but does not encrypt that, apply below patch and rebuild the SBL_HS to get the sign and encrypt SBL image.

diff --git a/packages/ti/build/makerules/common.mk b/packages/ti/build/makerules/common.mk
index f56e069..e9ec0d9 100644
--- a/packages/ti/build/makerules/common.mk
+++ b/packages/ti/build/makerules/common.mk
@@ -635,7 +635,7 @@ else ifeq ($(SOC),$(filter $(SOC), am65xx am64x j721e j7200))
        $(CHMOD) a+x $(SBL_CERT_GEN)
 endif
-       $(SBL_CERT_GEN) -b $(SBL_BIN_PATH) -o $(SBL_TIIMAGE_PATH) -c R5 -l $(SBL_RUN_ADDRESS) -k $($(APP_NAME)_SBL_CERT_KEY) -d DEBUG -j DBG_FULL_ENABLE -m $(SBL_MCU_STARTUP_MODE)
+       $(SBL_CERT_GEN) -b $(SBL_BIN_PATH) -o $(SBL_TIIMAGE_PATH) -c R5 -l $(SBL_RUN_ADDRESS) -k $($(APP_NAME)_SBL_CERT_KEY)  -y ENCRYPT -e $(SBL_ENCRYPT_KEY_HS) -d DEBUG -j DBG_FULL_ENABLE -m $(SBL_MCU_STARTUP_MODE)
diff --git a/packages/ti/build/makerules/platform.mk b/packages/ti/build/makerules/platform.mk
index cc6b905..381f1dd 100644
--- a/packages/ti/build/makerules/platform.mk
+++ b/packages/ti/build/makerules/platform.mk
@@ -200,7 +200,7 @@ endif
export SBL_CERT_KEY=$(ROOTDIR)/ti/build/makerules/rom_degenerateKey.pem
-
+export SBL_ENCRYPT_KEY_HS=~/TIDummyKey/smek.txt

The previous makefile and compile command will generate the GP SBL binary first, then use TI dummy key to sign and encrypt it. Also, during building the SBL_HS, it will also sign the board configuration, security configuration, RM (Resource Management) and PM (Power Management), then integrate it into SBL. So, the finally SBL can be authenticate and decrypt by HS-SE-TIDK device.

Before starting the encryption of the binary, there is a known bug in SDK8.0 and previous SDK versions. Apply the following patch first then encrypt the binary.

diff --git a/packages/ti/build/makerules/x509CertificateGen.sh b/packages/ti/build/makerules/x509CertificateGen.sh
index 20fe23b..4c906e5 100755
--- a/packages/ti/build/makerules/x509CertificateGen.sh
+++ b/packages/ti/build/makerules/x509CertificateGen.sh
@@ -116,7 +116,7 @@ image_encrypt() {
        truncate -s %16 enc_tmp.bin
        xxd -r -p $ENC_RS enc_rs.bin
        cat enc_tmp.bin  enc_rs.bin > enc_bin_rs.bin
-       ENC_BIN=$CERT_SIGN"-ENC-"$BIN
+       ENC_BIN=$BIN"-ENC-"$CERT_SIGN
        echo "$ENC_BIN"
        if [ "$IMG_ENC" == "ENCRYPT" ];then