SPRADG2 January 2024 TDA4VM , TDA4VM-Q1
This is mandatory for all Jacinto7 HS device return Bench tests. TI may need to log into the HLOS system to run more tests for further analysis. More signed binary are needed to unlock the device. The reason is that for Bench testing, TI needs to enter the HLOS (like Linux) to obtain more log information, so more signed binaries is needed. The following introduction is mainly for SPL boot mode.
TI will prepare board-cfg.bin; sec-cfg.bin; rm-cfg.bin; pm-cfg.bin (location in /ti-processor-sdk-linux-j7-evm-xx_xx_xx_xx/board-support/k3-image-gen-2021.01a/out/soc/j721e/evm) to you, and request that you sign these files by secure-binary-image.sh. Then, return the signed image. Use the following command to generate the binary signed:
/ti-processor-sdk-linux-j7-evm-07_03_00_05/board-support/core-secdev-k3/scripts/secure-binary-image.sh
out/soc/j721e/evm/board-cfg.bin out/soc/j721e/evm/board-cfg.bin-signedSign the sysfw inner certificate with custMpk.pem by ./gen_x509_cert.sh, This is different between the HS and HS-Prime device. You only need to chose one way to generate.
TI will prepare the ti-fs-firmware-j721e_sr1_1-hs-enc.bin and ti-fs-firmware-j721e_sr1_1-hs-cert.bin for customer sign.
./gen_x509_cert.sh -d -c m3 -b /home/chris/J7/J721e/86/hs/board-support/prebuilt-images/ti-fs-firmware-
j721e_sr1_1-hs-cert.bin -o ti-fs-firmware-j721e_sr1_1-hs-certs.bin -l 0x40000 -k /home/chris/J7/J721e/86/hs/board-
support/core-secdev-k3/keys/custMpk.pem -r 1You need to generate sysfw.bin-hs by cat command.
cat ti-fs-firmware-j721e_sr1_1-hs-certs.bin /home/chris/J7/J721e/86/hs/board-support/prebuilt-images/ti-fs-
firmware-j721e_sr1_1-hs-enc.bin > out/soc/j721e/evm/sysfw.bin-hsTI will prepare only ti-fs-firmware-j721e-hs.bin for customer sign.
./gen_x509_cert.sh -d -c m3 -b /home/chris/J7/J721e/86/hs/board-support/prebuilt-images/ ti-fs-firmware-j721e-hs.bin -o out/soc/j721e/evm/sysfw.bin-hs -l 0x40000 -k /home/chris/J7/J721e/86/hs/board-support/core-secdev-k3/keys/custMpk.pem -r 1Customer will only need sign this binary only. No more cat command need be executed.
This is mandatory for all type HS device. Use the command below to generate the its file first.
./gen_its.sh j721e_sr1_1 hs evm out/soc/j721e/evm/sysfw.bin-hs out/soc/j721e/evm/board-cfg.bin-signed
out/soc/j721e/evm/pm-cfg.bin-signed out/soc/j721e/evm/rm-cfg.bin-signed out/soc/j721e/evm/sec-cfg.bin-signed >
out/soc/j721e/evm/sysfw-j721e_sr1_1-evm.itsUse this command mkimage to generate sysfw-j721e_sr1_1-evm.itb and rename to sysfw.itb.
mkimage -f out/soc/j721e/evm/sysfw-j721e_sr1_1-evm.its -r sysfw-j721e_sr1_1-evm.itb
move out/soc/j721e/evm/sysfw-j721e_sr1_1-evm.itb out/soc/j721e/evm/sysfw.itbYou need the patch below to U-boot first, and regenerate the u-boot-spl.bin. This patch skips the need to sign subsequent kernel or app files.
diff --git a/arch/arm/mach-k3/security.c b/arch/arm/mach-k3/security.c
index 092588f4b5..c55d1da689 100644
--- a/arch/arm/mach-k3/security.c
+++ b/arch/arm/mach-k3/security.c
@@ -53,6 +53,14 @@ void ti_secure_image_post_process(void **p_image, size_t *p_size)
if (!image_size)
return;
+ if (get_device_type() == K3_DEVICE_TYPE_HS_SE &&
+ !ti_secure_cert_detected(*p_image)) {
+ printf("Warning: Did not detect image signing certificate. "
+ "Skipping authentication to prevent boot failure for CRP. "
+ "This will fail on Security Enforcing(HS-SE) devices\n");
+ return;
+ }
+
if (get_device_type() == K3_DEVICE_TYPE_GP) {
if (ti_secure_cert_detected(*p_image)) {
printf("Warning: Detected image signing certificate on GP device. "Use k3_gen_x509_cert.sh to generate tiboot3.bin.
u-boot-2021.01+gitAUTOINC+62a9e51344-g62a9e51344/tools/k3_gen_x509_cert.sh -c 16 -b s -o tiboot3.bin -l
0x41c00000 -r 1 -k /home/chris/J7/J721e/86/l/board-support/core-secdev-k3/keys/custMpk.pemYou need to provide the tiboot3.bin and sysfw.bin to TI only.