SPRUJC1 April   2024

 

  1.   1
  2.   Abstract
  3.   Trademarks
  4. 1Introduction
    1. 1.1 Unlocking JTAG With Jacinto7 Security Enabled Devices
  5. 2Steps to Unlock JTAG for HSM Core With TRACE32
    1. 2.1 Modifying the SCI Client Default Security Board Configuration
      1. 2.1.1 PROCESSOR-SDK-RTOS
      2. 2.1.2 PROCESSOR-SDK-LINUX
    2. 2.2 Building the SCI Client Security Board Configuration
      1. 2.2.1 PROCESSOR-SDK-RTOS
      2. 2.2.2 PROCESSOR-SDK-LINUX
    3. 2.3 Modifying the Secondary Bootloader’s x509 Certificate
      1. 2.3.1 Windows Build Environment
      2. 2.3.2 Ubuntu Build Environment
    4. 2.4 Building the Secondary Bootloader
    5. 2.5 Verifying Secondary Bootloader and TIFS is Executing
    6. 2.6 Creating a Downloadable x509 Certificate With a Debug Extension
    7. 2.7 Execution of TRACE32 Unlock Script
    8. 2.8 Attaching to HSM Core With TRACE32

2.6 Creating a Downloadable x509 Certificate With a Debug Extension

Now it is necessary to create a downloadable x509 certificate which contains an appropriately configured debug extension. An x509 configuration template does exist online and it's corresponding hyperlink is located at the end of this section. A x509 configuration template does exist online located in the following link: TISCI User Guide - X509 Configuration Template.

For reference, an x509 certificate’s fields have been explicitly configured for the unlocking of the HSM below:

[ req ]
distinguished_name   = req_distinguished_name
x509_extensions      = v3_ca
prompt               = no
dirstring_type       = nobmp

[ req_distinguished_name ]
C                    = US
ST                   = SC
L                    = Dallas
O                    = Texas Instruments., Inc.
OU                   = PBU
CN                   = Albert
emailAddress         = Albert@ti.com

[ v3_ca ]
basicConstraints = CA:true
1.3.6.1.4.1.294.1.3=ASN1:SEQUENCE:swrv
1.3.6.1.4.1.294.1.8=ASN1:SEQUENCE:debug

[ swrv ]
swrv= INTEGER:0

[ debug ]
debugUID  = FORMAT:HEX,OCT:0000
debugType = INTEGER:5
coreDbgEn = INTEGER:0x010206070809
coreDbgSecEn = INTEGER:0x202180

After creating the “cert.txt” file with the appropriate x509 field for JTAG unlock as described above it is now necessary to execute the following OpenSSL signing script:

openssl req -new -x509 -key  k3_dev_mpk.pem -nodes -outform der -out cert.bin -config cert.txt -sha512
Note: Signing the x509 certificate with OpenSSL must be done with “k3_dev_mpk.pem” key for J7 HS-DK devices. The “k3_dev_mpk.pem” key is located in the following directory: <pdk_path>/packages/ti/build/makerules.