After generating the keys to be programmed into the SoC, perform the following command to generate the x509 certificate.

# cd ${PSDKRA_PATH}/pdk/packages/ti/boot/sbl/example/k3MulticoreApp/keywriter/scripts
# ./gen_keywr_cert.sh -s keys/smpk.pem --smek keys/smek.key -t keys/tifekpub.pem -a keys/aes256.key

You can find the generated certificate in the folder: x509cert/final_certificate.bin. Perform the following command to compile the keywriter source code and append the x509 certificate to the keywriter application.

# cd ${PSDKRA_PATH}/pdk/packages/ti/build
# make keywriter_img -j8

The TIFS in GP silicon and HS-FS silicon are different, because the TI production key is already programmed to HS-FS silicon in the TI factory, but it is empty in the GP device. However, while building the Keywriter application, the keywriter.mk in PDK will load the HS-FS TIFS binary and convert it to array forms, which can load by the keywriter application source code. All of these steps are executed automatically while compiling the keywriter source code, so no extra operation required.

The generated keywriter application is in folder:
${PSDKRA_PATH}/pdk/packages/ti/boot/sbl/example/k3MulticoreApp/binary/keywriter_img_j721e_release.bin