
AM625: AM625 signed kernel and DTB authentication


https://e2e.ti.com/support/processors-group/processors/f/processors-forum/1593528/am625-am625-signed-kernal-and-dtb-authentication

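Part Number: AM625

Dear TI,

I am using "ti-processor-sdk-linux-am62xx-evm-09.02.01.09" and verifying secure boot.

I was able to change an HSFS device to HSSE and boot successfully with the signed bootloader and fitImage.

But I am not sure whether it also authenticates the kernel and DTB signatures.

The log below is the part of the boot log where it loads the FIT image, but I cannot find any "Authentication passed" message.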

8408726 bytes read in 105 ms (76.4 MiB/s)
name_fit_config=conf-ti_k3-am625-sk.dtb
## Loading kernel from FIT Image at 90000000 ...
   Using 'conf-ti_k3-am625-sk.dtb' configuration
   Verifying Hash Integrity ... sha512,rsa4096:custMpk+ OK
   Trying 'kernel-1' kernel subimage
     Description:  Linux kernel
     Type:         Kernel Image
     Compression:  gzip compressed
     Data Start:   0x900000f4
     Data Size:    8216626 Bytes = 7.8 MiB
     Architecture: AArch64
     OS:           Linux
     Load Address: 0x81000000
     Entry Point:  0x81000000
     Hash algo:    sha512
     Hash value:   c1014b2ff3bfe7d7285c4963a710a6a0357476583da55eaedfe5dec8e719dd895092935b0f8a38a29a45ee763fe8cd17eb4dca5dc9cf65a69127e707f215b785
   Verifying Hash Integrity ... sha512+ OK
## Loading fdt from FIT Image at 90000000 ...
   Using 'conf-ti_k3-am625-sk.dtb' configuration
   Verifying Hash Integrity ... sha512,rsa4096:custMpk+ OK
   Trying 'fdt-ti_k3-am625-sk.dtb' fdt subimage
     Description:  Flattened Device Tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x907e5230
     Data Size:    59546 Bytes = 58.2 KiB
     Architecture: AArch64
     Load Address: 0x83000000
     Hash algo:    sha512
     Hash value:   f05cc2def183826a0634e6ab99feb93a1ce63835ff8ba604c83493d9ac3f8498a75cdeb41b76342fda8f7f6cd7a6dd824eaa109021245420331b6fbea214c2c2
   Verifying Hash Integrity ... sha512+ OK
   Loading fdt from 0x907e5230 to 0x83000000
   Booting using the fdt blob at 0x83000000
Working FDT set to 83000000
   Uncompressing Kernel Image
   Loading Device Tree to 000000008ffee000, end 000000008ffff899 ... OK
Working FDT set to 8ffee000
Starting kernel ...

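Could you tell me whether the kernel image contains a signature and whether it was checked in this log?

If the signature is not checked, could you guide me on how to sign the kernel and dtb files?

Is it related to TI_SECURE_DEV_PKG (core-secdev-k3) mentioned in "AM62x_Secure_sdk_v1.pdf"?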

BR

杰斯

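  • Yes, the log shows that u-boot verified the kernel/dtb correctly.

    There was a change in u-boot starting from SDK 9.x in how the kernel FIT image is verified: the generic u-boot FIT signature verification, which supports signed configurations, is used instead of the TIFS TISCI API to verify the kernel FIT image. The rationale is that ROM/TIFS is used to verify the u-boot binaries to establish the SoC-level ROT for secure boot, so that the generic u-boot FIT signature verification flow can be used for the rest of the secure boot chain...

    For details, please refer to this earlier e2e.
    Question: AM6412: Signing the kernel FIT image for secure boot

    Best regards,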
    - Hong
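
An added example, not part of the original thread and not TI's or U-Boot's code: a small log audit that separates the two kinds of "Verifying Hash Integrity" lines seen above, the configuration line that names a signature algorithm and key (`sha512,rsa4096:custMpk+`) and the sub-image line that only names a digest (`sha512+`). The line format is inferred from the logs on this page; the function names and the `ramdisk` / `conf-unsigned` section are constructed for illustration.

```python
import re

# Constructed sample: kernel/fdt lines follow this thread's log; "ramdisk" is made up.
SAMPLE_LOG = """\
## Loading kernel from FIT Image at 90000000 ...
   Using 'conf-ti_k3-am625-sk.dtb' configuration
   Verifying Hash Integrity ... sha512,rsa4096:custMpk+ OK
   Trying 'kernel-1' kernel subimage
   Verifying Hash Integrity ... sha512+ OK
## Loading fdt from FIT Image at 90000000 ...
   Using 'conf-ti_k3-am625-sk.dtb' configuration
   Verifying Hash Integrity ... sha512,rsa4096:custMpk+ OK
   Trying 'fdt-ti_k3-am625-sk.dtb' fdt subimage
   Verifying Hash Integrity ... sha512+ OK
## Loading ramdisk from FIT Image at 90000000 ...
   Using 'conf-unsigned' configuration
   Verifying Hash Integrity ... OK
   Trying 'ramdisk-1' ramdisk subimage
   Verifying Hash Integrity ... sha512+ OK
"""

LOAD = re.compile(r"^\s*## Loading (\w+) from FIT Image")
SCOPE = re.compile(r"^\s*(Using|Trying) '")
VERIFY = re.compile(r"^\s*Verifying Hash Integrity \.\.\.\s*(.*)$")
# "<hash>,<crypto>:<key name>+" marks a signature that verified; "<hash>+" is a digest only.
SIGNED = re.compile(r"\w+,\w+:(\S+)\+")

def audit_fit_log(text):
    """Map each loaded component to its configuration-signature and image-hash status."""
    report, part, scope = {}, None, None
    for line in text.splitlines():
        if m := LOAD.match(line):
            part, scope = m.group(1), None
            report[part] = {"config_signed_by": None, "image_hash_ok": False}
        elif part and (m := SCOPE.match(line)):
            scope = "config" if m.group(1) == "Using" else "image"
        elif part and scope and (m := VERIFY.match(line)):
            result = m.group(1).strip()
            if result.endswith("OK") and scope == "config":
                sig = SIGNED.search(result)
                report[part]["config_signed_by"] = sig.group(1) if sig else None
            elif result.endswith("OK"):
                report[part]["image_hash_ok"] = "+" in result
            scope = None
    return report

def unverified_components(report):
    # A component counts as verified only with a signed configuration AND a passing hash.
    return sorted(p for p, r in report.items() if not (r["config_signed_by"] and r["image_hash_ok"]))
```

Run against a captured console log, an empty result from `unverified_components` means every loaded component sat under a signature-checked configuration, which is the condition the reply above reads off the `rsa4096:custMpk+` lines.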

  • Hi Hong,

    So do we no longer need to consider TI_SECURE_DEV_PKG (core-secdev-k3) in SDK 9?

    Am I right to think that all security features are working properly with the default keys?

    FYI, I have also added the boot log from before the kernel verification.

    U-Boot SPL 2023.04-ti-gf9b966c67473 (Mar 19 2024 - 20:31:40 +0000)
    SYSFW ABI: 3.1 (firmware rev 0x0009 '9.2.7--v09.02.07 (Kool Koala)')
    SPL initial stack usage: 13408 bytes
    Trying to boot from MMC2
    Authentication passed
    Authentication passed
    Authentication passed
    Authentication passed
    Authentication passed
    Starting ATF on ARM64 core...
    
    NOTICE:  BL31: v2.10.0(release):v2.10.0-367-g00f1ec6b87-dirty
    NOTICE:  BL31: Built : 16:09:05, Feb  9 2024
    
    U-Boot SPL 2023.04-dirty (Dec 02 2025 - 14:59:28 +0900)
    SYSFW ABI: 3.1 (firmware rev 0x0009 '9.2.7--v09.02.07 (Kool Koala)')
    SPL initial stack usage: 1856 bytes
    Trying to boot from MMC2
    Authentication passed
    Authentication passed
    
    
    U-Boot 2023.04-dirty (Dec 02 2025 - 14:59:28 +0900)
    
    SoC:   AM62X SR1.0 HS-SE
    Model: Texas Instruments AM625 SK
    EEPROM not available at 80, trying to read at 81
    Board: AM62B-SKEVM-P1 rev A
    DRAM:  2 GiB
    Core:  72 devices, 32 uclasses, devicetree: separate
    MMC:   mmc@fa10000: 0, mmc@fa00000: 1
    Loading Environment from nowhere... OK
    In:    serial
    Out:   serial
    Err:   serial
    Net:   eth0: ethernet@8000000port@1
    Hit any key to stop autoboot:  0
    switch to partitions #0, OK
    mmc1 is current device
    
    
    
    
    
    
    
    
    
    
    SD/MMC found on device 1
    Failed to load 'boot.scr'
    574 bytes read in 16 ms (34.2 KiB/s)
    Loaded env from uEnv.txt
    Importing environment from mmc1 ...
    ## Error: "main_cpsw0_qsgmii_phyinit" not defined
    8408726 bytes read in 106 ms (75.7 MiB/s)
    name_fit_config=conf-ti_k3-am625-sk.dtb
    ## Loading kernel from FIT Image at 90000000 ...
       Using 'conf-ti_k3-am625-sk.dtb' configuration
       Verifying Hash Integrity ... sha512,rsa4096:custMpk+ OK
       Trying 'kernel-1' kernel subimage
         Description:  Linux kernel
         Type:         Kernel Image
         Compression:  gzip compressed
         Data Start:   0x900000f4
         Data Size:    8216626 Bytes = 7.8 MiB
         Architecture: AArch64
         OS:           Linux
         Load Address: 0x81000000
         Entry Point:  0x81000000
         Hash algo:    sha512
         Hash value:   c1014b2ff3bfe7d7285c4963a710a6a0357476583da55eaedfe5dec8e719dd895092935b0f8a38a29a45ee763fe8cd17eb4dca5dc9cf65a69127e707f215b785
       Verifying Hash Integrity ... sha512+ OK
    ## Loading fdt from FIT Image at 90000000 ...
       Using 'conf-ti_k3-am625-sk.dtb' configuration
       Verifying Hash Integrity ... sha512,rsa4096:custMpk+ OK
       Trying 'fdt-ti_k3-am625-sk.dtb' fdt subimage
         Description:  Flattened Device Tree blob
         Type:         Flat Device Tree
         Compression:  uncompressed
         Data Start:   0x907e5230
         Data Size:    59546 Bytes = 58.2 KiB
         Architecture: AArch64
         Load Address: 0x83000000
         Hash algo:    sha512
         Hash value:   f05cc2def183826a0634e6ab99feb93a1ce63835ff8ba604c83493d9ac3f8498a75cdeb41b76342fda8f7f6cd7a6dd824eaa109021245420331b6fbea214c2c2
       Verifying Hash Integrity ... sha512+ OK
       Loading fdt from 0x907e5230 to 0x83000000
       Booting using the fdt blob at 0x83000000
    Working FDT set to 83000000
       Uncompressing Kernel Image
       Loading Device Tree to 000000008ffee000, end 000000008ffff899 ... OK
    Working FDT set to 8ffee000
    
    Starting kernel ...
    

    BR

    杰斯

  • So do we no longer need to consider TI_SECURE_DEV_PKG (core-secdev-k3) in SDK 9?

    https://software-dl.ti.com/processor-sdk-linux/esd/AM62X/11_01_05_03/exports/docs/linux/Foundational_Components_Migration_Guide.html#k3-image-gen
    "k3-image-gen is no longer used in the 9.0 SDK. Binman is now used to package the images in the u-boot source..."

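    [quote userid="606047" url="~/support/processors-group/processors/f/processors-forum/1593528/am625-am625-signed-kernal-and-dtb-authentication/6140318"]

    Am I right to think that all security features are working properly with the default keys?

    FYI, I have also added the boot log from before the kernel verification.

    [/quote]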

    Yes, the log shows that secure boot is working properly.
    Best regards,
    - Hong