Hi Ti
I follow AM64X_AM243X_OTP_Keywriter_User_Guide_08.02.pdf verify signature.
After write tiboo3.bin(Build by gen_keywr_cert.sh) , I can get info as following:
I think the SoC had work on SE type. But I use the tiboot3.bin(Build by U-boot) has sign image to boot DUT, it has no massage. My verify steps as following:
keywriter:
1. run: mcu_plus_sdk_am64x_08_04_00_17-linux-x64-installer.run , otp_keywriter_am64x_am243x_08.04-linux-installer.run , sysconfig-1.13.0_2553-setup.run , CCS12.1.0.00007_web_linux-x64/ccs_setup_12.1.0.00007.run
2. cd ~/mcu_plus_sdk_am64x_08_04_00_17/source/security/tifs/sbl_keywriter/scripts/cert_gen/
3. ./gen_keywr_cert.sh -g && cp -a keys/* keys_devel/am64x/
4. ./gen_keywr_cert.sh -t tifek/am64x/ti_fek_public.pem --msv 0xC0FFE -b keys_devel/am64x/bmpk.pem --bmek keys_devel/am64x/bmek.key -s keys_devel/am64x/smpk.pem --smek keys_devel/am64x/smek.key --keycnt 1 --keyrev 1
5. python3 ../../../../../../tools/bin2c/bin2c.py ../x509cert/final_certificate.bin keycert.h KEYCERT
6. cp keycert.h ../x509cert/
7. cd ~/ti/mcu_plus_sdk_am64x_08_04_00_17/source/security/tifs/sbl_keywriter/am64x-evm/r5fss0-0_nortos/ti-arm-clang && make -sj clean PROFILE=debug && make -sj PROFILE=debug
8. Switch DUT to "UART BOOT MODE" and Use "Tera Term" write the tiboot3.bin
9. I can get 02000000011a0000616d3634780000000000000048535345000002000000020002a6000001000200b018658ad99dc903c8c9bfb27b12751099920a042ad1dfea7b7ba57369f15546de285edde6a7b39a8bdc40a27b237f8fb1e57f245e80b929c1e28b024aa2ecc623da28ddd59a7e2899a02c21cfcebf536c2d474e59ba0b770807365be63e8c28efcbeb841d0dbd6867aa9b96661d3bc402d18570c81462dd7c2e643bc934a6c19cad200a569aca739adeef2239029e33b0d9898fbaff27f6beba954edb0284c4C02000000011a0000616d3634780000000000000048535345000002000000020002a6000001000200b018658ad99dc903c8c9bfb27b12751099920a042ad1dfea7b7ba57369f15546de285edde6a7b39a8bdc40a27b237f8fb1e57f245e80b929c1e28b024aa2ecc623da28ddd59a7e2899a02c21cfcebf536c2d474e59ba0b770807365be63e8c28efcbeb841d0dbd6867aa9b96661d3bc402d18570c81462dd7c2e643bc934a6c19cad200a569aca739adeef2239029e33b0d9898fbaff27f6beba954edb0284c4
10. python ./tools/boot/socid_parser/uart_boot_socid.py ./source/security/tifs/sbl_keywriter/tools/socid.txt (Can read the boot massage)
-----------------------
SoC ID Header Info:
-----------------------
NumBlocks : [2]
-----------------------
SoC ID Public ROM Info:
-----------------------
SubBlockId : 1
SubBlockSize : 26
DeviceName : am64x
DeviceType : HSSE
DMSC ROM Version : [0, 2, 0, 0]
R5 ROM Version : [0, 2, 0, 0]
-----------------------
SoC ID Secure ROM Info:
-----------------------
Sec SubBlockId : 2
Sec SubBlockSize : 166
Sec Prime : 0
Sec Key Revision : 1
Sec Key Count : 2
Sec TI MPK Hash : b018658ad99dc903c8c9bfb27b12751099920a042ad1dfea7b7ba57369f15546de285edde6a7b39a8bdc40a27b237f8fb1e57f245e80b929c1e28b024aa2ecc6
Sec Cust MPK Hash : 23da28ddd59a7e2899a02c21cfcebf536c2d474e59ba0b770807365be63e8c28efcbeb841d0dbd6867aa9b96661d3bc402d18570c81462dd7c2e643bc934a6c1
Sec Unique ID : 9cad200a569aca739adeef2239029e33b0d9898fbaff27f6beba954edb0284c4
Q1: How to get "Cust MPK Hash" by openssl?? openssl dgst -sha512 smpk.pem??
Q2: Sign my tiboot3.bin, tispl, uboot.img by the private key smpk.pem at keys_devel/am64x/ ??