TI AM62X Secure Boot 流程簡述

By Toradex秦海

1). 簡介

嵌入式設(shè)備對于網(wǎng)絡(luò)安全的要求越來越高，而 Secure boot就是其中重要的一部分。 TI AM62X 處理器基于行業(yè)標(biāo)準(zhǔn) X.509 認(rèn)證來提供 Secure boot 啟動過程中的 Chain of Trust； X.509 認(rèn)證是基于公共密鑰加密 (Public Key Cryptography) 和數(shù)字簽名 (Digital Signature) 技術(shù)來實現(xiàn) Secure boot 的。AM62X 處理器涉及 Security 的架構(gòu)框圖如下。

AM62X 處理器啟動流程圖參考如下。本文就基于 TI AM625 處理器平臺簡單介紹其 Secure Boot 的部署流程。

本文所演示的平臺來自于 Toradex Verdin AM62 嵌入式平臺，主要介紹基本的 Chain of Trust，也就是 U-boot和Linux Kernel/DTB 兩個層級的加密和驗證啟動，后面 Rootfs 以及 Application 層面暫不涉及。

2. 準(zhǔn)備

a). Verdin AM62 ARM核心版配合Dahlia 載板，并連接調(diào)試串口用于測試。

b). 參考這里下載 Toradex Yocto Linux BSP6 Reference Image 用于后續(xù)測試，目前最新的是 6.7.0 版本。

3). 生成 Customer Key Set 文件

a). TI AM62 處理器有如下三種設(shè)備類型，其中 GP (General Purpose) 類型的處理器是不具備支持 Secure Boot 功能的，只有 HS (High Security) 類型的處理器是支持的，然后其還細(xì)分為兩個狀態(tài)，HS-FS (Field Securable) 和 HS-SE (Security Enforced)，具體的說明請見如下。TI AM62X HS 類型處理器出廠配置為 HS-FS 狀態(tài)，且都已經(jīng)預(yù)先寫入了 TI Dummy Key 在設(shè)備中。

b). 由于將 HS 設(shè)備從 HS-FS 狀態(tài)配置為 HS-SE 狀態(tài)是不可逆的，因此本文為了方便演示流程僅僅使用 TI 預(yù)置的 Dummy Key 在 HS-FS 狀態(tài)下進行 Signed Image Authentication 流程演示，但會將 Customer key 的生成和燒錄流程進行說明。

c). 通過下面命令生成 Customer Root Key Set (SMPK) 和 Customer Back-up Key Set (BMPK)文件，用于后續(xù)的 Boot Image 簽名以及燒錄 Image 生成。

--------------------------------

### key name should not be changed ###

$ export Customer_KEYS_DIR=<DIR to store keys>

$ export SMPK_NAME=custMpk

$ export BMPK_NAME=backMpk

### Create the SMPK key pair and certificate using RSA 4096 ###

$ cd $Customer_KEYS_DIR

$ openssl genrsa -F4 -out ${SMPK_NAME}.key 4096

$ cp ${SMPK_NAME}.key ${SMPK_NAME}.pem

$ openssl req -batch -new -x509 -key ${SMPK_NAME}.key -out ${SMPK_NAME}.crt

### Create the BMPK key pair and certificate using RSA 4096 ###

$ openssl genrsa -F4 -out ${BMPK_NAME}.key 4096

$ cp ${BMPK_NAME}.key ${BMPK_NAME}.pem

$ openssl req -batch -new -x509 -key ${BMPK_NAME}.key -out ${BMPK_NAME}.crt

### Remove write access to the keys and certificates ###

$ chmod a-w *

--------------------------------

4). Boot Image 編譯和簽名

a). 參考這里說明下載 Toradex Yocto Linux BSP 6.x.y 版本包含 U-boot在內(nèi)的編譯 Boot Images 所需要的全部源代碼

--------------------------------

### Get the U-Boot source code for Yocto Linux BSP 6.x.y ###

$ git clone -b toradex_ti-u-boot-2023.04 https://git.toradex.cn/u-boot-toradex.git

$ export UBOOT_DIR=$(pwd)/u-boot-toradex

### Get the binary-only System Firmware (SYSFW) ###

$ git clone git://git.ti.com/k3-image-gen/k3-image-gen.git

$ export K3_DIR=$(pwd)/k3-image-gen

### Get the TI Linux Firmware ###

$ git clone -b ti-linux-firmware git://git.ti.com/processor-firmware/ti-linux-firmware.git

$ export TI_LINUX_FW_DIR=$(pwd)/ti-linux-firmware

### Get the ARM Trusted Firmware (ATF/TF-A) ###

$ git clone https://github.com/ARM-software/arm-trusted-firmware.git

$ export TFA_DIR=$(pwd)/arm-trusted-firmware

### Get the OP-TEE image source code ###

$ git clone https://github.com/OP-TEE/optee_os.git

$ export OPTEE_DIR=$(pwd)/optee_os

### Get the K3 Security development package:###

$ git clone https://git.ti.com/git/security-development-tools/core-secdev-k3.git -b master

$ export CORE_SECDEV_K3_DIR=$(pwd)/core-secdev-k3

--------------------------------

b). Customer Key Set 需要部署在 K3 Security development package 和 U-Boot source code 如下位置，默認(rèn)部署的是 TI Dummy Key，本文因為都是基于 TI Dummy Key 進行測試，因此不做替換修改。

./ K3 Security development package

--------------------------------

$ cd $CORE_SECDEV_K3_DIR/keys

$ ls

custMpk.crt  custMpk.key  custMpk.pem  swrv.txt  ti-degenerate-key.pem

$ md5sum custMpk.key

bd90ee9fe69667315eeee32bc7a01b39  custMpk.key

$ md5sum custMpk.pem

bd90ee9fe69667315eeee32bc7a01b39  custMpk.pem

$ md5sum custMpk.crt

f2a1562c002fc38319bf82471b0661a3  custMpk.crt

### replace TI Dummy Key with Customer Key if needed ###

$ cp $Customer_KEYS_DIR/* $CORE_SECDEV_K3_DIR/keys

--------------------------------

./ U-Boot source code

--------------------------------

$ cd $UBOOT_DIR/board/ti/keys/

$ ls

custMpk.crt  custMpk.key  custMpk.pem  swrv.txt  ti-degenerate-key.pem

$ md5sum custMpk.key

bd90ee9fe69667315eeee32bc7a01b39  custMpk.key

$ md5sum custMpk.pem

bd90ee9fe69667315eeee32bc7a01b39  custMpk.pem

$ md5sum custMpk.crt

f2a1562c002fc38319bf82471b0661a3  custMpk.crt

### replace TI Dummy Key with Customer Key if needed ###

$ cp $Customer_KEYS_DIR/* $CORE_SECDEV_K3_DIR/keys

--------------------------------

c). 參考這里配置交叉編譯 toolchain，注意由于不同的固件需要對應(yīng) 32bit 或者 64bit toolchain 編譯器，因此這里兩種 toolchain 都需要配置，配置完成后參考如下命令 export 32bit/64bit toolchain 相應(yīng)的環(huán)境變量。

--------------------------------

### 64bit toolchain env ###

$ export ARCH=arm64

$ export DTC_FLAGS="-@"

$ export PATH=~/gcc-linaro-aarch64/bin/:$PATH

$ export CROSS_COMPILE=aarch64-none-linux-gnu-

### 32bit toolchain env ###

$ export PATH=~/gcc-linaro-arm/bin/:$PATH

--------------------------------

d). 參考這里對 Boot Images 進行編譯

./ Build ARM Trusted Firmware (ATF/TF-A)

--------------------------------

$ cd $TFA_DIR

$ export ARCH=arm64 CROSS_COMPILE=aarch64-none-linux-gnu-

$ unset TFA_EXTRA_ARGS

$ make PLAT=k3 SPD=opteed $TFA_EXTRA_ARGS TARGET_BOARD=lite

--------------------------------

./ Build OP-TEE Image

--------------------------------

$ cd $OPTEE_DIR

$ export OPTEE_EXTRA_ARGS="CFG_WITH_SOFTWARE_PRNG=y"

$ export ARCH=arm

$ export CROSS_COMPILE=arm-none-linux-gnueabihf-

$ export CROSS_COMPILE64=aarch64-none-linux-gnu-

$ make PLATFORM=k3-am62x CFG_ARM64_core=y $OPTEE_EXTRA_ARGS

--------------------------------

./ Build U-Boot for R5

--------------------------------

### Step-1 under U-boot directory ###

$ cd $UBOOT_DIR

$ make ARCH=arm CROSS_COMPILE=arm-none-linux-gnueabihf- verdin-am62_r5_defconfig

$ make ARCH=arm CROSS_COMPILE=arm-none-linux-gnueabihf- BINMAN_INDIRS=$TI_LINUX_FW_DIR

### Step-2 under System Firmware directory ###

$ cd $K3_DIR

$ make SOC=am62x SOC_TYPE="hs-fs" TI_SECURE_DEV_PKG=$CORE_SECDEV_K3_DIR SBL=$UBOOT_DIR/spl/u-boot-spl.bin SYSFW_DIR=$TI_LINUX_FW_DIR/ti-sysfw

$ cp tiboot3-am62x-hs-fs-evm.bin ../tiboot3-am62x-hs-fs-verdin.bin

--------------------------------

// 對應(yīng)不同的 SOC_TYPE 選項，會生成不同的 Binary Image，其對應(yīng)關(guān)系參考如下兩個表格，在出廠默認(rèn)的 HS-FS SoC Type 下，需要編譯HS-FS 對應(yīng)的固件；而一旦通過 TI OTP Keywriter 工具將 Customer Key 寫入 eFUSE 并將設(shè)備配置為 HS-SE 狀態(tài)后，就需要編譯  HS-SE SOC Type 對應(yīng)的固件才能正常啟動了。

./ Build U-Boot for A53

--------------------------------

### Default configuration ###

$ cd $UBOOT_DIR

$ export ARCH=arm64 CROSS_COMPILE=aarch64-none-linux-gnu-

$ make verdin-am62_a53_defconfig

### Customized configuration to force FIT image to be authenticated ###

$ make menuconfig

CONFIG_FIT_SIGNATURE_ENFORCE=y

### Compile ###

$ make BINMAN_INDIRS=$TI_LINUX_FW_DIR \

       BL31=$TFA_DIR/build/k3/lite/release/bl31.bin \

       TEE=$OPTEE_DIR/out/arm-plat-k3/core/tee-raw.bin

$ cp tispl.bin ../

$ cp u-boot.img ../

--------------------------------

5). 簽名Linux kernel FIT Image 

a). 此步驟為可選步驟，如果不需要強制 FIT Image Authentication 則在上面 4.d Build U-Boot for A53 步驟中可以不使能 CONFIG_FIT_SIGNATURE_ENFORCE 配置，然后跳過此章節(jié)直接進行 BSP Image 修改部署章節(jié)即可。

b). 解壓 Toradex Ycoto Linux BSP6 Image，獲得 LInux Kernel/DTB/DTBO 等文件

--------------------------------

### uncompress BSP Image package ###

$ tar xvf Verdin-AM62_Reference-Minimal-Image-Tezi_6.7.0+build.13.tar

$ cd Verdin-AM62_Reference-Minimal-Image-Tezi_6.7.0+build.13/

### uncompress boot filesystem ###

$ mkdir bootfs/

$ tar Jxf Reference-Minimal-Image-verdin-am62.bootfs.tar.xz -C bootfs/

### copy kernel/dtb/dtbo image fit image work folder ###

$ export FIT_IMAGE_DIR=<fit_image_work_folder>

$ cd bootfs/

$ cp -r * $FIT_IMAGE_DIR

--------------------------------

c). 修改 FIT Image 描述文件，一個示例說明部分如下，需要根據(jù)你實際存放 Linux Kernel/DTB/DTBO 文件的位置來修改文件 “data” 參數(shù)本文使用的完整描述文件模板請從這里下載。

./ fitImage-its--6.1.83+git0+0a32d33d5f-r0-verdin-am62-20240701094251.its

--------------------------------

/dts-v1/;

/ {

        description = "Kernel fitImage for TDX Wayland with XWayland/6.1.83+gitAUTOINC+0a32d33d5f/verdin-am62";

        #address-cells = <1>;

        images {

                kernel-1 {

                        description = "Linux kernel";

                        data = /incbin/("$FIT_IMAGE_DIR/Image.gz");

                        type = "kernel";

                        arch = "arm64";

                        os = "linux";

                        compression = "gzip";

                        load = <0x80200000>;

                        entry = <0x80200000>;

                        hash-1 {

                                algo = "sha512";

                        };

                };

                fdt-ti_k3-am625-verdin-nonwifi-dahlia.dtb {

                        description = "Flattened Device Tree blob";

                        data = /incbin/("$FIT_IMAGE_DIR/k3-am625-verdin-nonwifi-dahlia.dtb");

                        type = "flat_dt";

                        arch = "arm64";

                        compression = "none";

                        load = <0x83000000>;

                        hash-1 {

                                algo = "sha512";

                        };

                };

...

...

--------------------------------

d). 生成 FIT Image

./ 由于在生成 FIT Image 的時候需要同時將 Public Key 信息嵌入到 u-boot.dtb，因此這里需要找到 U-Boot 默認(rèn)的 dtb 文件。根據(jù) U-Boot 編譯 default configuration 來確認(rèn)默認(rèn)的 dtb 文件即為 "arch/arm/dts/k3-am625-verdin-wifi-dev.dtb"

--------------------------------

$ vi $UBOOT_DIR/configs/verdin-am62_a53_defconfig

...

CONFIG_DEFAULT_DEVICE_TREE="k3-am625-verdin-wifi-dev"

...

--------------------------------

./ 在 FIT Image work folder 通過下面命令生成簽名的 FIT Image

--------------------------------

$ mkimage -f fitImage-its--6.1.83+git0+0a32d33d5f-r0-verdin-am62-20240701094251.its -k $UBOOT_DIR/board/ti/keys -K $UBOOT_DIR/arch/arm/dts/k3-am625-verdin-wifi-dev.dtb -r fitImage

--------------------------------

e). 根據(jù) 4.d Build U-Boot for A53 步驟，不修改任何 configuration的情況下，重新編譯 U-Boot Image

--------------------------------

$ cd $UBOOT_DIR

### Compile ###

$ make BINMAN_INDIRS=$TI_LINUX_FW_DIR \

       BL31=$TFA_DIR/build/k3/lite/release/bl31.bin \

       TEE=$OPTEE_DIR/out/arm-plat-k3/core/tee-raw.bin

$ cp tispl.bin ../

$ cp u-boot.img ../

--------------------------------

6). 修改和部署 Yocto Linux BSP

a). 使用 4.d Build U-Boot for R5 步驟生成的 “tiboot3-am62x-hs-fs-verdin.bin” 文件和 5.e 步驟重新編譯生成的 “tispl.bin” 和 “u-boot.img” 文件修改 Yocto Linux BSP 對應(yīng)的 Boot Images 文件

--------------------------------

$ cd Verdin-AM62_Reference-Minimal-Image-Tezi_6.7.0+build.13/

$ rm tiboot3-am62x-hs-fs-verdin.bin tispl.bin u-boot.img

$ cp .../tiboot3-am62x-hs-fs-verdin.bin .

$ cp .../tispl.bin .

$ cp .../u-boot.img .

--------------------------------

b). 將 5.d 步驟生成的 FIT Image 部署到剛才解壓的Ycoto Linux BSP6 bootfs中，并重新創(chuàng)建bootfs 壓縮包

--------------------------------

### copy FIT image to bsp rootfs folder ###

$ cp $$FIT_IMAGE_DIR/fitImage .../Verdin-AM62_Reference-Minimal-Image-Tezi_6.7.0+build.13/bootfs/

### remove default Linux kernel/dtb/dtbo files ###

$ cd .../Verdin-AM62_Reference-Minimal-Image-Tezi_6.7.0+build.13/bootfs/

$ rm -rf Image.gz k3-am625-verdin-* overlays

### check bootfs files ###

$ tree -L 1

.

├── boot.scr

├── fitImage

└── overlays.txt

### compress new bootfs package ###

$ tar Jcf ../Reference-Minimal-Image-verdin-am62.bootfs.tar.xz *

### clear bootfs

$ cd ..

$ rm -rf bootfs/

--------------------------------

c). 修改BSP package中的 “u-boot-initial-env-sd” 文件，增加如下環(huán)境變量用于使能 U-Boot 加載 FIT Image 來啟動

--------------------------------

--- a/u-boot-initial-env-sd 2024-07-01 18:00:22.000000000 +0800

+++ b/u-boot-initial-env-sd 2024-09-12 16:35:02.000000000 +0800

@@ -30,6 +30,7 @@

 kernel_addr_r=0x88200000

 kernel_comp_addr_r=0x80200000

 kernel_comp_size=0x08000000

+kernel_image=fitImage

 load_efi_dtb=load ${devtype} ${devnum}:${distro_bootpart} ${fdt_addr_r} ${prefix}${efi_fdtfile}

 loadaddr=0x88200000

 mmc_boot=if mmc dev ${devnum}; then devtype=mmc; run scan_dev_for_boot_part; fi

--------------------------------

d). 需要注意的是由于Kernel階段的Secure Boot相關(guān)認(rèn)證和加載都是基于U-Boot 環(huán)境變量來實現(xiàn)的， 因此如果要讓這個啟動機制更加安全可靠，則要讓U-Boot保持在上述安全啟動路徑，而不能通過其他啟動介質(zhì)或者腳本來啟動而繞開 Secure Boot，比如 Toradex U-Boot默認(rèn)是使能 Distro Boot 功能的，可以自動掃描外設(shè)介質(zhì)的啟動腳本，那么這個功能就需要關(guān)閉掉，類似這樣的 U-Boot 定制化和啟動路徑固化可以參考如下文章，本文不做進一步介紹。

https://developer.toradex.cn/torizon/security/u-boot-hardening-for-secure-boot/

e). 如果你的 Linux BSP Image 是通過 Yocto Project 編譯生成，那么如下是一個 Toradex Security Meta Layer，你可以直接將其集成到你的 Yocto Project 編譯環(huán)境中，然后按照說明配置后直接生成簽名甚至加密好的 BSP Image。

https://github.com/toradex/meta-toradex-security 

7). 部署測試

a). 參考這里將上述制作完成數(shù)字簽名的 BSP Image通過 Toradex Easy Installer 更新到 Verdin AM62 模塊。因為本文測試基于 TI 已經(jīng)預(yù)先燒寫到 SoC 的 dummy key，所以可以直接啟動測試，如果是使用 Customized Key，則還需要參考后續(xù) eFuse 燒寫操作將 Customized Key 燒寫到 SoC 才能正確驗證并啟動。

./ 啟動后查看啟動log，可以看到 Boot Images 和 Linux FIT Image (Kernel Image/DTB/DTBO) Secure Boot驗證簽名成功并最終完整啟動

--------------------------------

U-Boot SPL 2023.04-28170-gc997b1b09fb (Sep 10 2024 - 17:41:33 +0800)

SYSFW ABI: 4.0 (firmware rev 0x000a '10.0.8--v10.00.08 (Fiery Fox)')

Changed A53 CPU frequency to 1250000000Hz (T grade) in DT

SPL initial stack usage: 13472 bytes

Trying to boot from MMC1

Authentication passed          // ATF authentication

Authentication passed          // TEE authentication

Authentication passed          // DM-FW authentication

Loading Environment from nowhere... OK

init_env from device 9 not supported!

Authentication passed          // A53 SPL authentication

Authentication passed          // A53 SPL DTB authentication

Starting ATF on ARM64 core...

NOTICE:  BL31: v2.11.0(release):v2.10.0-1555-g8e9bdc5b1

NOTICE:  BL31: Built : 17:04:05, Aug 30 2024

...

U-Boot SPL 2023.04-28170-gc997b1b09fb (Sep 12 2024 - 16:56:27 +0800)

SYSFW ABI: 4.0 (firmware rev 0x000a '10.0.8--v10.00.08 (Fiery Fox)')

SPL initial stack usage: 1904 bytes

Trying to boot from MMC1

Authentication passed          // A53 u-boot authentication

Authentication passed          // A53 u-boot DTB authentication

U-Boot 2023.04-28170-gc997b1b09fb (Sep 12 2024 - 16:56:27 +0800)

SoC:   AM62X SR1.0 HS-FS

DRAM:  1 GiB

Core:  143 devices, 31 uclasses, devicetree: separate

...

Found U-Boot script /boot.scr

6003 bytes read in 10 ms (585.9 KiB/s)

## Executing script at 90280000

82 bytes read in 9 ms (8.8 KiB/s)

8918270 bytes read in 78 ms (109 MiB/s)

Bootargs: root=PARTUUID=33e36968-02 ro rootwait console=tty1 console=ttyS2,115200 consol0

## Loading kernel from FIT Image at 90300000 ...

   Using 'conf-ti_k3-am625-verdin-wifi-dev.dtb' configuration

   Verifying Hash Integrity ... sha512,rsa4096:custMpk+ OK          // Kernel Image authentication

   Trying 'kernel-1' kernel subimage

     Description:  Linux kernel

     Type:         Kernel Image

     Compression:  gzip compressed

     Data Start:   0x90300108

     Data Size:    8305029 Bytes = 7.9 MiB

     Architecture: AArch64

     OS:           Linux

     Load Address: 0x80200000

     Entry Point:  0x80200000

     Hash algo:    sha512

     Hash value:   1eae3ec7c7d250d709d07f8af174e8de9c2293a9a61683f1f1a4f5981e96dc9ab090cc

   Verifying Hash Integrity ... sha512+ OK

## Loading fdt from FIT Image at 90300000 ...

   Using 'conf-ti_k3-am625-verdin-wifi-dev.dtb' configuration

   Verifying Hash Integrity ... sha512,rsa4096:custMpk+ OK          // Kernel DTB authentication

   Trying 'fdt-ti_k3-am625-verdin-wifi-dev.dtb' fdt subimage

     ...

   Verifying Hash Integrity ... sha512+ OK

   Loading fdt from 0x90b40bd0 to 0x83000000

## Loading fdt from FIT Image at 90300000 ...

   Using 'conf-verdin-am62_dsi-to-hdmi_overlay.dtbo' configuration

   Verifying Hash Integrity ... sha512,rsa4096:custMpk+ OK          // DTBO authentication

   Trying 'fdt-verdin-am62_dsi-to-hdmi_overlay.dtbo' fdt subimage

     ...

   Verifying Hash Integrity ... sha512+ OK

## Loading fdt from FIT Image at 90300000 ...

   Using 'conf-verdin-am62_spidev_overlay.dtbo' configuration

   Verifying Hash Integrity ... sha512,rsa4096:custMpk+ OK          // DTBO authentication

   Trying 'fdt-verdin-am62_spidev_overlay.dtbo' fdt subimage

     ...

   Verifying Hash Integrity ... sha512+ OK

   Booting using the fdt blob at 0x83000000

Working FDT set to 83000000

   Uncompressing Kernel Image

   Loading Device Tree to 0000000098ec8000, end 0000000098edc6b5 ... OK

Working FDT set to 98ec8000

Starting kernel ...

[    0.000000] Booting Linux on physical CPU 0x0000000000 [0x410fd034]

[    0.000000] Linux version 6.1.83-6.7.0+git.0a32d33d5fb7 (oe-user@oe-host) (aarch64-td4

[    0.000000] Machine model: Toradex Verdin AM62 WB on Verdin Development Board

...

--------------------------------

b). AM62x SoC eFuse 燒寫以及將設(shè)備從 HS-FS 轉(zhuǎn)換為 HS-SE 狀態(tài)

./ eFuse 燒寫流程詳細(xì)燒寫流程可以參考這里。

./ 首先下載安裝最新 TI MCU+ SDK，以及對應(yīng)版本的 CCS 和 sysconfig 工具到 Linux 開發(fā)主機 <MCU_PLUS_SDK_INSTALL_DIR> (推薦為 ${HOME}/ti/ ) 目錄，詳細(xì)過程參考上面的文章鏈接。

./ 安裝 TI OTP Keywriter 工具軟件和使用指南，這些是 secure 資料，需要在 TI 網(wǎng)站上面注冊申請通過后才能獲取。安裝路徑為 <MCU_PLUS_SDK_INSTALL_DIR>/mcu_plus_sdk_am62x_10_00_00_14/source/security。OTP Keywriter 的詳細(xì)使用指南文檔是 AM62X_OTP_Keywriter_User_Guide。

--------------------------------

$ tree -L 2 ~/ti/mcu_plus_sdk_am62x_10_00_00_14/source/security/

/home/simon/ti/mcu_plus_sdk_am62x_10_00_00_14/source/security/

├── sbl_keywriter

│   ├── am62x-sk

│   ├── boardcfgs

│   ├── keywr_bin

│   ├── manifest

│   ├── scripts

│   └── tools

├── uninstall

└── uninstall.dat

--------------------------------

./ 生成 X.509 Certificate

// Keywriter 預(yù)置 TI dummy key，因此如果是基于 TI dummy key set 進行生成，則命令如下。注意 “--keyrev” 參數(shù)，只要這個參數(shù)被燒寫到了 eFuse 上面，那么這個設(shè)備就立即轉(zhuǎn)化為 HS-SE 狀態(tài)，所有 secure boot 限制將都生效，設(shè)備也無法再次刷寫其他 key 信息，因此此過程可以分步或者一次進行，前期測試階段建議分步，先燒寫 key，進行驗證通過后，再進行 keyrev 燒寫，將設(shè)備變更為 HS-SE 狀態(tài)。

--------------------------------

### Generate X.509 certificate ###

### Option-1, step by step

$ cd <MCU_PLUS_SDK_INSTALL_DIR>/mcu_plus_sdk_am62x_10_00_00_14/source/security/sbl_keywriter/scripts/cert_gen/am62x

## Generate certificate for programming MSV(Model Specific Value) and TI dummy key sets, but not turn device into HS-SE

$ ./gen_keywr_cert.sh -t tifek/ti_fek_public.pem --msv 0xC0FFE -b-def --bmek-def -s-def --smek-def --keycnt 2

## Generates certificate for setting the program key revision to 1

./gen_keywr_cert.sh -t tifek/ti_fek_public.pem --keyrev 1

### Option-2, one-shot

## programming MSV, key sets, and turn device into HS-SE in one shot command

$ ./gen_keywr_cert.sh -t tifek/ti_fek_public.pem --msv 0xC0FFE -b-def --bmek-def -s-def --smek-def --keycnt 2 --keyrev 1

### Convert certificate binary to .h format ###

$ cd <MCU_PLUS_SDK_INSTALL_DIR>/mcu_plus_sdk_am62x_10_00_00_14/source/security/sbl_keywriter/scripts/x509cert

$ python3 ../../../../../tools/bin2c/bin2c.py final_certificate.bin keycert.h KEYCERT 2024

--------------------------------

// 如果是基于 customized key set，則要將相關(guān)命令修改如下：

--------------------------------

### Copy customized key set for keywriter ###

$ cd <MCU_PLUS_SDK_INSTALL_DIR>/mcu_plus_sdk_am62x_10_00_00_14/source/security/sbl_keywriter/scripts/cert_gen/am62x

$ cp $Customer_KEYS_DIR/custMpk.key keys_devel/smek.key

$ cp $Customer_KEYS_DIR/custMpk.pem keys_devel/smpk.pem

$ cp $Customer_KEYS_DIR/backMpk.key keys_devel/bmek.key

$ cp $Customer_KEYS_DIR/backMpk.pem keys_devel/bmpk.pem

### Generate X.509 certificate ###

### Option-1, step by step

$ cd <MCU_PLUS_SDK_INSTALL_DIR>/mcu_plus_sdk_am62x_10_00_00_14/source/security/sbl_keywriter/scripts/cert_gen/am62x

## Generate certificate for programming MSV(Model Specific Value) and TI dummy key sets, but not turn device into HS-SE

$ ./gen_keywr_cert.sh -t tifek/ti_fek_public.pem --msv 0xC0FFE -b keys_devel/bmpk.pem --bmek keys_devel/bmek.key -s keys_devel/smpk.pem --smek keys_devel/smek.key --keycnt 2

## Generates certificate for setting the program key revision to 1

./gen_keywr_cert.sh -t tifek/ti_fek_public.pem --keyrev 1

### Option-2, one-shot

## programming MSV, key sets, and turn device into HS-SE in one shot command

$ ./gen_keywr_cert.sh -t tifek/ti_fek_public.pem --msv 0xC0FFE -b keys_devel/bmpk.pem --bmek keys_devel/bmek.key -s keys_devel/smpk.pem --smek keys_devel/smek.key --keycnt 2 --keyrev 1

### Convert certificate binary to .h format ###

$ cd <MCU_PLUS_SDK_INSTALL_DIR>/mcu_plus_sdk_am62x_10_00_00_14/source/security/sbl_keywriter/scripts/x509cert

$ python3 ../../../../../tools/bin2c/bin2c.py final_certificate.bin keycert.h KEYCERT 2024

--------------------------------

./ 生成 keywriter binary - tiboot3.bin

--------------------------------

### create compiler soft link ###

$ cd <MCU_PLUS_SDK_INSTALL_DIR>

$ ln -s ccs1271/ccs/tools/compiler/ti-cgt-armllvm_3.2.2.LTS ti-cgt-armllvm_3.2.2.LTS

### Generate binary ###

$ cd <MCU_PLUS_SDK_INSTALL_DIR>/mcu_plus_sdk_am62x_10_00_00_14/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang

$ make -sj clean PROFILE=debug

$ make -sj PROFILE=debug

--------------------------------

./ 將 tiboot3.bin 通過 USB DFU 模式加載運行起來，具體的命令可以參考這里，只是需要注意的是由于燒寫 eFuse 的過程中還需要 AM62X SoC VPP 管腳上拉到 1.8V 同時具備至少 400mA 瞬態(tài)電流負(fù)載能力，因此需要在載板上面部署相應(yīng)的硬件設(shè)計，以保證僅在燒寫 eFuse 的時候拉高 VPP 管腳同時提供足夠的瞬變電流，而在其他任何時候 VPP 管腳都是拉低的狀態(tài)。參考如下 TI AM62 SK 開發(fā)板設(shè)計，如圖一布置了一個單獨的 LDO 電源芯片(TLV75518PDQNR) 來給 VPP 管腳提供 400mA/1.8V 供電，正式由于極高的瞬變電流負(fù)載需求，load switch 或者 DC/DC 電源是不建議使用的；而 LDO 的開關(guān)則通過 VPP_LDO_EN 信號來控制。如圖二，則是 AM62X SoC 通過 I2C 總線連接了一個 GPIO Expander 芯片來擴展 GPIO 管腳提供 VPP_LDO_EN 信號控制。

// 對于 IO Expander VPP_LDO_EN GPIO 管腳的控制軟件代碼請參考 MCU+ SDK 如下文件，你也可以根據(jù)你的實際載板設(shè)計來相應(yīng)修改適配。

<MCU_PLUS_SDK_INSTALL_DIR>/mcu_plus_sdk_am62x_10_00_00_14/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/board.c

8). 總結(jié)

本文基于 TI AM62X 處理器簡單演示了 Secure Boot 流程，涉及 Boot Images 和 Linux Kernel/DTB ，至于 Rootfs 的加密，則需要配置類似 Squashfs 只讀文件系統(tǒng)配合 Initramfs RAM Disk 鏡像進行加解密掛載啟動，可以結(jié)合參考如下兩篇文章和相關(guān) meta-toradex-security layer 數(shù)據(jù)參考，本文不做具體測試。

./ 嵌入式 ARM 平臺使用dm-crypt加密磁盤分區(qū)

./ 使用Squashfs和Overlayfs提高嵌入式Linux文件系統(tǒng)可靠性

./ https://github.com/toradex/meta-toradex-security