博客專欄

EEPW首頁(yè) > 博客 > TI AM62X Secure Boot 流程簡(jiǎn)述

TI AM62X Secure Boot 流程簡(jiǎn)述

發(fā)布人:toradex 時(shí)間:2024-09-18 來(lái)源:工程師 發(fā)布文章

By Toradex秦海

1). 簡(jiǎn)介

嵌入式設(shè)備對(duì)于網(wǎng)絡(luò)安全的要求越來(lái)越高,而 Secure boot就是其中重要的一部分。 TI AM62X 處理器基于行業(yè)標(biāo)準(zhǔn) X.509 認(rèn)證來(lái)提供 Secure boot 啟動(dòng)過(guò)程中的 Chain of Trust; X.509 認(rèn)證是基于公共密鑰加密 (Public Key Cryptography) 和數(shù)字簽名 (Digital Signature) 技術(shù)來(lái)實(shí)現(xiàn) Secure boot 的。AM62X 處理器涉及 Security 的架構(gòu)框圖如下。

TI AM62X Secure Boot 流程簡(jiǎn)述305.png 

 

AM62X 處理器啟動(dòng)流程圖參考如下。本文就基于 TI AM625 處理器平臺(tái)簡(jiǎn)單介紹其 Secure Boot 的部署流程。

TI AM62X Secure Boot 流程簡(jiǎn)述372.png 

本文所演示的平臺(tái)來(lái)自于 Toradex Verdin AM62 嵌入式平臺(tái),主要介紹基本的 Chain of Trust,也就是 U-bootLinux Kernel/DTB 兩個(gè)層級(jí)的加密和驗(yàn)證啟動(dòng),后面 Rootfs 以及 Application 層面暫不涉及。

 

 

2. 準(zhǔn)備

a). Verdin AM62 ARM核心版配合Dahlia 載板,并連接調(diào)試串口用于測(cè)試。

b). 參考這里下載 Toradex Yocto Linux BSP6 Reference Image 用于后續(xù)測(cè)試,目前最新的是 6.7.0 版本。

 

 

3). 生成 Customer Key Set 文件

a). TI AM62 處理器有如下三種設(shè)備類型,其中 GP (General Purpose) 類型的處理器是不具備支持 Secure Boot 功能的,只有 HS (High Security) 類型的處理器是支持的,然后其還細(xì)分為兩個(gè)狀態(tài),HS-FS (Field Securable) HS-SE (Security Enforced),具體的說(shuō)明請(qǐng)見(jiàn)如下。TI AM62X HS 類型處理器出廠配置為 HS-FS 狀態(tài),且都已經(jīng)預(yù)先寫(xiě)入了 TI Dummy Key 在設(shè)備中。

TI AM62X Secure Boot 流程簡(jiǎn)述1252.png 

 

b). 由于將 HS 設(shè)備從 HS-FS 狀態(tài)配置為 HS-SE 狀態(tài)是不可逆的,因此本文為了方便演示流程僅僅使用 TI 預(yù)置的 Dummy Key HS-FS 狀態(tài)下進(jìn)行 Signed Image Authentication 流程演示,但會(huì)將 Customer key 的生成和燒錄流程進(jìn)行說(shuō)明。

TI AM62X Secure Boot 流程簡(jiǎn)述1408.png 

 

c). 通過(guò)下面命令生成 Customer Root Key Set (SMPK) Customer Back-up Key Set (BMPK)文件,用于后續(xù)的 Boot Image 簽名以及燒錄 Image 生成。

--------------------------------

### key name should not be changed ###

$ export Customer_KEYS_DIR=<DIR to store keys>

$ export SMPK_NAME=custMpk

$ export BMPK_NAME=backMpk

 

### Create the SMPK key pair and certificate using RSA 4096 ###

$ cd $Customer_KEYS_DIR

$ openssl genrsa -F4 -out ${SMPK_NAME}.key 4096

$ cp ${SMPK_NAME}.key ${SMPK_NAME}.pem

$ openssl req -batch -new -x509 -key ${SMPK_NAME}.key -out ${SMPK_NAME}.crt

 

### Create the BMPK key pair and certificate using RSA 4096 ###

$ openssl genrsa -F4 -out ${BMPK_NAME}.key 4096

$ cp ${BMPK_NAME}.key ${BMPK_NAME}.pem

$ openssl req -batch -new -x509 -key ${BMPK_NAME}.key -out ${BMPK_NAME}.crt

 

### Remove write access to the keys and certificates ###

$ chmod a-w *

--------------------------------

 

 

4). Boot Image 編譯和簽名

a). 參考這里說(shuō)明下載 Toradex Yocto Linux BSP 6.x.y 版本包含 U-boot在內(nèi)的編譯 Boot Images 所需要的全部源代碼

--------------------------------

### Get the U-Boot source code for Yocto Linux BSP 6.x.y ###

$ git clone -b toradex_ti-u-boot-2023.04 https://git.toradex.cn/u-boot-toradex.git

$ export UBOOT_DIR=$(pwd)/u-boot-toradex

 

### Get the binary-only System Firmware (SYSFW) ###

$ git clone git://git.ti.com/k3-image-gen/k3-image-gen.git

$ export K3_DIR=$(pwd)/k3-image-gen

 

### Get the TI Linux Firmware ###

$ git clone -b ti-linux-firmware git://git.ti.com/processor-firmware/ti-linux-firmware.git

$ export TI_LINUX_FW_DIR=$(pwd)/ti-linux-firmware

 

### Get the ARM Trusted Firmware (ATF/TF-A) ###

$ git clone https://github.com/ARM-software/arm-trusted-firmware.git

$ export TFA_DIR=$(pwd)/arm-trusted-firmware

 

### Get the OP-TEE image source code ###

$ git clone https://github.com/OP-TEE/optee_os.git

$ export OPTEE_DIR=$(pwd)/optee_os

 

### Get the K3 Security development package:###

$ git clone https://git.ti.com/git/security-development-tools/core-secdev-k3.git -b master

$ export CORE_SECDEV_K3_DIR=$(pwd)/core-secdev-k3

--------------------------------

 

b). Customer Key Set 需要部署在 K3 Security development package  U-Boot source code 如下位置,默認(rèn)部署的是 TI Dummy Key,本文因?yàn)槎际腔?TI Dummy Key 進(jìn)行測(cè)試,因此不做替換修改。

./ K3 Security development package

--------------------------------

$ cd $CORE_SECDEV_K3_DIR/keys

$ ls

custMpk.crt  custMpk.key  custMpk.pem  swrv.txt  ti-degenerate-key.pem

$ md5sum custMpk.key

bd90ee9fe69667315eeee32bc7a01b39  custMpk.key

$ md5sum custMpk.pem

bd90ee9fe69667315eeee32bc7a01b39  custMpk.pem

$ md5sum custMpk.crt

f2a1562c002fc38319bf82471b0661a3  custMpk.crt

 

### replace TI Dummy Key with Customer Key if needed ###

$ cp $Customer_KEYS_DIR/* $CORE_SECDEV_K3_DIR/keys

--------------------------------

 

./ U-Boot source code

--------------------------------

$ cd $UBOOT_DIR/board/ti/keys/

$ ls

custMpk.crt  custMpk.key  custMpk.pem  swrv.txt  ti-degenerate-key.pem

$ md5sum custMpk.key

bd90ee9fe69667315eeee32bc7a01b39  custMpk.key

$ md5sum custMpk.pem

bd90ee9fe69667315eeee32bc7a01b39  custMpk.pem

$ md5sum custMpk.crt

f2a1562c002fc38319bf82471b0661a3  custMpk.crt

 

### replace TI Dummy Key with Customer Key if needed ###

$ cp $Customer_KEYS_DIR/* $CORE_SECDEV_K3_DIR/keys

--------------------------------

 

c). 參考這里配置交叉編譯 toolchain,注意由于不同的固件需要對(duì)應(yīng) 32bit 或者 64bit toolchain 編譯器,因此這里兩種 toolchain 都需要配置,配置完成后參考如下命令 export 32bit/64bit toolchain 相應(yīng)的環(huán)境變量。

--------------------------------

### 64bit toolchain env ###

$ export ARCH=arm64

$ export DTC_FLAGS="-@"

$ export PATH=~/gcc-linaro-aarch64/bin/:$PATH

$ export CROSS_COMPILE=aarch64-none-linux-gnu-

### 32bit toolchain env ###

$ export PATH=~/gcc-linaro-arm/bin/:$PATH

--------------------------------

 

d). 參考這里對(duì) Boot Images 進(jìn)行編譯

./ Build ARM Trusted Firmware (ATF/TF-A)

--------------------------------

$ cd $TFA_DIR

$ export ARCH=arm64 CROSS_COMPILE=aarch64-none-linux-gnu-

$ unset TFA_EXTRA_ARGS

$ make PLAT=k3 SPD=opteed $TFA_EXTRA_ARGS TARGET_BOARD=lite

--------------------------------

 

./ Build OP-TEE Image

--------------------------------

$ cd $OPTEE_DIR

$ export OPTEE_EXTRA_ARGS="CFG_WITH_SOFTWARE_PRNG=y"

$ export ARCH=arm

$ export CROSS_COMPILE=arm-none-linux-gnueabihf-

$ export CROSS_COMPILE64=aarch64-none-linux-gnu-

$ make PLATFORM=k3-am62x CFG_ARM64_core=y $OPTEE_EXTRA_ARGS

--------------------------------

 

./ Build U-Boot for R5

--------------------------------

### Step-1 under U-boot directory ###

$ cd $UBOOT_DIR

$ make ARCH=arm CROSS_COMPILE=arm-none-linux-gnueabihf- verdin-am62_r5_defconfig

$ make ARCH=arm CROSS_COMPILE=arm-none-linux-gnueabihf- BINMAN_INDIRS=$TI_LINUX_FW_DIR

### Step-2 under System Firmware directory ###

$ cd $K3_DIR

$ make SOC=am62x SOC_TYPE="hs-fs" TI_SECURE_DEV_PKG=$CORE_SECDEV_K3_DIR SBL=$UBOOT_DIR/spl/u-boot-spl.bin SYSFW_DIR=$TI_LINUX_FW_DIR/ti-sysfw

$ cp tiboot3-am62x-hs-fs-evm.bin ../tiboot3-am62x-hs-fs-verdin.bin

--------------------------------

 

// 對(duì)應(yīng)不同的 SOC_TYPE 選項(xiàng),會(huì)生成不同的 Binary Image,其對(duì)應(yīng)關(guān)系參考如下兩個(gè)表格,在出廠默認(rèn)的 HS-FS SoC Type 下,需要編譯HS-FS 對(duì)應(yīng)的固件;而一旦通過(guò) TI OTP Keywriter 工具將 Customer Key 寫(xiě)入 eFUSE 并將設(shè)備配置為 HS-SE 狀態(tài)后,就需要編譯  HS-SE SOC Type 對(duì)應(yīng)的固件才能正常啟動(dòng)了。

TI AM62X Secure Boot 流程簡(jiǎn)述6833.png 

 

./ Build U-Boot for A53

--------------------------------

### Default configuration ###

$ cd $UBOOT_DIR

$ export ARCH=arm64 CROSS_COMPILE=aarch64-none-linux-gnu-

$ make verdin-am62_a53_defconfig

### Customized configuration to force FIT image to be authenticated ###

$ make menuconfig

CONFIG_FIT_SIGNATURE_ENFORCE=y

### Compile ###

$ make BINMAN_INDIRS=$TI_LINUX_FW_DIR \

       BL31=$TFA_DIR/build/k3/lite/release/bl31.bin \

       TEE=$OPTEE_DIR/out/arm-plat-k3/core/tee-raw.bin

$ cp tispl.bin ../

$ cp u-boot.img ../

--------------------------------

 

 

5). 簽名Linux kernel FIT Image 

a). 此步驟為可選步驟,如果不需要強(qiáng)制 FIT Image Authentication 則在上面 4.d Build U-Boot for A53 步驟中可以不使能 CONFIG_FIT_SIGNATURE_ENFORCE 配置,然后跳過(guò)此章節(jié)直接進(jìn)行 BSP Image 修改部署章節(jié)即可。

 

b). 解壓 Toradex Ycoto Linux BSP6 Image,獲得 LInux Kernel/DTB/DTBO 等文件

--------------------------------

### uncompress BSP Image package ###

$ tar xvf Verdin-AM62_Reference-Minimal-Image-Tezi_6.7.0+build.13.tar

$ cd Verdin-AM62_Reference-Minimal-Image-Tezi_6.7.0+build.13/

### uncompress boot filesystem ###

$ mkdir bootfs/

$ tar Jxf Reference-Minimal-Image-verdin-am62.bootfs.tar.xz -C bootfs/

### copy kernel/dtb/dtbo image fit image work folder ###

$ export FIT_IMAGE_DIR=<fit_image_work_folder>

$ cd bootfs/

$ cp -r * $FIT_IMAGE_DIR

--------------------------------

 

c). 修改 FIT Image 描述文件,一個(gè)示例說(shuō)明部分如下,需要根據(jù)你實(shí)際存放 Linux Kernel/DTB/DTBO 文件的位置來(lái)修改文件 data 參數(shù)本文使用的完整描述文件模板請(qǐng)從這里下載

./ fitImage-its--6.1.83+git0+0a32d33d5f-r0-verdin-am62-20240701094251.its

--------------------------------

/dts-v1/;

 

/ {

        description = "Kernel fitImage for TDX Wayland with XWayland/6.1.83+gitAUTOINC+0a32d33d5f/verdin-am62";

        #address-cells = <1>;

 

        images {

                kernel-1 {

                        description = "Linux kernel";

                        data = /incbin/("$FIT_IMAGE_DIR/Image.gz");

                        type = "kernel";

                        arch = "arm64";

                        os = "linux";

                        compression = "gzip";

                        load = <0x80200000>;

                        entry = <0x80200000>;

                        hash-1 {

                                algo = "sha512";

                        };

                };

                fdt-ti_k3-am625-verdin-nonwifi-dahlia.dtb {

                        description = "Flattened Device Tree blob";

                        data = /incbin/("$FIT_IMAGE_DIR/k3-am625-verdin-nonwifi-dahlia.dtb");

                        type = "flat_dt";

                        arch = "arm64";

                        compression = "none";

                        load = <0x83000000>;

                        hash-1 {

                                algo = "sha512";

                        };

                };

...

...

--------------------------------

 

d). 生成 FIT Image

./ 由于在生成 FIT Image 的時(shí)候需要同時(shí)將 Public Key 信息嵌入到 u-boot.dtb,因此這里需要找到 U-Boot 默認(rèn)的 dtb 文件。根據(jù) U-Boot 編譯 default configuration 來(lái)確認(rèn)默認(rèn)的 dtb 文件即為 "arch/arm/dts/k3-am625-verdin-wifi-dev.dtb"

--------------------------------

$ vi $UBOOT_DIR/configs/verdin-am62_a53_defconfig

...

CONFIG_DEFAULT_DEVICE_TREE="k3-am625-verdin-wifi-dev"

...

--------------------------------

 

./ FIT Image work folder 通過(guò)下面命令生成簽名的 FIT Image

--------------------------------

$ mkimage -f fitImage-its--6.1.83+git0+0a32d33d5f-r0-verdin-am62-20240701094251.its -k $UBOOT_DIR/board/ti/keys -K $UBOOT_DIR/arch/arm/dts/k3-am625-verdin-wifi-dev.dtb -r fitImage

--------------------------------

 

e). 根據(jù) 4.d Build U-Boot for A53 步驟,不修改任何 configuration的情況下,重新編譯 U-Boot Image

--------------------------------

$ cd $UBOOT_DIR

### Compile ###

$ make BINMAN_INDIRS=$TI_LINUX_FW_DIR \

       BL31=$TFA_DIR/build/k3/lite/release/bl31.bin \

       TEE=$OPTEE_DIR/out/arm-plat-k3/core/tee-raw.bin

$ cp tispl.bin ../

$ cp u-boot.img ../

--------------------------------

 

 

6). 修改和部署 Yocto Linux BSP

a). 使用 4.d Build U-Boot for R5 步驟生成的 tiboot3-am62x-hs-fs-verdin.bin 文件和 5.e 步驟重新編譯生成的 tispl.bin  u-boot.img 文件修改 Yocto Linux BSP 對(duì)應(yīng)的 Boot Images 文件

--------------------------------

$ cd Verdin-AM62_Reference-Minimal-Image-Tezi_6.7.0+build.13/

$ rm tiboot3-am62x-hs-fs-verdin.bin tispl.bin u-boot.img

$ cp .../tiboot3-am62x-hs-fs-verdin.bin .

$ cp .../tispl.bin .

$ cp .../u-boot.img .

--------------------------------

 

b). 5.d 步驟生成的 FIT Image 部署到剛才解壓的Ycoto Linux BSP6 bootfs中,并重新創(chuàng)建bootfs 壓縮包

--------------------------------

### copy FIT image to bsp rootfs folder ###

$ cp $$FIT_IMAGE_DIR/fitImage .../Verdin-AM62_Reference-Minimal-Image-Tezi_6.7.0+build.13/bootfs/

### remove default Linux kernel/dtb/dtbo files ###

$ cd .../Verdin-AM62_Reference-Minimal-Image-Tezi_6.7.0+build.13/bootfs/

$ rm -rf Image.gz k3-am625-verdin-* overlays

### check bootfs files ###

$ tree -L 1

.

├── boot.scr

├── fitImage

└── overlays.txt

### compress new bootfs package ###

$ tar Jcf ../Reference-Minimal-Image-verdin-am62.bootfs.tar.xz *

### clear bootfs

$ cd ..

$ rm -rf bootfs/

--------------------------------

 

c). 修改BSP package中的 “u-boot-initial-env-sd” 文件,增加如下環(huán)境變量用于使能 U-Boot 加載 FIT Image 來(lái)啟動(dòng)

--------------------------------

--- a/u-boot-initial-env-sd 2024-07-01 18:00:22.000000000 +0800

+++ b/u-boot-initial-env-sd 2024-09-12 16:35:02.000000000 +0800

@@ -30,6 +30,7 @@

 kernel_addr_r=0x88200000

 kernel_comp_addr_r=0x80200000

 kernel_comp_size=0x08000000

+kernel_image=fitImage

 load_efi_dtb=load ${devtype} ${devnum}:${distro_bootpart} ${fdt_addr_r} ${prefix}${efi_fdtfile}

 loadaddr=0x88200000

 mmc_boot=if mmc dev ${devnum}; then devtype=mmc; run scan_dev_for_boot_part; fi

--------------------------------

 

d). 需要注意的是由于Kernel階段的Secure Boot相關(guān)認(rèn)證和加載都是基于U-Boot 環(huán)境變量來(lái)實(shí)現(xiàn)的, 因此如果要讓這個(gè)啟動(dòng)機(jī)制更加安全可靠,則要讓U-Boot保持在上述安全啟動(dòng)路徑,而不能通過(guò)其他啟動(dòng)介質(zhì)或者腳本來(lái)啟動(dòng)而繞開(kāi) Secure Boot,比如 Toradex U-Boot默認(rèn)是使能 Distro Boot 功能的,可以自動(dòng)掃描外設(shè)介質(zhì)的啟動(dòng)腳本,那么這個(gè)功能就需要關(guān)閉掉,類似這樣的 U-Boot 定制化和啟動(dòng)路徑固化可以參考如下文章,本文不做進(jìn)一步介紹。

https://developer.toradex.cn/torizon/security/u-boot-hardening-for-secure-boot/

 

e). 如果你的 Linux BSP Image 是通過(guò) Yocto Project 編譯生成,那么如下是一個(gè) Toradex Security Meta Layer,你可以直接將其集成到你的 Yocto Project 編譯環(huán)境中,然后按照說(shuō)明配置后直接生成簽名甚至加密好的 BSP Image。

https://github.com/toradex/meta-toradex-security 

 

 

7). 部署測(cè)試

a). 參考這里將上述制作完成數(shù)字簽名的 BSP Image通過(guò) Toradex Easy Installer 更新到 Verdin AM62 模塊。因?yàn)楸疚臏y(cè)試基于 TI 已經(jīng)預(yù)先燒寫(xiě)到 SoC dummy key,所以可以直接啟動(dòng)測(cè)試,如果是使用 Customized Key,則還需要參考后續(xù) eFuse 燒寫(xiě)操作將 Customized Key 燒寫(xiě)到 SoC 才能正確驗(yàn)證并啟動(dòng)。

./ 啟動(dòng)后查看啟動(dòng)log,可以看到 Boot Images Linux FIT Image (Kernel Image/DTB/DTBO) Secure Boot驗(yàn)證簽名成功并最終完整啟動(dòng)

--------------------------------

U-Boot SPL 2023.04-28170-gc997b1b09fb (Sep 10 2024 - 17:41:33 +0800)

SYSFW ABI: 4.0 (firmware rev 0x000a '10.0.8--v10.00.08 (Fiery Fox)')

Changed A53 CPU frequency to 1250000000Hz (T grade) in DT

SPL initial stack usage: 13472 bytes

Trying to boot from MMC1

Authentication passed          // ATF authentication

Authentication passed          // TEE authentication

Authentication passed          // DM-FW authentication

Loading Environment from nowhere... OK

init_env from device 9 not supported!

Authentication passed          // A53 SPL authentication

Authentication passed          // A53 SPL DTB authentication

Starting ATF on ARM64 core...

 

NOTICE:  BL31: v2.11.0(release):v2.10.0-1555-g8e9bdc5b1

NOTICE:  BL31: Built : 17:04:05, Aug 30 2024

...

U-Boot SPL 2023.04-28170-gc997b1b09fb (Sep 12 2024 - 16:56:27 +0800)

SYSFW ABI: 4.0 (firmware rev 0x000a '10.0.8--v10.00.08 (Fiery Fox)')

SPL initial stack usage: 1904 bytes

Trying to boot from MMC1

Authentication passed          // A53 u-boot authentication

Authentication passed          // A53 u-boot DTB authentication

 

 

U-Boot 2023.04-28170-gc997b1b09fb (Sep 12 2024 - 16:56:27 +0800)

 

SoC:   AM62X SR1.0 HS-FS

DRAM:  1 GiB

Core:  143 devices, 31 uclasses, devicetree: separate

...

Found U-Boot script /boot.scr

6003 bytes read in 10 ms (585.9 KiB/s)

## Executing script at 90280000

82 bytes read in 9 ms (8.8 KiB/s)

8918270 bytes read in 78 ms (109 MiB/s)

Bootargs: root=PARTUUID=33e36968-02 ro rootwait console=tty1 console=ttyS2,115200 consol0

## Loading kernel from FIT Image at 90300000 ...

   Using 'conf-ti_k3-am625-verdin-wifi-dev.dtb' configuration

   Verifying Hash Integrity ... sha512,rsa4096:custMpk+ OK          // Kernel Image authentication

   Trying 'kernel-1' kernel subimage

     Description:  Linux kernel

     Type:         Kernel Image

     Compression:  gzip compressed

     Data Start:   0x90300108

     Data Size:    8305029 Bytes = 7.9 MiB

     Architecture: AArch64

     OS:           Linux

     Load Address: 0x80200000

     Entry Point:  0x80200000

     Hash algo:    sha512

     Hash value:   1eae3ec7c7d250d709d07f8af174e8de9c2293a9a61683f1f1a4f5981e96dc9ab090cc

   Verifying Hash Integrity ... sha512+ OK

## Loading fdt from FIT Image at 90300000 ...

   Using 'conf-ti_k3-am625-verdin-wifi-dev.dtb' configuration

   Verifying Hash Integrity ... sha512,rsa4096:custMpk+ OK          // Kernel DTB authentication

   Trying 'fdt-ti_k3-am625-verdin-wifi-dev.dtb' fdt subimage

     ...

   Verifying Hash Integrity ... sha512+ OK

   Loading fdt from 0x90b40bd0 to 0x83000000

## Loading fdt from FIT Image at 90300000 ...

   Using 'conf-verdin-am62_dsi-to-hdmi_overlay.dtbo' configuration

   Verifying Hash Integrity ... sha512,rsa4096:custMpk+ OK          // DTBO authentication

   Trying 'fdt-verdin-am62_dsi-to-hdmi_overlay.dtbo' fdt subimage

     ...

   Verifying Hash Integrity ... sha512+ OK

## Loading fdt from FIT Image at 90300000 ...

   Using 'conf-verdin-am62_spidev_overlay.dtbo' configuration

   Verifying Hash Integrity ... sha512,rsa4096:custMpk+ OK          // DTBO authentication

   Trying 'fdt-verdin-am62_spidev_overlay.dtbo' fdt subimage

     ...

   Verifying Hash Integrity ... sha512+ OK

   Booting using the fdt blob at 0x83000000

Working FDT set to 83000000

   Uncompressing Kernel Image

   Loading Device Tree to 0000000098ec8000, end 0000000098edc6b5 ... OK

Working FDT set to 98ec8000

 

Starting kernel ...

 

[    0.000000] Booting Linux on physical CPU 0x0000000000 [0x410fd034]

[    0.000000] Linux version 6.1.83-6.7.0+git.0a32d33d5fb7 (oe-user@oe-host) (aarch64-td4

[    0.000000] Machine model: Toradex Verdin AM62 WB on Verdin Development Board

...

--------------------------------

 

b). AM62x SoC eFuse 燒寫(xiě)以及將設(shè)備從 HS-FS 轉(zhuǎn)換為 HS-SE 狀態(tài)

./ eFuse 燒寫(xiě)流程詳細(xì)燒寫(xiě)流程可以參考這里。

 

./ 首先下載安裝最新 TI MCU+ SDK,以及對(duì)應(yīng)版本的 CCS sysconfig 工具到 Linux 開(kāi)發(fā)主機(jī) <MCU_PLUS_SDK_INSTALL_DIR> (推薦為 ${HOME}/ti/ ) 目錄,詳細(xì)過(guò)程參考上面的文章鏈接。

 

./ 安裝 TI OTP Keywriter 工具軟件和使用指南,這些是 secure 資料,需要在 TI 網(wǎng)站上面注冊(cè)申請(qǐng)通過(guò)后才能獲取。安裝路徑為 <MCU_PLUS_SDK_INSTALL_DIR>/mcu_plus_sdk_am62x_10_00_00_14/source/security。OTP Keywriter 的詳細(xì)使用指南文檔是 AM62X_OTP_Keywriter_User_Guide

--------------------------------

$ tree -L 2 ~/ti/mcu_plus_sdk_am62x_10_00_00_14/source/security/

/home/simon/ti/mcu_plus_sdk_am62x_10_00_00_14/source/security/

├── sbl_keywriter

   ├── am62x-sk

   ├── boardcfgs

   ├── keywr_bin

   ├── manifest

   ├── scripts

   └── tools

├── uninstall

└── uninstall.dat

--------------------------------

 

./ 生成 X.509 Certificate

// Keywriter 預(yù)置 TI dummy key,因此如果是基于 TI dummy key set 進(jìn)行生成,則命令如下。注意 --keyrev 參數(shù),只要這個(gè)參數(shù)被燒寫(xiě)到了 eFuse 上面,那么這個(gè)設(shè)備就立即轉(zhuǎn)化為 HS-SE 狀態(tài),所有 secure boot 限制將都生效,設(shè)備也無(wú)法再次刷寫(xiě)其他 key 信息,因此此過(guò)程可以分步或者一次進(jìn)行,前期測(cè)試階段建議分步,先燒寫(xiě) key,進(jìn)行驗(yàn)證通過(guò)后,再進(jìn)行 keyrev 燒寫(xiě),將設(shè)備變更為 HS-SE 狀態(tài)。

--------------------------------

### Generate X.509 certificate ###

### Option-1, step by step

$ cd <MCU_PLUS_SDK_INSTALL_DIR>/mcu_plus_sdk_am62x_10_00_00_14/source/security/sbl_keywriter/scripts/cert_gen/am62x

## Generate certificate for programming MSV(Model Specific Value) and TI dummy key sets, but not turn device into HS-SE

$ ./gen_keywr_cert.sh -t tifek/ti_fek_public.pem --msv 0xC0FFE -b-def --bmek-def -s-def --smek-def --keycnt 2

## Generates certificate for setting the program key revision to 1

./gen_keywr_cert.sh -t tifek/ti_fek_public.pem --keyrev 1

 

### Option-2, one-shot

## programming MSV, key sets, and turn device into HS-SE in one shot command

$ ./gen_keywr_cert.sh -t tifek/ti_fek_public.pem --msv 0xC0FFE -b-def --bmek-def -s-def --smek-def --keycnt 2 --keyrev 1

 

### Convert certificate binary to .h format ###

$ cd <MCU_PLUS_SDK_INSTALL_DIR>/mcu_plus_sdk_am62x_10_00_00_14/source/security/sbl_keywriter/scripts/x509cert

$ python3 ../../../../../tools/bin2c/bin2c.py final_certificate.bin keycert.h KEYCERT 2024

--------------------------------

 

// 如果是基于 customized key set,則要將相關(guān)命令修改如下:

--------------------------------

### Copy customized key set for keywriter ###

$ cd <MCU_PLUS_SDK_INSTALL_DIR>/mcu_plus_sdk_am62x_10_00_00_14/source/security/sbl_keywriter/scripts/cert_gen/am62x

$ cp $Customer_KEYS_DIR/custMpk.key keys_devel/smek.key

$ cp $Customer_KEYS_DIR/custMpk.pem keys_devel/smpk.pem

$ cp $Customer_KEYS_DIR/backMpk.key keys_devel/bmek.key

$ cp $Customer_KEYS_DIR/backMpk.pem keys_devel/bmpk.pem

 

### Generate X.509 certificate ###

### Option-1, step by step

$ cd <MCU_PLUS_SDK_INSTALL_DIR>/mcu_plus_sdk_am62x_10_00_00_14/source/security/sbl_keywriter/scripts/cert_gen/am62x

## Generate certificate for programming MSV(Model Specific Value) and TI dummy key sets, but not turn device into HS-SE

$ ./gen_keywr_cert.sh -t tifek/ti_fek_public.pem --msv 0xC0FFE -b keys_devel/bmpk.pem --bmek keys_devel/bmek.key -s keys_devel/smpk.pem --smek keys_devel/smek.key --keycnt 2

## Generates certificate for setting the program key revision to 1

./gen_keywr_cert.sh -t tifek/ti_fek_public.pem --keyrev 1

 

### Option-2, one-shot

## programming MSV, key sets, and turn device into HS-SE in one shot command

$ ./gen_keywr_cert.sh -t tifek/ti_fek_public.pem --msv 0xC0FFE -b keys_devel/bmpk.pem --bmek keys_devel/bmek.key -s keys_devel/smpk.pem --smek keys_devel/smek.key --keycnt 2 --keyrev 1

 

### Convert certificate binary to .h format ###

$ cd <MCU_PLUS_SDK_INSTALL_DIR>/mcu_plus_sdk_am62x_10_00_00_14/source/security/sbl_keywriter/scripts/x509cert

$ python3 ../../../../../tools/bin2c/bin2c.py final_certificate.bin keycert.h KEYCERT 2024

--------------------------------

 

./ 生成 keywriter binary - tiboot3.bin

--------------------------------

### create compiler soft link ###

$ cd <MCU_PLUS_SDK_INSTALL_DIR>

$ ln -s ccs1271/ccs/tools/compiler/ti-cgt-armllvm_3.2.2.LTS ti-cgt-armllvm_3.2.2.LTS

### Generate binary ###

$ cd <MCU_PLUS_SDK_INSTALL_DIR>/mcu_plus_sdk_am62x_10_00_00_14/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang

$ make -sj clean PROFILE=debug

$ make -sj PROFILE=debug

--------------------------------

 

./ tiboot3.bin 通過(guò) USB DFU 模式加載運(yùn)行起來(lái),具體的命令可以參考這里,只是需要注意的是由于燒寫(xiě) eFuse 的過(guò)程中還需要 AM62X SoC VPP 管腳上拉到 1.8V 同時(shí)具備至少 400mA 瞬態(tài)電流負(fù)載能力,因此需要在載板上面部署相應(yīng)的硬件設(shè)計(jì),以保證僅在燒寫(xiě) eFuse 的時(shí)候拉高 VPP 管腳同時(shí)提供足夠的瞬變電流,而在其他任何時(shí)候 VPP 管腳都是拉低的狀態(tài)。參考如下 TI AM62 SK 開(kāi)發(fā)板設(shè)計(jì),如圖一布置了一個(gè)單獨(dú)的 LDO 電源芯片(TLV75518PDQNR) 來(lái)給 VPP 管腳提供 400mA/1.8V 供電,正式由于極高的瞬變電流負(fù)載需求,load switch 或者 DC/DC 電源是不建議使用的;而 LDO 的開(kāi)關(guān)則通過(guò) VPP_LDO_EN 信號(hào)來(lái)控制。如圖二,則是 AM62X SoC 通過(guò) I2C 總線連接了一個(gè) GPIO Expander 芯片來(lái)擴(kuò)展 GPIO 管腳提供 VPP_LDO_EN 信號(hào)控制。

TI AM62X Secure Boot 流程簡(jiǎn)述22358.png 

TI AM62X Secure Boot 流程簡(jiǎn)述22360.png 

 

// 對(duì)于 IO Expander VPP_LDO_EN GPIO 管腳的控制軟件代碼請(qǐng)參考 MCU+ SDK 如下文件,你也可以根據(jù)你的實(shí)際載板設(shè)計(jì)來(lái)相應(yīng)修改適配。

<MCU_PLUS_SDK_INSTALL_DIR>/mcu_plus_sdk_am62x_10_00_00_14/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/board.c

 

 

8). 總結(jié)

本文基于 TI AM62X 處理器簡(jiǎn)單演示了 Secure Boot 流程,涉及 Boot Images Linux Kernel/DTB ,至于 Rootfs 的加密,則需要配置類似 Squashfs 只讀文件系統(tǒng)配合 Initramfs RAM Disk 鏡像進(jìn)行加解密掛載啟動(dòng),可以結(jié)合參考如下兩篇文章和相關(guān) meta-toradex-security layer 數(shù)據(jù)參考,本文不做具體測(cè)試。

./ 嵌入式 ARM 平臺(tái)使用dm-crypt加密磁盤分區(qū)

./ 使用SquashfsOverlayfs提高嵌入式Linux文件系統(tǒng)可靠性

./ https://github.com/toradex/meta-toradex-security 


*博客內(nèi)容為網(wǎng)友個(gè)人發(fā)布,僅代表博主個(gè)人觀點(diǎn),如有侵權(quán)請(qǐng)聯(lián)系工作人員刪除。



關(guān)鍵詞: ARM Linux Secureboot TI AM62 Toradex Verdin

相關(guān)推薦

技術(shù)專區(qū)

關(guān)閉