
#
# Copyright (c) Sigma Designs, Inc. 2013. All rights reserved.
#

# This document will guide you through the steps required to load OTP tokens
# for your device.
#
#
# ===========================
#           OTP Map
#   (OEM related objects shown)
# ===========================
#
#  OTP Objects
#  ____________________________
#  |        | . . . . . . .   |
#  |--------|-----------------|
#  | 0x0fff | OEM-ID          |  (Configured by OEM at production)
#  |--------|-----------------|
#  |        | . . . . . . .   |
#  |--------|-----------------|
#  | 0x0109 | Sigma Facsimile |  (Configured when shipped from Sigma)
#  |        | RK Hash         |
#  |--------|-----------------|
#  | 0x0110 | OEM RK Hash     |  (Configured by OEM at production. Replaces
#  |--------|-----------------|   Sigma Facsimile RK when provisioned)
#  |        | . . . . . . .   |
#  |--------|-----------------|
#  |        | DRM Keys        |
#  | 0x1051 | Derivation Data |  (Configured by OEM at production. Used
#  |        | (locked)        |   for offline DRM Keys serialization)
#  |--------|-----------------|
#  |        | DRM Keys        |  (Configured by OEM at production. Used as
#  | 0x1052 | Derivation Data |   an index to the actual DRM Keys in an
#  |        | Reference       |   offline database secured by the OEM)
#  |--------|-----------------|
#  |        | . . . . . . .   |
#
# IMPORTANT: Before proceeding please customize your toolchain and
# baseline search path in the setup helper file: setup.env
# (look for "CUSTOMIZE").
#
# OEMID token:
# ------------
# Fill and send the request form (SMP8672 use FR-CR8910-A03.pdf,
# SMP8674 use FR-CR8656-B03.pdf) for OEMID, certificate type 7.
#
# You'll need your PGP fingerprint. If you already generated a PGP key pair
# using GnuPG, then it's easy. If not, then follow the steps at:
# http://www.madboa.com/geek/gpg-quickstart/
gpg --fingerprint
# The PGP fingerprint will be listed (sample below). Copy it to the form.
#   Key fingerprint = EC60 B429 8B5D DXYZ 1F03 849A 2D18 8B97 DEAD BEEF
# You may be asked for your PGP public key...
gpg --armor --output pubkeypgp.txt --export 'Your Name'
# If you don't remember 'Your Name', it's the "uid" part that's
# not the email address.
gpg --list-keys

# Prepare the RSA 2048bit private/public key pair. Copy and paste the public
# key (pubkey.txt) inside the order form and save the private key (pvtkey.pem).
#
# NOTE: the PGP items are for securing communications between the OEM
# and Sigma Designs DRMLA. The RSA public key below is used by Sigma
# Designs to secure the related items inside the OEMID package
# for the sole use of the concerned OEM. Whoever holds the matching
# private key can unwrap those items, so treat pvtkey.pem (and the
# passphrase-less copy made below) as production-secret material.
#
openssl genrsa -aes128 -f4 -out pvtkey.pem 2048
openssl rsa -pubout < pvtkey.pem > pubkey.txt
# save the private/public keys in the "oemid_keys" folder.
mkdir oemid_keys
mv pvtkey.pem pubkey.txt oemid_keys/.
#
# If you entered a passphrase during the rsa key generation,
# make a version without passphrase prompting for the rsa private key
# (the package scripts below read it non-interactively). The key now
# lives in oemid_keys/, so give openssl that path:
openssl rsa -in oemid_keys/pvtkey.pem -out oemid_keys/pvtkey_nopass.pem
chmod 600 oemid_keys/pvtkey.pem oemid_keys/pvtkey_nopass.pem
#
# OEMID package released by Sigma (sample for 8674/8656):
#   oemidtoken2_0000000c_2012-12-21_8910_prod_01a7.tar.gz
#
# extract to the same base folder as in mknandflash.txt and create a
# symbolic link.
tar xzf oemidtoken2_0000000c_2012-12-21_8910_prod_01a7.tar.gz
ln -s oemidtoken2_0000000c_2012-12-21_8910_prod_01a7 oemid_pkg
#
# Preset the HOST PC environment with the toolchain and CPU_key_xload3.env.
source setup.env
pushd oemid_pkg
# Use the copy_cert_prv_key.bash script to copy the Certificate
# Private Key, i.e. "pvtkey.pem", to the "oemid_pkg" folder with the
# internal name format.
./copy_cert_prv_key.bash ../oemid_keys/pvtkey_nopass.pem
# Install all the necessary certificates and config to their place
# inside the CPU_KEYS package.
./install.bash
# For OEM production, just create the generalized OEMID record, i.e. it
# will not be limited to a certain chip serial number.
serialize_xtoken2.bash --certid 0x1a7 --serial 00000000000000000000000000000000
# The OEMID token will be created:
#   oemidtoken2_0000000c_2012-12-21.00000000000000000000000000000000.01a7.xload3
#
# To create for a single chip, serialize the OEMID.
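# The key-pair preparation above, as an added shell example (not part of
# Sigma's package or tooling). It generates the encrypted pvtkey.pem, the
# pubkey.txt that goes into the order form and the passphrase-less
# pvtkey_nopass.pem, locks the files down, and then checks that all three
# carry the same RSA modulus, which is the check worth doing before a
# public key is pasted into a form that binds it to your OEM-ID. It assumes
# openssl on PATH; the passphrase is passed with -passout/-passin only so
# the example runs unattended (interactively, drop those options as the
# guide does). The OEMID_KEYS_DEMO / OEMID_PASS variables are this
# example's own.

```shell
#!/bin/sh
# Added example, not Sigma's tooling: create and verify the OEM RSA key pair.
set -eu

# make_oemid_keys <dir> <passphrase>
# Produces <dir>/pvtkey.pem (AES-128 encrypted), <dir>/pubkey.txt and
# <dir>/pvtkey_nopass.pem, all created with umask 077 so they are owner-only.
make_oemid_keys() {
    dir=$1; pass=$2
    mkdir -p "$dir"
    (
        umask 077
        cd "$dir"
        openssl genrsa -aes128 -f4 -passout "pass:$pass" -out pvtkey.pem 2048 2>/dev/null
        openssl rsa -in pvtkey.pem -passin "pass:$pass" -pubout -out pubkey.txt 2>/dev/null
        openssl rsa -in pvtkey.pem -passin "pass:$pass" -out pvtkey_nopass.pem 2>/dev/null
    )
}

# keypair_matches <dir> <passphrase>
# Prints "ok" when pvtkey.pem, pubkey.txt and pvtkey_nopass.pem all carry the
# same RSA modulus, "mismatch" otherwise (also if any file cannot be parsed).
keypair_matches() {
    dir=$1; pass=$2
    m_priv=$(openssl rsa -in "$dir/pvtkey.pem" -passin "pass:$pass" -noout -modulus 2>/dev/null || true)
    m_pub=$(openssl rsa -pubin -in "$dir/pubkey.txt" -noout -modulus 2>/dev/null || true)
    m_nopass=$(openssl rsa -in "$dir/pvtkey_nopass.pem" -noout -modulus 2>/dev/null || true)
    if [ -n "$m_priv" ] && [ "$m_priv" = "$m_pub" ] && [ "$m_priv" = "$m_nopass" ]; then
        echo ok
    else
        echo mismatch
    fi
}

# private_key_mode_ok <dir>
# Prints "ok" if neither private key file is readable by group or others.
private_key_mode_ok() {
    for f in "$1/pvtkey.pem" "$1/pvtkey_nopass.pem"; do
        [ -f "$f" ] || { echo "missing ${f##*/}"; return 1; }
        perm=$(ls -l "$f" | cut -c5-10)      # group+other permission bits
        [ "$perm" = "------" ] || { echo "loose permissions on ${f##*/}: $perm"; return 1; }
    done
    echo ok
}

# Stand-alone use:  OEMID_KEYS_DEMO=1 OEMID_PASS='...' sh thisfile.sh
# writes ./oemid_keys and reports the two checks.
if [ "${OEMID_KEYS_DEMO:-0}" = 1 ]; then
    make_oemid_keys oemid_keys "${OEMID_PASS:?set OEMID_PASS}"
    keypair_matches oemid_keys "${OEMID_PASS}"
    private_key_mode_ok oemid_keys
fi
```

# A "mismatch" usually means pubkey.txt was regenerated from a different
# pvtkey.pem than the one copied into oemid_pkg; sort that out before the
# form is sent, since the OEMID package can only be unwrapped by the key
# whose public half Sigma received.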
#   serialize_xtoken2.bash --certid <certid> --serial <%0128x:serial>
# On the target board, after booting to Linux and "fw_reload"...
mem=$(xkc xpalloc 0x1000)
xkc xload 0xffff oemidtoken2_0000000c_2012-12-21.00000000000000000000000000000000.01a7.xload3 $mem
xkc xpfree $mem
#
# Some common error messages with xkc operation:

#
#  1. xkc: xload fails with status=209
#     --> Check if the ID is correct for the signed certificate inside
#         /cpu_keys/signed_items/config/signing/cert_<id num>.conf:
#         CFG_CERT=$XLOAD3_SIGNED_CERTS/cert_<id num>_signed.bin
#  2. xkc: xload fails with status=16
#     --> the OTP already has an OEMID token loaded; it can not be
#         overwritten. OEMID can only be loaded once.
#  3. xkc: xload fails with status=216
#     --> Wrong serial number
#  4. xkc: xload fails with status=202
#     --> Record size mismatch
#
# IP-Token:
# ---------
# Fill and send the request form (SMP8672 use FR-CR8910-A03.pdf,
# SMP8674 use FR-CR8656-B03.pdf) for IP-Token, certificate type 7.
# The IP-Token will be restricted for use with the OEM's OEM-ID, i.e.
# OEM-ID restriction. You can use the same PGP fingerprint and RSA public
# key that was used for the OEM-ID order above.
# NOTE: We will re-use the private/public keys in the "oemid_keys" folder.

#
# IP-token package released by Sigma (sample for 8672/8910):
#   iptoken4_000000d0_SMP8672A30_2012-12-18_8910_prod_01a6.tar.gz
# extract to the same base folder as the OEM-ID package and create a
# symbolic link.
tar xzf iptoken4_000000d0_SMP8672A30_2012-12-18_8910_prod_01a6.tar.gz
ln -s iptoken4_000000d0_SMP8672A30_2012-12-18_8910_prod_01a6 iptoken_pkg
#
# Preset the HOST PC environment with the toolchain and CPU_key_xload3.env.
source setup.env
pushd iptoken_pkg
# Use the copy_cert_prv_key.bash script to copy the Certificate
# Private Key, i.e. "pvtkey.pem", to the "iptoken_pkg" folder with the
# internal name format (same passphrase-less key as for the OEM-ID).
./copy_cert_prv_key.bash ../oemid_keys/pvtkey_nopass.pem
# Install all the necessary certificates and config to their place
# inside the CPU_KEYS package.
./install.bash
# For OEM production, just create the generalized IP-token record, i.e. it
# will not be limited to a certain chip serial number.
serialize_xtoken2.bash --certid 0x1a6 --serial 00000000000000000000000000000000
# The IP-token will be created:
#   iptoken4_000000d0_2012-12-21.00000000000000000000000000000000.01a6.xload3
#
# To create for a single chip, serialize the IP-token.
#   serialize_xtoken2.bash --certid <certid> --serial <%0128x:serial>
#
# DRM Keys installation
# ---------------------
#
#  ===============   ==================
#   Nand-Flash Map   related zxenv keys
#  (Boot Partition)
#  ===============   ==================
#                                                       a.cs0_pblk_parts = 0x5
#      0x0 ______________   a.cs0_pblk_part1_offset      ___
#         | PhyBlock0    |  a.cs0_pblk_part1_size         ^
#  0x20000|--------------|  a.cs0_pblk_part1_name         |
#         | (backup)     |                                |
#  0x40000|--------------|                                |
#         | ezboot       |                                |
#  0x80000|--------------|                                |
#         | (backup)     |                                |
#  0xc0000|--------------|                                |
#         | zxenv        |                                |
#  0xe0000|--------------|                                |
#         | (backup)     |                          Virtual Zone 1
# 0x100000|--------------|                          ('-v' option)
#         |              |  z.boot0                       |
#         | Yamon        |  z.boot0_in_virtualzone        |
#         | (xload3)     |                                |
#         |              |                                |
# 0x140000|--------------|  z.drm_keys_offset             |
#         | IP-token     |  z.drm_keys_size               |
#         |   +          |  z.drm_keys_in_virtualzone     |
#         | DRM keys     |                                |
#         | (romfs)      |                                |
# 0x160000|--------------|                                |
#         |(spare blocks)|                                v
# 0x200000|==============|  a.cs0_pblk_part2_offset      ===
#         | . . . . . .  |
#
# In the following example, we will generate the DRM keys partition (ROMFS)
# for installation on nand-flash. Using ezboot version *0xc9 or newer* will
# automatically load the IP-token and various DRM keys during stage1 boot.
#
# NOTE: The ezboot assumes that the following zxenv keys are set...
#   z.drm_keys_offset=0x140000
#   z.drm_keys_size=0x20000
#   z.drm_keys_in_virtualzone=1
#
# We will install an IP-token and an HDCP key in this example.
# (must be xload3 format)
#   1. iptoken4_0000002e_SMP8672A30_2012-06-06.6187ac81ccaf02092eecf779aa730848.00dc.xload3
#   2. hdcpkeys_0_8910_prod_PhuongTest-bd-239_6187ac81ccaf02092eecf779aa730848.0086.xload3
#
# Just create the directory to store the IP-token and DRM keys, then
# generate the ROMFS image to store on nand-flash.
#
source setup.env
mkdir drmkeys/
cp iptoken4_0000002e_SMP8672A30_2012-06-06.6187ac81ccaf02092eecf779aa730848.00dc.xload3 drmkeys/.
cp hdcpkeys_0_8910_prod_PhuongTest-bd-239_6187ac81ccaf02092eecf779aa730848.0086.xload3 drmkeys/.
genromfs -d drmkeys/ -f drmkeys.romfs -V DRMKEYS
# The image must not exceed z.drm_keys_size (0x20000 bytes): the flash
# write commands below copy exactly that much, so a larger ROMFS would be
# truncated. Check with: ls -l drmkeys.romfs
# OEMs can include this image as part of their production flash image.
#
# In the following steps we will manually write this ROMFS image on
# the target board. We'll show three ways of getting the drmkeys image
# onto the flash: 1. via serial and YAMON, 2. via tftp and YAMON,
# 3. from Linux on the target with mtd-utils. In the two YAMON methods,
# we're copying the drmkeys image to an unused DRAM area then writing from
# DRAM to the appropriate nand-flash address: 0x140000 (virtual). We use
# cksums to verify the transfers: the host "cksum" prints the checksum and
# the byte count; pass that byte count as <size> to the YAMON cksum and
# make sure both checksums agree before writing to flash.
#
# 1. via serial - slower...
YAMON> load uu 0xa7000000
host> uuencode drmkeys.romfs x > /dev/ttyS0
host> cksum drmkeys.romfs
YAMON> cksum 0xa7000000 <size>
YAMON> nflash write -v 0x140000 0xa7000000 0x20000 0
# 2. or via tftp - faster but assumes a tftp server is installed on the host PC.
host> cp drmkeys.romfs /tftpboot/.
host> cksum drmkeys.romfs
YAMON> net init
YAMON> load -b tftp://10.60.1.248/huyle/drmkeys.romfs 0xa7000000
YAMON> cksum 0xa7000000 <size>
YAMON> nflash write -v 0x140000 0xa7000000 0x20000 0
# 3. or from Linux on the target, with the image copied to the board:
flash_erase /dev/mtd1 10 1
nandwrite /dev/mtd1 -s 0x140000 drmkeys.romfs
