Secure-Boot : Use TEZI on a Verdin AM62 module that has been fused

Dear community,

I am currently trying to enable secure-boot feature on a “Verdin AM62 Quad 2GB WB IT v1.2A” mounted on a Dahlia carrier board V1.1D.
My team and I are currently using a custom Yocto image based on Toradex BSP 7.2 scarthgap. The standard image works fine. The host OS is “Ubuntu 22.02”.

I have built a signed image using the following guide. This link has been used to fuse the device with a signed version of “tiboot3.bin”.

However, I cannot install the signed image because I can no longer start TEZI (7.5.0). Indeed, the Linux script “.recovery-linux.sh” stops with the following error “dfu-util: unable to read DFU status after completion (LIBUSB_ERROR_TIMEOUT)”.

Below is the console output displayed when launching the script “./recovery-linux.sh” from TEZI:

$ ./recovery-linux.sh 

Install or update dfu-util from your distro should the provided one not work with your distro
Bus 003 Device 022: ID 0451:6165 Texas Instruments, Inc. AM62x DFU
dfu-util 0.11

Copyright 2005-2009 Weston Schmidt, Harald Welte and OpenMoko Inc.
Copyright 2010-2021 Tormod Volden and Stefan Schmidt
This program is Free Software and has ABSOLUTELY NO WARRANTY
Please report bugs to http://sourceforge.net/p/dfu-util/tickets/

Opening DFU capable USB device...
Device ID 0451:6165
Device DFU version 0110
Claiming USB DFU Interface...
Setting Alternate Interface #1 ...
Determining device status...
DFU state(2) = dfuIDLE, status(0) = No error condition is present
DFU mode device DFU version 0110
Device returned transfer size 512
Copying data from DFU device to PC
Upload	[=========================] 100%          200 bytes
Upload done.
Received a total of 200 bytes
dfu-util: can't detach
Resetting USB to switch back to Run-Time mode
SOC_TYPE=HSSE
Bus 003 Device 022: ID 0451:6165 Texas Instruments, Inc. AM62x DFU
dfu-util 0.11

Copyright 2005-2009 Weston Schmidt, Harald Welte and OpenMoko Inc.
Copyright 2010-2021 Tormod Volden and Stefan Schmidt
This program is Free Software and has ABSOLUTELY NO WARRANTY
Please report bugs to http://sourceforge.net/p/dfu-util/tickets/

dfu-util: Warning: Invalid DFU suffix signature
dfu-util: A valid DFU suffix will be required in a future dfu-util release
Waiting for device, exit with ctrl-C
Opening DFU capable USB device...
Device ID 0451:6165
Device DFU version 0110
Claiming USB DFU Interface...
Setting Alternate Interface #0 ...
Determining device status...
DFU state(2) = dfuIDLE, status(0) = No error condition is present
DFU mode device DFU version 0110
Device returned transfer size 512
Copying data from PC to DFU device
Download	[=========================] 100%       271124 bytes
Download done.
DFU state(6) = dfuMANIFEST-SYNC, status(0) = No error condition is present
dfu-util: unable to read DFU status after completion (LIBUSB_ERROR_TIMEOUT)


So is there any way to install a new image using TEZI (graphical mode) once our module has been fused?

Hi, I’m the Toradex AI Assistant.

I might make mistakes or occasionally get you wrong. Our support team will step in if needed.


Secure Boot and TEZI Recovery Issue on Verdin AM62

Based on your setup description (Verdin AM62 Quad 2GB WB IT v1.2A on Dahlia carrier board V1.1D with custom Yocto BSP 7.2 scarthgap), you’re experiencing a known limitation when using TEZI after enabling secure boot on AM62 modules.

Understanding the Issue

The error you’re encountering (dfu-util: unable to read DFU status after completion (LIBUSB_ERROR_TIMEOUT)) occurs because once the AM62 module is fused for secure boot, the DFU (Device Firmware Upgrade) mechanism used by TEZI’s recovery mode has compatibility issues with the secure boot implementation.

Alternative Installation Methods

Since TEZI graphical mode may not work reliably after fusing, you’ll need to use alternative methods to install your signed image:

  1. Direct SD Card Installation: Flash your signed image directly to an SD card using standard tools like dd or balenaEtcher
  2. U-Boot Installation: Use U-Boot commands to install the image if you have U-Boot console access
  3. Production Programming: Consider using production programming methods for deployment

Hardware Compatibility Note

Your Dahlia carrier board V1.1D is compatible with the Verdin AM62 module (1). However, be aware that there are known errata for Verdin AM62 modules, including potential issues with manufacturing that might affect various interfaces (2).

Recommendation

For production deployment with secure boot enabled, it’s recommended to move away from TEZI-based installation and implement a more robust production programming workflow that doesn’t rely on DFU mode.

Could you provide more details about your specific use case? Are you looking for a development workflow or preparing for production deployment? This will help determine the best alternative approach for your signed image installation.

Best regards, Toradex AI Assistant.


Hello @Cheryl,

You should be able to load TEZI by creating a signed tiboot3.bin boot container in which the u-boot proper has fastboot enabled.
However, doing this manually can be somewhat complex as we do not have guides to do this separately.

An alternative would be to build a signed version of TEZI.
To build the Toradex Easy Installer Image, you need to follow a very similar setup as when using our Yocto BSP.
Here is an example for Toradex Easy Installer 7.4.0:

  • Get the source code:
    repo init -u git://git.toradex.com/toradex-manifest.git -b refs/tags/7.4.0 -m tezi/default.xml
    repo sync
  • Source the environment script:
    . export
  • Run the build:
    MACHINE=verdin-am62 bitbake tezi-run

To sign this image so that it can be loaded to a fused device, you will need to add meta-toradex-security and do the setup that you did for building other signed images.

Best Regards,
Bruno

Thank you Bruno for your quick reply.

I am rebuilding TEZI using signed features. I will get back to you once testing is over with this new installer.

Also, the schematics of the Dahlia v1.1D show that the pin MSP_8 (VPP) of the Verdin AM62 SoM is not connected to the board. Is it possible that the module has not been fused properly?

Hello @Cheryl,

VPP should no longer be supplied externally to the Verdin AM62 V1.2 and newer boards.
In such boards there is an LDO in the SoM that supplies VPP adequately.

However, it is possible that the fusing did not work correctly.
If the board still boots images which are not signed, or it does not show up as an HS-SE board on u-boot, the fusing was not successful.

Best Regards,
Bruno

Good to know. “HS-SE” type is well-detected by TEZI when using the recovery script “recovery-linux.sh“. I guess this is good news.

Hello Bruno,

We did not manage to use TEZI on our fused board. We still get the error described in our first post when we call the script recovery-linux.sh.

recovery-linux.sh

The error appears during the execution of the following command:
sudo $DFU_UTIL -w -R -a bootloader --device $VID_PID_ROM -D $TIBOOT3_BIN

Then the script remains stuck indefinitely when the next command is called:
wait_usb_device $VID_PID_R5

signed TEZI image

Our TEZI image was built using the following configuration in local.conf:

...

MACHINE = "verdin-am62"

INHERIT += "tdx-signed"

TDX_K3_SECBOOT_ENABLE = "1"
TDX_K3_SECBOOT_KEY_DIR = "/home/<user>/keys/ti"
TDX_K3_SECBOOT_TARGET_HSSE_DEVICE = "1"

UBOOT_SIGN_ENABLE = "1"
TDX_AMEND_BOOT_SCRIPT = "0"

Could you please advise and guide us through the steps required to upload a new signed image to our am62 board configured in HS-SE using a custom TEZI compatible with secure-boot?

Best regards - Cheryl

Hello @Cheryl,

On your secure boot build of TEZI, do you also have a file with the following name?

tiboot3-am62x-hs-verdin.bin

If yes, this is the boot container that should be used.
TEZI by default will try to load the tiboot3-am62x-hs-fs-verdin.bin, which is not signed.

To simplify the changes, you could simply edit the TIBOOT3_HSFS_BIN variable in recovery-linux.sh to point to the correct file.

Best Regards,
Bruno

We followed your recommendations. The script went further but remains stuck at the last step below with the message Wait for Known USB Device Appear:

Below is a copy of the new console output…

./recovery-linux.sh

Install or update dfu-util from your distro should the provided one not work with your distro
Bus 003 Device 020: ID 0451:6165 Texas Instruments, Inc. AM62x DFU
dfu-util 0.11

Copyright 2005-2009 Weston Schmidt, Harald Welte and OpenMoko Inc.
Copyright 2010-2021 Tormod Volden and Stefan Schmidt
This program is Free Software and has ABSOLUTELY NO WARRANTY
Please report bugs to http://sourceforge.net/p/dfu-util/tickets/

Opening DFU capable USB device...
Device ID 0451:6165
Device DFU version 0110
Claiming USB DFU Interface...
Setting Alternate Interface #1 ...
Determining device status...
DFU state(2) = dfuIDLE, status(0) = No error condition is present
DFU mode device DFU version 0110
Device returned transfer size 512
Copying data from DFU device to PC
Upload	[=========================] 100%          200 bytes
Upload done.
Received a total of 200 bytes
dfu-util: can't detach
Resetting USB to switch back to Run-Time mode
Bus 003 Device 020: ID 0451:6165 Texas Instruments, Inc. AM62x DFU
dfu-util 0.11

Copyright 2005-2009 Weston Schmidt, Harald Welte and OpenMoko Inc.
Copyright 2010-2021 Tormod Volden and Stefan Schmidt
This program is Free Software and has ABSOLUTELY NO WARRANTY
Please report bugs to http://sourceforge.net/p/dfu-util/tickets/

dfu-util: Warning: Invalid DFU suffix signature
dfu-util: A valid DFU suffix will be required in a future dfu-util release
Waiting for device, exit with ctrl-C
Opening DFU capable USB device...
Device ID 0451:6165
Device DFU version 0110
Claiming USB DFU Interface...
Setting Alternate Interface #0 ...
Determining device status...
DFU state(2) = dfuIDLE, status(0) = No error condition is present
DFU mode device DFU version 0110
Device returned transfer size 512
Copying data from PC to DFU device
Download	[=========================] 100%       318966 bytes
Download done.
DFU state(6) = dfuMANIFEST-SYNC, status(0) = No error condition is present
dfu-util: unable to read DFU status after completion (LIBUSB_ERROR_IO)
Bus 003 Device 021: ID 1b67:4000 Toradex USB download gadget
dfu-util 0.11

Copyright 2005-2009 Weston Schmidt, Harald Welte and OpenMoko Inc.
Copyright 2010-2021 Tormod Volden and Stefan Schmidt
This program is Free Software and has ABSOLUTELY NO WARRANTY
Please report bugs to http://sourceforge.net/p/dfu-util/tickets/

dfu-util: Warning: Invalid DFU suffix signature
dfu-util: A valid DFU suffix will be required in a future dfu-util release
Waiting for device, exit with ctrl-C
Opening DFU capable USB device...
Device ID 1b67:4000
Device DFU version 0110
Claiming USB DFU Interface...
Setting Alternate Interface #0 ...
Determining device status...
DFU state(2) = dfuIDLE, status(0) = No error condition is present
DFU mode device DFU version 0110
Device returned transfer size 4096
Copying data from PC to DFU device
Download	[=========================] 100%      1299547 bytes
Download done.
DFU state(7) = dfuMANIFEST, status(0) = No error condition is present
DFU state(2) = dfuIDLE, status(0) = No error condition is present
Done!
Resetting USB to switch back to Run-Time mode
Bus 003 Device 022: ID 1b67:4000 Toradex USB download gadget
dfu-util 0.11

Copyright 2005-2009 Weston Schmidt, Harald Welte and OpenMoko Inc.
Copyright 2010-2021 Tormod Volden and Stefan Schmidt
This program is Free Software and has ABSOLUTELY NO WARRANTY
Please report bugs to http://sourceforge.net/p/dfu-util/tickets/

dfu-util: Warning: Invalid DFU suffix signature
dfu-util: A valid DFU suffix will be required in a future dfu-util release
Waiting for device, exit with ctrl-C
Opening DFU capable USB device...
Device ID 1b67:4000
Device DFU version 0110
Claiming USB DFU Interface...
Setting Alternate Interface #1 ...
Determining device status...
DFU state(2) = dfuIDLE, status(0) = No error condition is present
DFU mode device DFU version 0110
Device returned transfer size 4096
Copying data from PC to DFU device
Download	[=========================] 100%       923099 bytes
Download done.
DFU state(7) = dfuMANIFEST, status(0) = No error condition is present
DFU state(2) = dfuIDLE, status(0) = No error condition is present
Done!
Resetting USB to switch back to Run-Time mode
Downloading Toradex Easy Installer...
uuu (Universal Update Utility) for nxp imx chips -- libuuu_1.5.233-0-g79ce7d2

Success 0    Failure 0             Wait for Known USB Device Appear...

Hello @Cheryl,

Do you see anything on the serial output of the device?

It looks like u-boot on the device is not entering fastboot mode.

In the meantime, I will setup a build here to test this as well.

Best Regards,
Bruno

No, there is nothing on the serial output since I rebooted the board after having fused it using the OTP Keywriter.

Hello @Cheryl,

I was able to test this here and successfully load the Toradex Easy Installer to a Fused Verdin AM62.

To build the signed TEZI image, the following patch is needed on meta-toradex-security:

tezi-am62-secboot.patch (823 Bytes)

The following configuration was used for the build:

TDX_K3_SECBOOT_ENABLE = "1"
INHERIT += "tdx-signed"
TDX_K3_SECBOOT_KEY_DIR = "/home/<user>/keys/ti"

TDX_K3_SECBOOT_TARGET_HSSE_DEVICE = "1"

TDX_UBOOT_HARDENING_ENABLE = "0"
UBOOT_SIGN_ENABLE = "1"
TDX_AMEND_BOOT_SCRIPT = "0"

You are probably missing TDX_UBOOT_HARDENING_ENABLE = "0".

Can you give it a try with u-boot hardening disabled?
With it enabled, fastboot which is used to load the Toradex Easy Installer is not enabled.

Best Regards,
Bruno
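
A preflight check for the settings discussed above, as an added example that is not part of the original posts or of Toradex's tooling: it compares a local.conf against the configuration posted in this reply and maps the SOC_TYPE printed by recovery-linux.sh to the boot container named earlier in the thread. The function names are hypothetical and the sample local.conf is constructed from the first configuration posted in the thread.

```shell
#!/bin/sh
# Added example: preflight check of local.conf for a signed TEZI build (HS-SE Verdin AM62).
# Expected values are the ones posted in this thread; function names are hypothetical.

# Print the last value assigned to variable $2 in conf file $1 (=, ?=, += or :=).
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*[?+:]*=[[:space:]]*\"\(.*\)\"[[:space:]]*\$/\1/p" "$1" |
        tail -n 1
}

# Return 0 if the conf matches the working configuration, else list each mismatch.
check_tezi_secboot_conf() {
    conf=$1; rc=0
    for pair in TDX_K3_SECBOOT_ENABLE=1 TDX_K3_SECBOOT_TARGET_HSSE_DEVICE=1 \
                TDX_UBOOT_HARDENING_ENABLE=0 UBOOT_SIGN_ENABLE=1 TDX_AMEND_BOOT_SCRIPT=0
    do
        var=${pair%%=*}; want=${pair#*=}
        got=$(conf_value "$conf" "$var")
        if [ "$got" != "$want" ]; then
            echo "FAIL $var: want \"$want\", found \"${got:-<unset>}\""
            rc=1
        fi
    done
    grep -Eq '^[[:space:]]*INHERIT[[:space:]]*\+?=.*tdx-signed' "$conf" ||
        { echo "FAIL INHERIT does not include tdx-signed"; rc=1; }
    [ -n "$(conf_value "$conf" TDX_K3_SECBOOT_KEY_DIR)" ] ||
        { echo "FAIL TDX_K3_SECBOOT_KEY_DIR is not set"; rc=1; }
    return "$rc"
}

# Boot container to send for the SOC_TYPE that recovery-linux.sh prints.
tiboot3_for_soc_type() {
    case $1 in
        HSSE) echo tiboot3-am62x-hs-verdin.bin ;;     # signed, for fused modules
        *)    echo tiboot3-am62x-hs-fs-verdin.bin ;;  # TEZI default, not signed
    esac
}

# Constructed sample: the first configuration posted in the thread (no hardening line).
sample=$(mktemp)
cat > "$sample" <<'EOF'
INHERIT += "tdx-signed"
TDX_K3_SECBOOT_ENABLE = "1"
TDX_K3_SECBOOT_KEY_DIR = "/home/<user>/keys/ti"
TDX_K3_SECBOOT_TARGET_HSSE_DEVICE = "1"
UBOOT_SIGN_ENABLE = "1"
TDX_AMEND_BOOT_SCRIPT = "0"
EOF
check_tezi_secboot_conf "$sample" || echo "fix local.conf before building tezi-run"
rm -f "$sample"
```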

Hello,

You were right, we do manage to compile and start TEZI once TDX_UBOOT_HARDENING_ENABLE = "0" has been added to our configuration and by using tiboot3-am62x-hs-verdin.bin.

Thank you very much for your help.

Hi @Cheryl,

Thanks for the update.

Best Regards,
Bruno