6.1 Customer Key Message

The customer key message bundle can be generated either with the secure_sam_ba_cipher.py script and its customer-key command, or directly with the sam_gen_keypayload.py command. Both methods require a valid license.

secure_sam_ba_cipher.py command:

/secure_sam_ba_cipher-3.9.0/secure_sam_ba_cipher.py customer-key -d sam9x60 -l ../sam9x60_license.txt -pk ../sam9x60_license_priv_key.pem -k sam9x60_cstm_keys.txt -o cstm_keys_msg.cip

The sam9x60_cstm_keys.txt customer key file should be formatted as follows:

CBC_KEY=00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
CBC_IV=0123456789abcdef0123456789abcdef
CMAC_KEY=cafecafecafecafecafecafecafecafecafecafecafecafecafecafecafecafe
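
A pre-flight check for the old-format key file shown above, added here as an example; it is not part of the SAM-BA tooling or of the original document. The field sizes are inferred from the sample file, the function names and the rsa_signature parameter are this example's own, and CMAC_KEY is treated as mandatory as the note at the end of this section requires.

```python
import re

# Field sizes in bytes, inferred from the sample file on this page (assumption).
EXPECTED_LEN = {"CBC_KEY": 32, "CBC_IV": 16, "CMAC_KEY": 32}
# The sample values printed on this page; they must never reach a real key file.
DOC_SAMPLES = {"00112233445566778899aabbccddeeff" * 2,
               "0123456789abcdef0123456789abcdef", "cafe" * 16}

def parse_key_file(text):
    """Parse NAME=hex lines into a dict, rejecting malformed or duplicate lines."""
    fields = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        name, sep, value = line.partition("=")
        name = name.strip()
        if not sep or not name:
            raise ValueError(f"line {n}: expected NAME=VALUE")
        if name in fields:
            raise ValueError(f"line {n}: duplicate field {name}")
        fields[name] = value.strip().lower()
    return fields

def check_key_file(text, rsa_signature=False):
    """Return a list of findings; an empty list means the file passed."""
    fields = parse_key_file(text)
    findings = []
    for name, size in EXPECTED_LEN.items():
        value = fields.get(name)
        if value is None:
            findings.append(f"{name}: missing")
        elif len(value) != 2 * size or not re.fullmatch(r"[0-9a-f]+", value):
            findings.append(f"{name}: expected {2 * size} hex digits")
        elif name == "CMAC_KEY" and rsa_signature:
            continue  # hypothetical flag: a dummy CMAC key is allowed in RSA mode
        elif value in DOC_SAMPLES:
            findings.append(f"{name}: documentation sample value")
        elif len(set(bytes.fromhex(value))) < 8:
            findings.append(f"{name}: low-variety value, looks like a placeholder")
    key = fields.get("CBC_KEY")
    if key and not rsa_signature and key == fields.get("CMAC_KEY"):
        findings.append("CBC_KEY and CMAC_KEY are identical; use independent keys")
    return findings

# Constructed input: the sample file printed on this page, which should be flagged.
DOC_SAMPLE_FILE = ("CBC_KEY=" + "00112233445566778899aabbccddeeff" * 2 + "\n"
                   + "CBC_IV=0123456789abcdef0123456789abcdef\n"
                   + "CMAC_KEY=" + "cafe" * 16 + "\n")
if __name__ == "__main__":
    print("\n".join(check_key_file(DOC_SAMPLE_FILE)))
```

Run on the sample file, the check reports all three fields as documentation sample values; with rsa_signature=True only CBC_KEY and CBC_IV are reported.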

sam_gen_keypayload.py command:

/secure_sam_ba_cipher-3.9.1/sam_gen_keypayload.py -l ../sam9x60_license.txt -pk ../sam9x60_license_priv_key.pem -k sam9x60_cstm_keys_new_format.yaml -o cstm_keys_msg_new_format.cip

sam9x60_cstm_keys_new_format.yaml is the customer key file in the new format:

chip_type: sam9x60
image_type: secure
security:
  cipher:
    iv_data: data:0123456789abcdef0123456789abcdef
    key_data: data:cafecafecafecafecafecafecafecafecafecafecafecafecafecafecafecafe
    type: AES
  signature:
    key_data: data:00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
    type: CMAC_AES

To convert the customer key from the old format to the new format, use the secure_sam_ba_cipher.py tool with the convert-key-file command as shown:

Figure 6-1. Generating the Customer Key Message on Host
Note: The CMAC signature key data is mandatory to generate the customer key message bundle. If the RSA signature mode is selected, the CMAC key data should contain some dummy values.