Authentication - 2020.2 English

Zynq UltraScale+ MPSoC Software Developer Guide (UG1137)

Document ID
Release Date
2020.2 English

The SHA hardware accelerator included in the Zynq UltraScale+ MPSoC implements the SHA-3 algorithm and produces a 384-bit digest. It is used together with the RSA accelerator to provide image authentication These blocks (SHA-3/384, and RSA) are hardened and part of crypto interface block (CIB). You can use authentication by itself or in conjunction with encryption.

Authentication flow treats the FSBL as raw data, where it makes no difference whether the image is encrypted or not. There are two level of keys: primary key (PK) and secondary Key (SK).

Each key has two complementary parts: secret key and public key:

  • PK contains primary public key (PPK) and primary secret key (PSK).
  • SK contains secondary public key (SPK) and secondary secret key (SSK).

The hardened RSA block in the CIB is a Montgomery multiplier for acceleration of the big math required for RSA. The hardware accelerator can be used for signature generation or verification. The ROM code only supports signature verification. Secret keys are only used in the signature generation stage when the certificate is generated.

Important: Signature generation is not done on the device, but in software during preparation of the boot image.

To better understand the format of the authentication certificate, see Bootgen User Guide (UG1283).

As with all asymmetric algorithms, the private (secret) keys (PSK and SSK) are used to sign while the public versions (PPK and SPK) are used to verify (authenticate). The equations for each signature (SPK, boot header, and boot image) are listed here:

  • SPK signature. The 512 bytes of the SPK signature is generated by the following calculation:
    SPK signature = RSA(PSK, padding || SHA(SPK+ auth_header)).
  • Boot header signature. The 512 bytes of the boot header signature is generated by the following calculation:
    Boot header signature = RSA(SSK, padding || SHA(boot header)).
  • Boot image signature. The 512 bytes of the boot image signature is generated by the following calculation:
    BI signature = RSA(SSK, padding || SHA(PFW + FSBL + authentication certificate)).
Note: For SHA-3 authentication, Xilinx uses Keccak SHA3 to calculate hash on boot header, PPK hash and boot image. NIST-SHA3 is used for all other partitions which are not loaded by ROM. The difference between the two is padding (10*1 vs 0110*1). Request XPT475 from your Xilinx representative for details on the NIST variances.

Bootgen supports RSA-4096 signature generation only. The modulus, exponentiation and precalculated R^2 Mod N are required. Software is supported only for RSA public key encryption, for encrypting the signature RSA engine requires modulus, exponentiation and pre-calculated R^2 Mod N, all these are extracted from keys.