Design Advisories for Bootgen - 2021.1 English
Bootgen User Guide (UG1283)
Document ID: UG1283
Release Date: 2021-06-16
Version: 2021.1 English
Xilinx recommends that you generate your own keys for fielded systems and then provide those keys to the development tools. See AR#76171 for more information.
In this release, only a few encryption key rolling blocks are supported for Versal. See AR#76515 for more information.