Team-A encrypts the boot loader with the device key (using the Op Key option) and delivers the encrypted bootloader to Team-B. Team-B encrypts all the other partitions using the Op Key.
Team-B takes the encrypted partitions that they created and the encrypted boot loader they received from Team-A and uses Bootgen to ‘stitch’ everything together into a single boot.bin.
The following procedures describe the steps to build an image:
Procedure 1
In the initial step, Team-A encrypts the boot loader with the device key using the opt_key option and delivers the encrypted boot loader to Team-B. Team-B can then create the complete image in one go, with all the partitions and the encrypted boot loader, using the operational key as the device key.
- Encrypt boot loader with device key:
    bootgen -arch zynqmp -image stage1.bif -o fsbl_e.bin -w on -log error
Example stage1.bif:
    stage1:
    {
        [aeskeyfile] aes.nky
        [fsbl_config] opt_key
        [keysrc_encryption] bbram_red_key
        [bootloader,destination_cpu=a53-0,encryption=aes]fsbl.elf
    }
Example aes.nky for stage1:
    Device xc7z020clg484;
    Key 0 AD00C023E238AC9039EA984D49AA8C819456A98C124AE890ACEF002100128932;
    IV 0 F7F8FDE08674A28DC6ED8E37;
    Key Opt 229C993D1310DD27B6713749B6D07FCF8D3DCA01EC9C64778CBAF457D613508F;
- Attach the encrypted boot loader and rest of the partitions with the operational key as device key to form a complete image:
    bootgen -arch zynqmp -image stage2.bif -o final.bin -w on -log error
Example of stage2.bif:
    stage2:
    {
        [aeskeyfile] aes-opt.nky
        [bootimage]fsbl_e.bin
        [destination_cpu=a53-0,encryption=aes]hello.elf
        [destination_cpu=a53-1,encryption=aes]hello1.elf
    }
Example aes-opt.nky for stage2:
    Device xc7z020clg484;
    Key 0 229C993D1310DD27B6713749B6D07FCF8D3DCA01EC9C64778CBAF457D613508F;
    IV 0 F7F8FDE08674A28DC6ED8E37;
Procedure 2
In the initial step, Team-A encrypts the boot loader with the device key using the opt_key option and delivers the encrypted boot loader to Team-B. Now, Team-B can create encrypted images for each partition independently, using the operational key as the device key. Finally, Team-B can use Bootgen to stitch all the encrypted partitions and the encrypted boot loader, to get the complete image.
- Encrypt boot loader with device key:
    bootgen -arch zynqmp -image stage1.bif -o fsbl_e.bin -w on -log error
Example stage1.bif:
    stage1:
    {
        [aeskeyfile] aes.nky
        [fsbl_config] opt_key
        [keysrc_encryption] bbram_red_key
        [bootloader,destination_cpu=a53-0,encryption=aes]fsbl.elf
    }
Example aes.nky for stage1:
    Device xc7z020clg484;
    Key 0 AD00C023E238AC9039EA984D49AA8C819456A98C124AE890ACEF002100128932;
    IV 0 F7F8FDE08674A28DC6ED8E37;
    Key Opt 229C993D1310DD27B6713749B6D07FCF8D3DCA01EC9C64778CBAF457D613508F;
- Encrypt the rest of the partitions with operational key as device key:
    bootgen -arch zynqmp -image stage2a.bif -o hello_e.bin -w on -log error
Example of stage2a.bif:
    stage2a:
    {
        [aeskeyfile] aes-opt.nky
        [destination_cpu=a53-0,encryption=aes]hello.elf
    }
    bootgen -arch zynqmp -image stage2b.bif -o hello1_e.bin -w on -log error
Example of stage2b.bif:
    stage2b:
    {
        [aeskeyfile] aes-opt.nky
        [destination_cpu=a53-1,encryption=aes]hello1.elf
    }
Example of aes-opt.nky for stage2a and stage2b:
    Device xc7z020clg484;
    Key 0 229C993D1310DD27B6713749B6D07FCF8D3DCA01EC9C64778CBAF457D613508F;
    IV 0 F7F8FDE08674A28DC6ED8E37;
- Use Bootgen to stitch the above to form a complete image:
Example of stage3.bif:
    stage3:
    {
        [bootimage]fsbl_e.bin
        [bootimage]hello_e.bin
        [bootimage]hello1_e.bin
    }
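Both procedures depend on the same key hand-off: Team-B's aes-opt.nky must carry Team-A's Key Opt as its Key 0 and must never contain the device key. The following check is an added example, not part of the original page or of Bootgen; the function names parse_nky and check_handoff are hypothetical, the key text is copied from the example files above, and the parser assumes only the "Name value;" statement form shown on this page.

```python
import re

# Key file contents copied from the example aes.nky and aes-opt.nky on this page.
TEAM_A_NKY = """Device xc7z020clg484;
Key 0 AD00C023E238AC9039EA984D49AA8C819456A98C124AE890ACEF002100128932;
IV 0 F7F8FDE08674A28DC6ED8E37;
Key Opt 229C993D1310DD27B6713749B6D07FCF8D3DCA01EC9C64778CBAF457D613508F;
"""
TEAM_B_NKY = """Device xc7z020clg484;
Key 0 229C993D1310DD27B6713749B6D07FCF8D3DCA01EC9C64778CBAF457D613508F;
IV 0 F7F8FDE08674A28DC6ED8E37;
"""

HEX256 = re.compile(r"[0-9A-F]{64}")  # the keys on this page are 64 hex digits


def parse_nky(text):
    """Parse ';'-terminated 'Name value' statements into a dict (hypothetical helper)."""
    fields = {}
    for stmt in text.split(";"):
        parts = stmt.split()
        if not parts:
            continue
        if len(parts) < 2:
            raise ValueError(f"malformed statement: {stmt.strip()!r}")
        name, value = " ".join(parts[:-1]), parts[-1].upper()
        if name in fields:
            raise ValueError(f"duplicate statement: {name}")
        fields[name] = value
    return fields


def check_handoff(team_a_nky, team_b_nky):
    """Return a list of problems with the Team-A to Team-B key hand-off (empty if none)."""
    a, b = parse_nky(team_a_nky), parse_nky(team_b_nky)
    problems = []
    for who, fields, names in (("Team-A", a, ("Key 0", "Key Opt")), ("Team-B", b, ("Key 0",))):
        for name in names:
            if not HEX256.fullmatch(fields.get(name, "")):
                problems.append(f"{who}: '{name}' missing or not 64 hex digits")
    device_key, op_key = a.get("Key 0"), a.get("Key Opt")
    if device_key and device_key == op_key:
        problems.append("Team-A: Key Opt equals the device key")
    if op_key and b.get("Key 0") != op_key:
        problems.append("Team-B: Key 0 is not Team-A's Key Opt")
    if device_key and device_key in b.values():
        problems.append("Team-B: key file contains the device key")
    return problems
```

Running check_handoff on the two files before Team-B invokes Bootgen catches the case where the full aes.nky was handed over instead of aes-opt.nky.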