Note: For SHA-3 authentication, always use Keccak SHA-3 to calculate the hash of the boot header, the PPK hash and the boot image. NIST-SHA3 is used for all other partitions, which are not loaded by ROM.
The generated signature uses Keccak-SHA3 or NIST-SHA3 according to the following table:
Which Authentication Certificate (AC)? | Signature | SHA Algorithm and SPK eFUSE | Secret Key used for Signature Generation |
---|---|---|---|
Partitions header AC (loaded by FSBL/FW) | SPK Signature | If SPKID eFUSEs, then Keccak; If User eFUSE, then NIST | PSK |
Partitions header AC (loaded by FSBL/FW) | BH Signature | Always Keccak | SSKheader |
Partitions header AC (loaded by FSBL/FW) | Header Signature | Always NIST | SSKheader |
BootLoader (FSBL) AC (loaded by ROM) | SPK Signature | Always Keccak; Always SPKID eFUSE for SPK | PSK |
BootLoader (FSBL) AC (loaded by ROM) | BH Signature | Always Keccak | SSKBootloader |
BootLoader (FSBL) AC (loaded by ROM) | FSBL Signature | Always Keccak | SSKBootloader |
Other Partition AC (loaded by FSBL FW) | SPK Signature | If SPKID eFUSEs, then Keccak; If User eFUSE, then NIST | PSK |
Other Partition AC (loaded by FSBL FW) | BH Signature | Always Keccak padding | SSKPartition |
Other Partition AC (loaded by FSBL FW) | Partition Signature | Always NIST padding | SSKPartition |
Examples
Example 1: BIF file for authenticating the partitions with a single set of key files:
```
image:
{
    // bh_auth_enable selects boot header authentication: RSA authentication
    // is done without verifying the PPK hash and SPK ID
    [fsbl_config] bh_auth_enable
    [auth_params] ppk_select=0; spk_id=0x00000000
    [pskfile] primary_4096.pem
    [sskfile] secondary_4096.pem
    [pmufw_image] pmufw.elf
    [bootloader, authentication=rsa, destination_cpu=a53-0] fsbl.elf
    [authentication=rsa, destination_cpu=r5-0] hello.elf
}
```
Example 2: BIF file for authenticating the partitions with a separate secondary key for each partition:
```
image:
{
    [auth_params] ppk_select=1
    [pskfile] primary_4096.pem
    [sskfile] secondary_4096.pem

    // FSBL (Partition-0)
    [
        bootloader,
        destination_cpu = a53-0,
        authentication = rsa,
        spk_id = 0x01,
        sskfile = secondary_p1.pem
    ] fsbla53.elf

    // ATF (Partition-1)
    [
        destination_cpu = a53-0,
        authentication = rsa,
        exception_level = el-3,
        trustzone = secure,
        spk_id = 0x01,
        sskfile = secondary_p2.pem
    ] bl31.elf

    // UBOOT (Partition-2)
    [
        destination_cpu = a53-0,
        authentication = rsa,
        exception_level = el-2,
        spk_id = 0x01,
        sskfile = secondary_p3.pem
    ] u-boot.elf
}
```