The following figure provides a diagram of an HSM mode boot image for a Zynq®-7000 SoC device. The steps to create this boot image are immediately after the diagram.
The process to create a boot image using HSM mode for a Zynq®-7000 SoC device is similar to that of a boot image created using a standard flow with the following BIF file. These examples, where needed, use the OpenSSL program to generate hash files.
all:
{
[aeskeyfile]my_efuse.nky
[pskfile]primary.pem
[sskfile]secondary.pem
[bootloader,encryption=aes,authentication=rsa] zynq_fsbl_0.elf
[authentication=rsa]system.bit
}
Stage 0: Generate a hash for SPK
This stage generates the hash of the SPK key.
stage0:
{
[ppkfile] primary.pub
[spkfile] secondary.pub
}
The following is the Bootgen command.
bootgen -image stage0.bif -w -generate_hashes
Stage 1: Sign the SPK Hash
This stage creates the signatures by signing the SPK hash.
xil_rsa_sign.exe -gensig -sk primary.pem -data secondary.pub.sha256 -out secondary.pub.sha256.sig
Or by using the following OpenSSL program.
#Swap the bytes in SPK hash
objcopy -I binary -O binary --reverse-bytes=256 secondary.pub.sha256
#Generate SPK signature using OpenSSL
openssl rsautl -raw -sign -inkey primary.pem -in secondary.pub.sha256 > secondary.pub.sha256.sig
#Swap the bytes in SPK signature
objcopy -I binary -O binary --reverse-bytes=256 secondary.pub.sha256.sig
Stage 2: Encrypt using AES
This stage encrypts the partition. The stage2.bif is as follows.
stage2:
{
[aeskeyfile] my_efuse.nky
[bootloader, encryption=aes] zynq_fsbl_0.elf
}
bootgen -image stage2.bif -w -o fsbl_e.bin -encrypt efuse
The output is the encrypted file fsbl_e.bin.
Stage 3: Generate Partition Hashes
This stage generates the hashes of different partitions.
The BIF file is as follows:
stage3a:
{
[ppkfile] primary.pub
[spkfile] secondary.pub
[spksignature] secondary.pub.sha256.sig
[bootimage, authentication=rsa] fsbl_e.bin
}
The Bootgen command is as follows.
bootgen -image stage3a.bif -w -generate_hashes
The output is the hash file zynq_fsbl_0.elf.0.sha256.
The stage3b BIF file is as follows:
stage3b:
{
[ppkfile] primary.pub
[spkfile] secondary.pub
[spksignature] secondary.pub.sha256.sig
[authentication=rsa] system.bit
}
The Bootgen command is as follows.
bootgen -image stage3b.bif -w -generate_hashes
The output is the hash file system.bit.0.sha256.
Stage 4: Sign the Hashes
This stage creates signatures from the partition hash files created.
xil_rsa_sign.exe -gensig -sk secondary.pem -data zynq_fsbl_0.elf.0.sha256 -out zynq_fsbl_0.elf.0.sha256.sig
Or by using the following OpenSSL program.
#Swap the bytes in FSBL hash
objcopy -I binary -O binary --reverse-bytes=256 zynq_fsbl_0.elf.0.sha256
#Generate FSBL signature using OpenSSL
openssl rsautl -raw -sign -inkey secondary.pem -in zynq_fsbl_0.elf.0.sha256 > zynq_fsbl_0.elf.0.sha256.sig
#Swap the bytes in FSBL signature
objcopy -I binary -O binary --reverse-bytes=256 zynq_fsbl_0.elf.0.sha256.sig
The output is the signature file zynq_fsbl_0.elf.0.sha256.sig.
xil_rsa_sign.exe -gensig -sk secondary.pem -data system.bit.0.sha256 -out system.bit.0.sha256.sig
Or by using the following OpenSSL program.
#Swap the bytes in bitstream hash
objcopy -I binary -O binary --reverse-bytes=256 system.bit.0.sha256
#Generate bitstream signature using OpenSSL
openssl rsautl -raw -sign -inkey secondary.pem -in system.bit.0.sha256 > system.bit.0.sha256.sig
#Swap the bytes in bitstream signature
objcopy -I binary -O binary --reverse-bytes=256 system.bit.0.sha256.sig
The output is the signature file system.bit.0.sha256.sig.
Stage 5: Insert Partition Signatures
This stage inserts the partition signatures created above into authentication certificates.
The stage5a.bif is as follows.
stage5a:
{
[ppkfile] primary.pub
[spkfile] secondary.pub
[spksignature] secondary.pub.sha256.sig
[bootimage, authentication=rsa, presign=zynq_fsbl_0.elf.0.sha256.sig] fsbl_e.bin
}
The Bootgen command is as follows.
bootgen -image stage5a.bif -w -o fsbl_e_ac.bin -efuseppkbits efuseppkbits.txt -nonbooting
The authenticated output files are fsbl_e_ac.bin and efuseppkbits.txt.
stage5b:
{
[ppkfile] primary.pub
[spkfile] secondary.pub
[spksignature] secondary.pub.sha256.sig
[authentication=rsa, presign=system.bit.0.sha256.sig] system.bit
}
The Bootgen command is as follows.
bootgen -image stage5b.bif -o system_e_ac.bin -nonbooting
The authenticated output file is system_e_ac.bin.
Stage 6: Generate Header Table Hash
This stage generates the hash for the header tables.
The stage6.bif is as follows.
stage6:
{
[bootimage] fsbl_e_ac.bin
[bootimage] system_e_ac.bin
}
The Bootgen command is as follows.
bootgen -image stage6.bif -generate_hashes
The output hash file is ImageHeaderTable.sha256.
Stage 7: Generate Header Table Signature
This stage generates the header table signature.
xil_rsa_sign.exe -gensig -sk secondary.pem -data ImageHeaderTable.sha256 -out ImageHeaderTable.sha256.sig
Or by using the following OpenSSL program:
#Swap the bytes in header table hash
objcopy -I binary -O binary --reverse-bytes=256 ImageHeaderTable.sha256
#Generate header table signature using OpenSSL
openssl rsautl -raw -sign -inkey secondary.pem -in ImageHeaderTable.sha256 > ImageHeaderTable.sha256.sig
#Swap the bytes in header table signature
objcopy -I binary -O binary --reverse-bytes=256 ImageHeaderTable.sha256.sig
The output is the signature file ImageHeaderTable.sha256.sig.
Stage 8: Combine Partitions, Insert Header Table Signature
The stage8.bif is as follows:
stage8:
{
[headersignature] ImageHeaderTable.sha256.sig
[bootimage] fsbl_e_ac.bin
[bootimage] system_e_ac.bin
}
The Bootgen command is as follows:
bootgen -image stage8.bif -w -o final.bin
The output is the boot image file final.bin.
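The swap, raw-sign, swap sequence used in Stages 1, 4 and 7 can be checked with only the public key before a returned signature file is inserted through spksignature, presign or headersignature. The following Python example is added here and is not part of the Xilinx tools or flow; it models the objcopy and openssl rsautl -raw steps shown above, and its function names, the seeded throwaway key, the exponent 65537 and the 256-byte sample block are assumptions constructed for illustration.

```python
import hashlib
import random

BLOCK = 256   # bytes in an RSA-2048 block, the group size in --reverse-bytes=256
E = 65537     # assumed public exponent

def swap(data: bytes) -> bytes:
    """Same effect as objcopy --reverse-bytes=256: reverse each 256-byte group."""
    if len(data) % BLOCK:
        raise ValueError("length must be a multiple of 256 bytes")
    return b"".join(data[i:i + BLOCK][::-1] for i in range(0, len(data), BLOCK))

def raw_sign(hash_file: bytes, n: int, d: int) -> bytes:
    """Swap, unpadded private-key operation (rsautl -raw -sign), swap back."""
    m = int.from_bytes(swap(hash_file), "big")
    if len(hash_file) != BLOCK or m >= n:
        raise ValueError("hash file is not one block smaller than the modulus")
    return swap(pow(m, d, n).to_bytes(BLOCK, "big"))

def verify_sig(hash_file: bytes, sig_file: bytes, n: int, e: int = E) -> bool:
    """Public-key check of a returned .sig against the hash file that was sent."""
    if len(hash_file) != BLOCK or len(sig_file) != BLOCK:
        return False
    s = int.from_bytes(swap(sig_file), "big")
    if s >= n:
        return False
    return swap(pow(s, e, n).to_bytes(BLOCK, "big")) == hash_file

def make_test_key(seed: int = 7000):
    """Constructed throwaway RSA-2048 key from a seeded PRNG. Not secure."""
    rng = random.Random(seed)
    def prime() -> int:
        while True:
            c = rng.getrandbits(1024) | (3 << 1022) | 1
            # Fermat test is enough for a demo key; (c - 1) % E keeps E invertible
            if (c - 1) % E and pow(2, c - 1, c) == 1:
                return c
    p, q = prime(), prime()
    return p * q, pow(E, -1, (p - 1) * (q - 1))

N, D = make_test_key()
# Constructed stand-in for a 256-byte hash file (not Bootgen's exact layout),
# stored byte-reversed so that swapping yields a big-endian value below N.
digest = hashlib.sha256(b"constructed partition data").digest()
HASH = swap(b"\x00\x01" + b"\xff" * 221 + b"\x00" + digest)
SIG = raw_sign(HASH, N, D)

if __name__ == "__main__":
    print("signature verifies:", verify_sig(HASH, SIG, N))
    print("reversed hash verifies:", verify_sig(HASH[::-1], SIG, N))
```

In a real flow the modulus and exponent passed to verify_sig would come from primary.pub for the SPK signature and from secondary.pub for the partition and header table signatures.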