Stage 0: Encrypt and authenticate the plain bitstream with a dummy key
Add the keylife parameter if keyrolling is required. You can provide the .nky file, or Bootgen can generate a .nky file that contains the keys for encryption. Obfuscated AES key generation is not supported by Bootgen. The keylife parameter is necessary for the keyrolling feature.
the_ROM_image:
{
[aeskeyfile] encrypt.nky
[sskfile] dummykey.pem
[encryption=aes, authentication=rsa, keylife=32] plain-system.bit
}
bootgen -arch fpga -image stage0.bif -w -o auth-encrypt-system.bit -log info
After this step, the .nky file is generated if encryption is enabled. This file contains all the keys.
Stage 1: Generate hashes
See the following code for an example.
the_ROM_image:
{
[authentication=rsa] auth-encrypt-system.bit
}
bootgen -arch fpga -image stage1.bif -generate_hashes -log info
Stage 2: Sign the hash with the HSM
Here, OpenSSL is used for demonstration.
openssl rsautl -sign -inkey rsaPrivKeyInfo.pem -in auth-encrypt-system.sha384 > auth-encrypt-system.sha384.sig
You can use the HSM server to sign the hashes. For SSI technology devices, generate the signatures for each super logic region (SLR). The following example shows the code to generate the signatures for a device with four SLRs.
openssl rsautl -sign -inkey rsaPrivKeyInfo.pem -in auth-encrypt-system.0.sha384 > auth-encrypt-system.0.sha384.sig
openssl rsautl -sign -inkey rsaPrivKeyInfo.pem -in auth-encrypt-system.1.sha384 > auth-encrypt-system.1.sha384.sig
openssl rsautl -sign -inkey rsaPrivKeyInfo.pem -in auth-encrypt-system.2.sha384 > auth-encrypt-system.2.sha384.sig
openssl rsautl -sign -inkey rsaPrivKeyInfo.pem -in auth-encrypt-system.3.sha384 > auth-encrypt-system.3.sha384.sig
Stage 3: Update the RSA certificate with the actual signature
See the following code for an example.
the_ROM_image:
{
[spkfile] rsaPubKeyInfo.pem
[authentication=rsa, presign=auth-encrypt-system.sha384.sig] auth-encrypt-system.bit
}
bootgen -arch fpga -image stage3.bif -w -o rsa_encrypt.bit -log info
Note: For SSI technology devices, use presign=<first presign filename>:<number of total presigns>. For example, a device with four SLRs should have presign=<first presign filename>:4.
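The following added example (not part of the Bootgen documentation or any vendor code) checks the signature files returned in Stage 2 before Stage 3 embeds them: each .sig must recover its matching .sha384 file under the public key, and the function returns the presign value, including the :<count> form for SSI devices. It assumes the HSM returns signatures in the same format as the openssl rsautl -sign demonstration above and that the modulus n and exponent e have already been read from rsaPubKeyInfo.pem; the function names are hypothetical.

```python
# Added example, not Bootgen or vendor code. Assumes the HSM signs the way the
# page's `openssl rsautl -sign` demo does: PKCS#1 v1.5 type-1 padding applied
# directly to the hash file contents. n and e come from rsaPubKeyInfo.pem.
import hmac
from pathlib import Path

def recover_payload(sig, n, e):
    """Undo the RSA operation and strip the 00 01 FF..FF 00 padding."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        raise ValueError(f"signature is {len(sig)} bytes, modulus is {k}")
    s = int.from_bytes(sig, "big")
    if s >= n:
        raise ValueError("signature value out of range for this key")
    em = pow(s, e, n).to_bytes(k, "big")
    sep = em.find(b"\x00", 2)
    # Require at least eight FF bytes between the 00 01 header and the separator.
    if em[:2] != b"\x00\x01" or sep < 10 or em[2:sep] != b"\xff" * (sep - 2):
        raise ValueError("bad PKCS#1 v1.5 padding (wrong key or corrupt file)")
    return em[sep + 1:]

def hash_names(bit_name, slrs=1):
    """Hash file names as shown on the page: one per SLR on SSI devices."""
    base = bit_name[:-4] if bit_name.endswith(".bit") else bit_name
    if slrs == 1:
        return [f"{base}.sha384"]
    return [f"{base}.{i}.sha384" for i in range(slrs)]

def check_presigns(workdir, bit_name, n, e, slrs=1):
    """Verify every .sig against its hash; return the Stage 3 presign value."""
    names = hash_names(bit_name, slrs)
    for name in names:
        # A missing hash or signature file raises FileNotFoundError here.
        digest = (Path(workdir) / name).read_bytes()
        sig = (Path(workdir) / (name + ".sig")).read_bytes()
        if not hmac.compare_digest(recover_payload(sig, n, e), digest):
            raise ValueError(f"{name}.sig does not sign {name}")
    first = names[0] + ".sig"
    return first if slrs == 1 else f"{first}:{slrs}"
```

A swapped or stale per-SLR signature is reported by file name here, before the signatures are embedded in the final bitstream.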