Design Advisories for Bootgen - 2023.1 English
Bootgen User Guide (UG1283)
Document ID: UG1283
Release Date: 2023-07-26
Version: 2023.1 English
AMD recommends that you generate your own keys for fielded systems and then provide those keys to the development tools. See Answer Record 76171 for more information.
In this release, only a few encryption key rolling blocks are supported for Versal. See Answer Record 76515 for more information.