Bootgen supports RSA-4096 and ECDSA (P-384 and P-521 curves) for Versal adaptive SoC authentication. NIST SHA-3 is used to hash all partitions and headers; the signature computed over that hash is placed in the PDI.
Meta Header Authentication
For a Versal adaptive SoC, Bootgen authenticates the meta header based on the parameters under the bif attribute "metaheader." A snippet of the usage is shown below.
metaheader
{
authentication = rsa,
pskfile = psk.pem,
sskfile = ssk.pem
}
PPK Hash for eFUSE
Bootgen generates the hash of the PPK; programming this hash into eFUSE is what makes the PPK trusted. This step is required only for authentication in eFUSE mode and can be skipped for Boot Header Authentication. The value written to efuseppksha.txt is the value to program into eFUSE for eFUSE-mode authentication.
BIF File Example
The following is a sample BIF file, generate_hash_ppk.bif.
generate_hash_ppk:
{
pskfile = primary0.pem
sskfile = secondary0.pem
image
{
name = pmc_ss, id = 0x1c000001
{ type=bootloader, authentication=rsa, file=plm.elf}
{ type=pmcdata, load=0xf2000000, file=pmc_cdo.bin}
}
}
Command
The command to generate PPK hash for eFUSE programming is:
bootgen -image generate_hash_ppk.bif -arch versal -w -o test.bin -efuseppkbits efuseppksha.txt
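The reason the eFUSE step matters is the check the device performs at boot: the PPK travels inside the PDI, so on its own it proves nothing; it is accepted only if its SHA-3 hash matches the value burned into eFUSE. The following added example (not Bootgen code and not from this document) models that check in stdlib Python. It assumes the 384-bit SHA-3 variant, assumes efuseppksha.txt holds the digest as hex text with arbitrary line breaks, and uses a constructed byte string in place of Bootgen's real PPK serialization, whose exact layout it does not reproduce.

```python
import hashlib
import hmac
import re

# Constructed stand-in for the PPK bytes that Bootgen places in the PDI.
# Bootgen's real PPK layout (modulus/exponent order, padding) is NOT
# reproduced; any byte string is enough to demonstrate the check itself.
CONSTRUCTED_PPK = b"constructed-ppk-modulus-bytes-" + bytes(range(64))

HASH_HEX_LEN = 96  # 384 bits = 48 bytes = 96 hex digits (assumed SHA3-384)


def ppk_hash(ppk: bytes) -> str:
    """SHA-3 digest of the PPK; SHA3-384 is assumed here."""
    return hashlib.sha3_384(ppk).hexdigest()


def parse_efuse_hash_file(text: str) -> str:
    """Parse a hash file in the assumed efuseppksha.txt style: the digest as
    hex, possibly split over several lines. Whitespace is ignored and the
    length is checked so a truncated or non-hex file is rejected loudly."""
    hex_digits = re.sub(r"\s+", "", text)
    if not re.fullmatch(r"[0-9a-fA-F]+", hex_digits):
        raise ValueError("hash file is not hexadecimal")
    if len(hex_digits) != HASH_HEX_LEN:
        raise ValueError(f"expected {HASH_HEX_LEN} hex digits, got {len(hex_digits)}")
    return hex_digits.lower()


def ppk_trusted(ppk: bytes, efuse_hash_hex: str) -> bool:
    """eFUSE-mode trust check: the PPK carried in the PDI is accepted only if
    its hash equals the programmed eFUSE value. Constant-time comparison so
    the check itself does not leak which prefix of the hash matched."""
    return hmac.compare_digest(ppk_hash(ppk), efuse_hash_hex.lower())


def demo() -> dict:
    # What "-efuseppkbits" would have produced for this (constructed) PPK,
    # written out as three lines the way a hash text file might be laid out.
    programmed = ppk_hash(CONSTRUCTED_PPK)
    constructed_file_text = "\n".join(programmed[i:i + 32] for i in range(0, HASH_HEX_LEN, 32))
    efuse_value = parse_efuse_hash_file(constructed_file_text)

    # A PDI whose PPK differs by even one bit must fail the check: this is
    # why swapping the key in the PDI does not help without eFUSE access.
    tampered = bytearray(CONSTRUCTED_PPK)
    tampered[0] ^= 0x01

    return {
        "genuine_ppk_accepted": ppk_trusted(CONSTRUCTED_PPK, efuse_value),
        "tampered_ppk_accepted": ppk_trusted(bytes(tampered), efuse_value),
        "hash_hex_length": len(efuse_value),
    }


if __name__ == "__main__":
    print(demo())
```

The same comparison is the reason Boot Header Authentication can skip the eFUSE programming step: in that mode the PPK is taken from the boot header itself rather than being checked against a hash anchored in hardware, so it offers no protection against a PDI that carries a different key.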
Cumulative Secure Boot Operations for Versal Adaptive SoC
Boot Type | Operation: Authentication | Operation: Decryption | Operation: Integrity (Checksum Verification) | Hardware Crypto Engines
---|---|---|---|---
Non-secure boot | No | No | No | None
Asymmetric Hardware Root-of-Trust (A-HWRoT) | Yes (required) | No | No | RSA/ECDSA with SHA3
Symmetric Hardware Root-of-Trust (S-HWRoT); forces decryption of the PDI with the eFUSE black key | No | Yes (required; the PLM and meta header must be encrypted with the eFUSE KEK) | No | AES-GCM
A-HWRoT + S-HWRoT | Yes (required) | Yes (required) | No | RSA/ECDSA with SHA3 and AES-GCM
Authentication + Decryption of PDI | Yes | Yes (key source can be either BBRAM or eFUSE) | No | RSA/ECDSA with SHA3 and AES-GCM
Decryption (uses a user-selected key; the key source can be of any type, such as BBRAM, BHDR or even eFUSE) | No | Yes | No | AES-GCM
Checksum Verification | No | No | Yes | SHA3