The following steps are required only for RSA authentication in eFUSE mode, and can be skipped for RSA authentication in boot header mode. The 384 bits from sha3.txt can be programmed to eFUSE for RSA authentication in eFUSE mode. For more information, see Programming BBRAM and eFUSEs (XAPP1319).
Perform the steps from the prior section.
Now that the PEM files have been defined, add
authentication = rsaattributes as shown below tokey_generation.bif.the_ROM_image: { [pskfile]psk0.pem [sskfile]ssk0.pem [auth_params]spk_id = 0; ppk_select = 0 [fsbl_config]a53_x64 [bootloader, authentication = rsa]fsbl_a53.elf [destination_cpu = pmu,authentication = rsa]pmufw.elf [destination_device = pl, authentication = rsa]edt_zcu102_wrapper.bit [destination_cpu = a53-0, exception_level = el-3, trustzone,authentication = rsa]bl31.elf [destination_cpu = r5-0, authentication = rsa]tmr_psled_r5.elf [destination_cpu = a53-0, exception_level = el-2, authentication = rsa]u-boot.elf [load = 0x1000000, destination_cpu = a53-0, authentication = rsa]image.ub }
Use the
bootgencommand to calculate the hash of the PPK:bootgen -p zcu9eg -arch zynqmp -efuseppkbits ppk0_digest.txt -image key_generation.bif
Verify that the file
ppk0_digest.txtis generated at the location specified (c:\edt\secure_boot_sd\keys).