The PUF registration software is included in the XILSKEY library. The PUF registration software operates in a boot header mode or eFUSE mode. The boot header mode allows development without programming the OTP eFUSEs. The eFUSE mode is used in production. This lab runs through PUF registration in boot header mode only. For PUF registration using eFUSE, see Programming BBRAM and eFUSEs (XAPP1319).
The PUF registration software accepts a red (unencrypted) key as input, and produces syndrome data (helper data), which also contains CHASH and AUX, and a black (encrypted) key. When the PUF boot header mode is used, the output is put in the boot header. When the PUF eFUSE mode is used, the output is programmed into eFUSEs.
In the Vitis IDE, navigate to tmr_psled_r5 Board Support Package Settings.
Ensure that the xilskey and the xilsecure libraries are enabled.
Click OK. Rebuild the hardware platform for changes to apply. Navigate to tmr_psled_r5_bsp settings.
Scroll to the Libraries section. Click xilskey 6.8 Import Examples.
In the view, select xilskey_puf_registration example. Click OK.
In the Project Explorer view, verify that the xilskey_puf_example_1 application is created.
In the Project Explorer view, xilskey_puf_example_1 ‘Src’, double-click xilskey_puf_registration.h to open it in the Vitis IDE.
Edit xilskey_puf_registration.h as follows:
Change
#define XSK_PUF_INFO_ON_UARTfromFALSEtoTRUE.Ensure that
#define XSK_PUF_PROGRAM_EFUSEis set toFALSE.Set
XSK_PUF_AES_KEY(256-bit key).The key must be entered in hex format and should be Key 0 from the
fsbl_a53.nkyfile that you generated in Generating All of the AES Keys. You can find a sample key below:#define XSK_PUF_AES_KEY "68D58595279ED1481C674383583C1D98DA816202A57E7FE4F67859CB069CD510"
Note
Do not copy this key. Refer to the fsbl_a53.nky file for your key.
Set the
XSK_PUF_BLACK_KEY_IV. The initialization vector IV is a 12-byte piece of data of your choice.#define XSK_PUF_BLACK_KEY_IV \"E1757A6E6DD1CC9F733BED31\"
Save the file and exit.
In the Project Explorer view, right-click the xilskey_puf_example_1 project and select Build Project.
In the Vitis IDE, select Vitis → Create Boot Image.
Select Zynq Ultrascale+ in the Architecture view.
Specify the BIF path in the Output BIF file path view as
C:\edt\secureboot_sd\puf_registration\puf_registration.bif.Specify the output path in the Output Path view as
C:\edt\secureboot_sd\puf_registration\BOOT.bin.In the Boot Image Partitions pane, click Add. Add the partitions and set the destination CPU of the xilskey_puf_example_1 application to R5-0:
C:\edt\fsbl_a53\Debug\fsbl_a53.elf C:\edt\xilskey_puf_example_1\Debug\xilskey_puf_example_1.elf
Click Create Image to create the boot image for PUF registration.
Insert an SD card into the PC SD card slot.
Copy
C:\edt\secureboot_sd\puf_registration\BOOT.binto the SD card.Move the SD card from the PC SD card slot to the ZCU102 card slot.
Start a terminal session using Tera Term or Minicom depending on the host machine being used, as well as the COM port and baud rate for your system.
In the communication terminal menu bar, select File → Log. Enter
C:\edt\secureboot_sd\puf_registration\puf_registration.login the view.Power cycle the board.
After the puf_registration software has run, exit the communication terminal.
The
puf_registration.logfile is used in Using PUF in Boot Header Mode. Openpuf_registration.login a text editor.Save the PUF Syndrome data that starts after
App PUF Syndrome data Start!!!and ends atPUF Syndrome data End!!!, non-inclusive, to a file namedhelperdata.txt.Save the black key IV identified by
App: Black Key IVto a file namedblack_iv.txt.Save the black key to a file named
black_key.txt.The files
helperdata.txt,black_key.txt, andblack_iv.txtcan be saved inC:\edt\secure_boot_sd\keys.