The previous sections enabled the various security features (authentication, confidentiality, DPA protections, and black key storage) by hand editing the BIF file. This section performs the same operations, but uses the Bootgen Wizard as a starting point. The Bootgen Wizard creates a base BIF file; the additional security features that the wizard does not support are then added with a text editor.
Change directory to the bootgen_files directory.

cd C:\edt\secure_boot_sd\bootgen_files

Copy the following files from the previous example to this example.

cp ../keys/*nky .
cp ../keys/*pem .
cp ../keys/black_iv.txt .
cp ../keys/helperdata.txt .
cp ../keys/*.elf .
cp ../keys/edt_zcu102_wrapper.bit .
cp ../keys/image.ub .
cp ../keys/black_key.txt .

Click Programs → Xilinx Design Tools → Vitis <version number> → Vitis 2024.2 to launch the Vitis IDE.
Click Vitis → Create Boot Image from the menu bar to launch the Create Boot Image wizard.
Select Zynq UltraScale+ as the Architecture.
Enter the Output BIF file path as C:\edt\secure_boot_sd\bootgen_files\design_bh_bkey_keyrolling.bif.
Select BIN as the output format.
Enter the output path C:\edt\secure_boot_sd\bootgen_files\BOOT.bin.
Enable authentication.
Check the Use Authentication check box.
Browse to select the psk0.pem file for the PSK File and the ssk0.pem for the SSK File.
Ensure PPK select is 0.
Enter SPK ID as 0.
Check the Use BH Auth check box.
Enable encryption.
Check the Use Encryption check box.
Provide the part name as zcu9eg.
Check the Operational Key check box.
Add the FSBL binary to the boot image.
Click the Add button.
Use the browse button to select the fsbl.elf file.
Make sure the partition type is bootloader and the destination CPU is a53-0.
Change the authentication to RSA.
Change the encryption to AES.
Browse to the fsbl_a53.nky file that was generated earlier and add the key file.
Click OK.
Add the PMU firmware binary to the boot image.
Click the Add button.
Use the browse button to select the pmufw.elf file.
Make sure the partition type is datafile.
Change the destination CPU to PMU.
Change the authentication to RSA.
Change the encryption to AES.
Add the pmufw.nky file as the key file.
Click OK.
Add the PL bitstream to the boot image.
Click the Add button.
Use the browse button to select the edt_zcu102_wrapper.bit file.
Make sure the partition type is datafile.
Make sure the destination device is PL.
Change the authentication to RSA.
Change the encryption to AES.
Add the edt_zcu102_wrapper.nky file as the key file.
Click OK.
Add the Trusted Firmware-A (TF-A) binary to the image.
Click the Add button.
Use the browse button to select the bl31.elf file.
Make sure the partition type is datafile.
Make sure the destination CPU is A53 0.
Change the authentication to RSA.
Make sure the encryption is none.
Make sure the exception level is EL3 and click Enable TrustZone.
Click OK.
Add the R5 software binary to the boot image.
Click the Add button.
Use the browse button to select the tmr_psled_r5.elf file.
Make sure the partition type is datafile.
Make sure the destination CPU is R5 0.
Change the authentication to RSA.
Change the encryption to AES.
Add the tmr_psled_r5.nky file as the key file.
Click OK.
Add the U-Boot software binary to the boot image.
Click the Add button.
Use the browse button to select the u-boot.elf file.
Make sure the partition type is datafile.
Make sure the destination CPU is A53 0.
Change the authentication to RSA.
Make sure that encryption is none.
Change the exception level to EL2.
Click OK.
Add the Linux image to the boot image.
Click the Add button.
Use the browse button to select the image.ub file.
Make sure the partition type is datafile.
Make sure the destination CPU is A53 0.
Change the authentication to RSA.
Make sure that the encryption is none.
Update the load field to 0x2000000.
Click OK.
Click Create image.
The design_bh_bkey_keyrolling.bif file should look similar to the following:

//arch = zynqmp; split = false; format = BIN; key_part_name = zcu9eg
the_ROM_image:
{
 [pskfile]C:\edt\secure_boot_sd\bootgen_files\psk0.pem
 [sskfile]C:\edt\secure_boot_sd\bootgen_files\ssk0.pem
 [auth_params]spk_id = 0; ppk_select = 0
 [keysrc_encryption]efuse_red_key
 [fsbl_config]bh_auth_enable, opt_key
 [bootloader, encryption = aes, authentication = rsa, aeskeyfile = C:\edt\secure_boot_sd\bootgen_files\fsbl_a53.nky]C:\edt\secure_boot_sd\bootgen_files\fsbl_a53.elf
 [encryption = aes, authentication = rsa, aeskeyfile = C:\edt\secure_boot_sd\bootgen_files\pmufw.nky, destination_cpu = pmu]C:\edt\secure_boot_sd\bootgen_files\pmufw.elf
 [encryption = aes, authentication = rsa, aeskeyfile = C:\edt\secure_boot_sd\bootgen_files\edt_zcu102_wrapper.nky, destination_device = pl]C:\edt\secure_boot_sd\bootgen_files\edt_zcu102_wrapper.bit
 [authentication = rsa, destination_cpu = a53-0, exception_level = el-3, trustzone]C:\edt\secure_boot_sd\bootgen_files\bl31.elf
 [encryption = aes, authentication = rsa, aeskeyfile = C:\edt\secure_boot_sd\bootgen_files\tmr_psled_r5.nky, destination_cpu = r5-0]C:\edt\secure_boot_sd\bootgen_files\tmr_psled_r5.elf
 [authentication = rsa, destination_cpu = a53-0, exception_level = el-2]C:\edt\secure_boot_sd\bootgen_files\u-boot.elf
 [authentication = rsa, load = 0x2000000, destination_cpu = a53-0]C:\edt\secure_boot_sd\bootgen_files\image.ub
}

Note: This BIF file is still missing several security features that are not supported by the Create Boot Image wizard. These features are key rolling and black key store.
Add black key store by changing the keysrc_encryption attribute and adding the additional items so that the BIF file looks like the following:

the_ROM_image:
{
 [pskfile]C:\edt\secure_boot_sd\bootgen_files\psk0.pem
 [sskfile]C:\edt\secure_boot_sd\bootgen_files\ssk0.pem
 [auth_params]spk_id = 0; ppk_select = 0
 [keysrc_encryption]bh_blk_key
 [bh_key_iv]black_iv.txt
 [bh_keyfile]black_key.txt
 [puf_file]helperdata.txt
 [fsbl_config]a53_x64, bh_auth_enable, opt_key, puf4kmode, shutter=0x0100005E, pufhd_bh
 [bootloader, encryption = aes, authentication = rsa, aeskeyfile = C:\edt\secure_boot_sd\bootgen_files\fsbl_a53.nky]C:\edt\secure_boot_sd\bootgen_files\fsbl_a53.elf
 [encryption = aes, authentication = rsa, aeskeyfile = C:\edt\secure_boot_sd\bootgen_files\pmufw.nky, destination_cpu = pmu]C:\edt\secure_boot_sd\bootgen_files\pmufw.elf
 [encryption = aes, authentication = rsa, aeskeyfile = C:\edt\secure_boot_sd\bootgen_files\edt_zcu102_wrapper.nky, destination_device = pl]C:\edt\secure_boot_sd\bootgen_files\edt_zcu102_wrapper.bit
 [authentication = rsa, destination_cpu = a53-0, exception_level = el-3, trustzone]C:\edt\secure_boot_sd\bootgen_files\bl31.elf
 [encryption = aes, authentication = rsa, aeskeyfile = C:\edt\secure_boot_sd\bootgen_files\tmr_psled_r5.nky, destination_cpu = r5-0]C:\edt\secure_boot_sd\bootgen_files\tmr_psled_r5.elf
 [authentication = rsa, destination_cpu = a53-0, exception_level = el-2]C:\edt\secure_boot_sd\bootgen_files\u-boot.elf
 [authentication = rsa, load = 0x2000000, destination_cpu = a53-0]C:\edt\secure_boot_sd\bootgen_files\image.ub
}

Enable key rolling by adding the block attributes to the encrypted partitions. The updated BIF file should now look like the following:

//arch = zynqmp; split = false; format = BIN; key_part_name = zcu9eg
the_ROM_image:
{
 [pskfile]C:\edt\secure_boot_sd\bootgen_files\psk0.pem
 [sskfile]C:\edt\secure_boot_sd\bootgen_files\ssk0.pem
 [auth_params]spk_id = 0; ppk_select = 0
 [keysrc_encryption]bh_blk_key
 [bh_key_iv]black_iv.txt
 [bh_keyfile]black_key.txt
 [puf_file]helperdata.txt
 [fsbl_config]a53_x64, bh_auth_enable, opt_key, puf4kmode, shutter=0x0100005E, pufhd_bh
 [bootloader, encryption = aes, authentication = rsa, aeskeyfile = C:\edt\secure_boot_sd\bootgen_files\fsbl_a53.nky, blocks = 1728(*)]C:\edt\secure_boot_sd\bootgen_files\fsbl_a53.elf
 [encryption = aes, authentication = rsa, aeskeyfile = C:\edt\secure_boot_sd\bootgen_files\pmufw.nky, destination_cpu = pmu, blocks = 1728(*)]C:\edt\secure_boot_sd\bootgen_files\pmufw.elf
 [encryption = aes, authentication = rsa, aeskeyfile = C:\edt\secure_boot_sd\bootgen_files\edt_zcu102_wrapper.nky, destination_device = pl, blocks = 1728(*)]C:\edt\secure_boot_sd\bootgen_files\edt_zcu102_wrapper.bit
 [authentication = rsa, destination_cpu = a53-0, exception_level = el-3, trustzone]C:\edt\secure_boot_sd\bootgen_files\bl31.elf
 [encryption = aes, authentication = rsa, aeskeyfile = C:\edt\secure_boot_sd\bootgen_files\tmr_psled_r5.nky, destination_cpu = r5-0, blocks = 1728(*)]C:\edt\secure_boot_sd\bootgen_files\tmr_psled_r5.elf
 [authentication = rsa, destination_cpu = a53-0, exception_level = el-2]C:\edt\secure_boot_sd\bootgen_files\u-boot.elf
 [authentication = rsa, load = 0x2000000, destination_cpu = a53-0]C:\edt\secure_boot_sd\bootgen_files\image.ub
}

Generate the boot image by running the following command. Note that the -encryption_dump flag has been added. This flag causes the log file aes_log.txt to be created. The log file details all encryption operations that were used. This allows you to see which keys and IVs were used on which sections of the boot image.

bootgen -p zcu9eg -arch zynqmp -image design_bh_bkey_keyrolling.bif -w -o BOOT.bin -encryption_dump
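
Before running bootgen, the hand-edited BIF can be checked against the settings this section applies: RSA authentication on every partition, the black key store items, and a blocks attribute on each encrypted partition. The following Python is an added example, not part of the original tutorial or of bootgen; the names parse_bif, check_bif, GLOBAL_KEYS and SAMPLE_BIF are assumptions made for it, and it mirrors the page's settings rather than bootgen's own validation.

```python
import re

# Global attributes that appear in this section's BIF files.
GLOBAL_KEYS = {"pskfile", "sskfile", "auth_params", "keysrc_encryption",
               "fsbl_config", "bh_key_iv", "bh_keyfile", "puf_file"}
ENTRY = re.compile(r"\[([^\]]*)\]([^\[}]*)")  # [attributes]value

# Constructed sample: shortened wizard-stage BIF (relative paths, two partitions).
SAMPLE_BIF = r"""
the_ROM_image:
{
  [pskfile]psk0.pem
  [auth_params]spk_id = 0; ppk_select = 0
  [keysrc_encryption]efuse_red_key
  [fsbl_config]bh_auth_enable, opt_key
  [bootloader, encryption = aes, authentication = rsa, aeskeyfile = fsbl_a53.nky]fsbl_a53.elf
  [authentication = rsa, destination_cpu = a53-0, exception_level = el-2]u-boot.elf
}
"""

def parse_bif(text):
    """Split the BIF body into global attributes and (file, options) partitions."""
    body = text[text.index("{") + 1:text.rindex("}")]
    globals_, partitions = {}, []
    for attrs, value in ENTRY.findall(body):
        if attrs.strip() in GLOBAL_KEYS:
            globals_[attrs.strip()] = value.strip()
            continue
        pairs = (field.partition("=") for field in attrs.split(","))
        partitions.append((value.strip(), {k.strip(): v.strip() for k, _, v in pairs}))
    return globals_, partitions

def check_bif(text):
    """Return findings against this section's settings; an empty list means none."""
    globals_, partitions = parse_bif(text)
    findings = [f"missing [{k}]" for k in ("bh_key_iv", "bh_keyfile", "puf_file")
                if k not in globals_]
    if globals_.get("keysrc_encryption") != "bh_blk_key":
        findings.append("keysrc_encryption is not bh_blk_key")
    for path, opts in partitions:
        name = path.replace("\\", "/").rsplit("/", 1)[-1]  # file name only
        if opts.get("authentication") != "rsa":
            findings.append(f"{name}: not RSA authenticated")
        if opts.get("encryption") == "aes":  # key file and key rolling expected
            findings += [f"{name}: encrypted without {k}" for k in ("aeskeyfile", "blocks") if k not in opts]
    return findings

if __name__ == "__main__":
    print("\n".join(check_bif(SAMPLE_BIF)))
```

Reading design_bh_bkey_keyrolling.bif from disk and passing its text to check_bif applies the same checks to the real file.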