The following figure shows a Stage 0 to Stage 2 Boot stack that uses the HSM mode. It reduces the number of steps by distributing the SSK.
This figure uses the AMD Zynq™ UltraScale+™ MPSoC to illustrate the stages.
Boot Process
Creating a boot image using HSM mode is similar to creating a boot image using a standard flow with following BIF file.
all:
{
[auth_params] ppk_select=1;spk_id=0x8
[keysrc_encryption]bbram_red_key
[pskfile]primary.pem
[sskfile]secondary.pem
[
bootloader,
encryption=aes,
aeskeyfile=aes.nky,
authentication=rsa
]fsbl.elf
[destination_cpu=a53-0,authentication=rsa]hello_a53_0_64.elf
}
Create a Boot Image using HSM Mode
Stage 0: Generate a Hash for SPK
A trusted individual creates the SPK signature using the Primary Secret Key. The SPK signature is on the Authentication Certificate Header, SPK, and SPK ID. To generate a hash for the above, use the following BIF file snippet.
stage 0:
{
[auth_params] ppk_select=1;spk_id=0x3
[spkfile]keys/secondary.pub
}
The following is the Bootgen command:
bootgen -arch zynqmp -image stage0.bif -generate_hashes
The output of this command is: secondary.pub.sha384.
Stage 1: Distribute the SPK Signature
The trusted individual distributes the SPK Signature to the development teams.
openssl rsautl -raw -sign -inkey keys/primary0.pem -in secondary.pub.sha384 > secondary.pub.sha384.sig
The output of this command is: secondary.pub.sha384.sig
Stage 2: Encrypt using AES in FSBL
The development teams use Bootgen to create as many boot images as needed. The development teams use:
- The SPK Signature from the trusted individual.
- The SSK, SPK, and SPKID
Stage2:
{
[keysrc_encryption]bbram_red_key
[auth_params] ppk_select=1;spk_id=0x3
[ppkfile]keys/primary.pub
[sskfile]keys/secondary0.pem
[spksignature]secondary.pub.sha384.sig
[bootloader,destination_cpu=a53-0, encryption=aes, aeskeyfile=aes0.nky, authentication=rsa] fsbl.elf
[destination_cpu=a53-0, authentication=rsa] hello_a53_0_64.elf
}
bootgen -arch zynqmp -image stage2.bif -o final.bin