This features provides support for authentication and/or decryption of single
partition (non-bitstream) image created by Bootgen at U-Boot prompt.
Note: This
feature does not support images with multiple partitions.
U-Boot Command for Loading Secure Images
zynqmp secure <srcaddr> <len> [key_addr]
This command verifies secure images of $len bytes\ long at address $src. Optional key_addr can be specified if user key needs to be used for decryption.
Only Authentication Use Case
To use only authentication at U-Boot, create the authenticated image using bif as shown in the following example.
- Create a single partition image that is authenticated at U-Boot.Note: If you provide an elf file, it should not contain multiple loadable sections. If your elf file contains multiple loadable sections, you should convert the input to the .bin format and provide the .bin as input in bif. An example bif is as follows:
the_ROM_image: { [pskfile]rsa4096_private1.pem [sskfile]rsa4096_private2.pem [auth_params] ppk_select=1;spk_id=0x1 [authentication = rsa]Data.bin }
- When the image is generated, download the authenticated image to the DDR.
- Execute the U-Boot command to authenticate the secure image as shown in the
following
example.
ZynqMP> zynqmp secure 100000 2d000 Verified image at 0x102800
- U-Boot returns the start address of the actual partition after successful authentication. U-Boot prints an error code in the event of a failure. If RSA_EN eFUSE is programmed, then image authentication is mandatory. Boot header authentication is not supported when eFUSE RSA enabled.
Only Encryption Use Case
In case the image is only encrypted, there is no support for device key. When authentication is not enabled, only KUP key decryption is supported.