NIST SHA-3 Support - 2024.1 English

Vitis Unified Software Platform Documentation: Embedded Software Development (UG1400)

Document ID
UG1400
Release Date
2024-05-30
Version
2024.1 English
Note: For SHA-3 Authentication, always use Keccak SHA-3 to calculate hash on boot header, PPK hash and boot image. NIST-SHA3 is used for all other partitions which are not loaded by ROM.

The generated signature uses the Keccak-SHA3 or NIST-SHA3 based on following table:

Table 1. Authentication Signatures
Which Authentication Certificate (AC)? Signature SHA Algorithm and SPK eFUSE Secret Key used for Signature Generation
Partitions header AC (loaded by FSBL/FW) SPK Signature If SPKID eFUSEs, then Keccak; If User eFUSE, then NIST PSK
BH Signature Always Keccak SSKheader
Header Signature Always Nist SSKheader
BootLoader (FSBL) AC (loaded by ROM) SPK Signature Always Keccak; Always SPKID eFUSE for SPK PSK
BH Signature Always Keccak SSKBootloader
FSBL Signature Always Keccak SSKBootloader
Other Partition AC (loaded by FSBL FW) SPK Signature If SPKID eFUSEs then Keccak; If User eFUSE then NIST PSK
BH Signature Always Keccak padding SSKPartition
Partition Signature Always NIST padding SSKPartition

Examples

Example 1: BIF file for authenticating the partition with single set of key files:

image:
{
	[fsbl_config] bh_auth_enable
	[auth_params] ppk_select=0; spk_id=0x00000000
	[pskfile] primary_4096.pem
	[sskfile] secondary_4096.pem
	[pmufw_image] pmufw.elf
	[bootloader, authentication=rsa, destination_cpu=a53-0] fsbl.elf
	[authenication=rsa, destination_cpu=r5-0] hello.elf
}

Example 2: BIF file for authenticating the partitions with separate secondary key for each partition:

image:
{
	[auth_params] ppk_select=1
	[pskfile] primary_4096.pem
	[sskfile] secondary_4096.pem
	
	// FSBL (Partition-0)
	[
	  bootloader,
	  destination_cpu = a53-0,
	  authentication = rsa,
	  spk_id = 0x01,
	  sskfile = secondary_p1.pem
	] fsbla53.elf

	// ATF (Partition-1)
	[
	  destination_cpu = a53-0,
	  authentication = rsa,
	  exception_level = el-3,
	  trustzone = secure,
	  spk_id = 0x02,
	  sskfile = secondary_p2.pem
	] bl31.elf
	
	// UBOOT (Partition-2)
	[
	  destination_cpu = a53-0, 
	  authentication = rsa,
	  exception_level = el-2,
	  spk_id = 0x03,
	  sskfile = secondary_p3.pem
	] u-boot.elf
}