Creating a Boot Image Using HSM Mode: PSK is not Shared - 2021.1 English

Bootgen User Guide (UG1283)

Document ID
UG1283
Release Date
2021-06-16
Version
2021.1 English

The following figure shows a Stage 0 to Stage 2 Boot stack that uses the HSM mode. It reduces the number of steps by distributing the SSK.

This figure uses the Zynq® UltraScale+™ MPSoC device to illustrate the stages.

Figure 1. Generic 3-stage boot image

Boot Process

Creating a boot image using HSM mode is similar to creating a boot image using a standard flow with following BIF file.

all:
{
	[auth_params] ppk_select=1;spk_id=0x8
	[keysrc_encryption]bbram_red_key
	[pskfile]primary.pem
	[sskfile]secondary.pem
	[
	 bootloader,
	 encryption=aes,
 	aeskeyfile=aes.nky,
	 authentication=rsa
	]fsbl.elf
	[destination_cpu=a53-0,authentication=rsa]hello_a53_0_64.elf
}

Stage 0: Create a boot image using HSM Mode

A trusted individual creates the SPK signature using the Primary Secret Key. The SPK Signature is on the Authentication Certificate Header, SPK, and SPK ID. To generate a hash for the above, use the following BIF file snippet.

stage 0:
{
	[auth_params] ppk_select=1;spk_id=0x3
	[spkfile]keys/secondary.pub
}

The following is the Bootgen command:

bootgen -arch zynqmp -image stage0.bif -generate_hashes

The output of this command is: secondary.pub.sha384.

Stage 1: Distribute the SPK Signature

The trusted individual distributes the SPK Signature to the development teams.

openssl rsautl -raw -sign -inkey keys/primary0.pem -in secondary.pub.sha384 > secondary.pub.sha384.sig 

The output of this command is: secondary.pub.sha384.sig

Stage 2: Encrypt using AES in FSBL

The development teams use Bootgen to create as many boot images as needed. The development teams use:

  • The SPK Signature from the Trusted Individual.
  • The Secondary Secret Key (SSK), SPK, and SPKID
Stage2:
{
	[keysrc_encryption]bbram_red_key 
	[auth_params] ppk_select=1;spk_id=0x3
	[ppkfile]keys/primary.pub
	[sskfile]keys/secondary0.pem
	[spksignature]secondary.pub.sha384.sig 
	[bootloader,destination_cpu=a53-0, encryption=aes, aeskeyfile=aes0.nky, authentication=rsa] fsbl.elf 
	[destination_cpu=a53-0, authentication=rsa] hello_a53_0_64.elf 
}
The Bootgen command is:
bootgen -arch zynqmp -image stage2.bif -o final.bin