Versal Authentication Support - 2021.2 English

Bootgen User Guide (UG1283)

Document ID
UG1283
Release Date
2021-10-22
Version
2021.2 English

Bootgen supports RSA-4096 and ECDSA P384 and P521 curves for Versal ACAP authentication. NIST SHA-3 is used to calculate hash on all partitions/headers. The signature calculated on the hash is placed in the PDI.

Note: Unlike Zynq devices and Zynq UltraScale+ MPSoC, for Versal ACAPs, the authentication certificate is placed prior to the partition. The ECDSA P521 curve is not supported for authentication of the bootloader partition (PLM) because the BootROM only supports RSA-4096 or ECDSA-P384 authentication. P521 can, however, be used to authenticate any other partition.

Meta Header Authentication

For a Versal ACAP, Bootgen authenticates the meta header based on the parameters under the bif attribute "metaheader". A snippet of the usage is shown below.

metaheader
{
	authentication = rsa,
	pskfile = psk.pem,
	sskfile = ssk.pem
}

PPK Hash for eFUSE

Bootgen generates the PPK hash for storing in eFUSE for PPK to be trusted. This step is required only for authentication with eFUSE mode, and can be skipped for Boot Header Authentication. The value from efuseppksha.txt can be programmed to eFUSE for authentication with the eFUSE mode.

BIF File Example

The following is a sample BIF file, generate_hash_ppk.bif.

generate_hash_ppk:
{
    pskfile = primary0.pem
    sskfile = secondary0.pem
    image
    {
        name = pmc_ss, id = 0x1c000001
        { type=bootloader, authentication=rsa, file=plm.elf}
        { type=pmcdata, load=0xf2000000, file=pmc_cdo.bin}
    }
}

Command

The command to generate PPK hash for eFUSE programming is:

bootgen –image generate_hash_ppk.bif –arch versal –w –o test.bin –efuseppkbits efuseppksha.txt

Cumulative Secure Boot Operations for Versal ACAP

Table 1. Cumulative Secure Boot Operations
Boot Type Operations Hardware Crypto Engines
Authentication Decryption Integrity (Checksum Verification)
Non-secure boot No No No None
Asymmetric Hardware Root-of-Trust (A-HWRoT) Yes (Required) No No RSA/ECDSA along with SHA3
Symmetric Hardware Root-of-Trust (S-HWRoT) (Forces decryption of PDI with eFUSE black key) No Yes (Required PLM and Meta Header should be encrypted with eFUSE KEK) No AES-GCM
A-HWRoT + S-HWRoT Yes (Required) Yes (Required) No RSA/ECDSA along with SHA3 and AES-GCM
Authentication + Decryption of PDI Yes Yes (Key source can be either from BBRAM or eFUSE) No RSA/ECDSA along with SHA3 and AES-GCM
Decryption (Uses user-selected key. The key source can be of any type such as BBRAM/BHDR or even eFUSE) No Yes No AES-GCM
Checksum Verification No No Yes SHA3