Single Partition Image - 2021.2 English

Vitis Unified Software Platform Documentation: Embedded Software Development (UG1400)

Document ID
UG1400
Release Date
2021-12-15
Version
2021.2 English
This features provides support for authentication and/or decryption of single partition (non-bitstream) image created by Bootgen at U-Boot prompt.
Note: This feature does not support images with multiple partitions.

U-Boot Command for Loading Secure Images

zynqmp secure <srcaddr> <len> [key_addr] 

This command verifies secure images of $len bytes\ long at address $src. Optional key_addr can be specified if user key needs to be used for decryption.

Only Authentication Use Case

To use only authentication at U-Boot, create the authenticated image using bif as shown in the following example.

  1. Create a single partition image that is authenticated at U-Boot.
    Note: If you provide an elf file, it should not contain multiple loadable sections. If your elf file contains multiple loadable sections, you should convert the input to the .bin format and provide the .bin as input in bif. An example bif is as follows:
    the_ROM_image:
    {
    	[pskfile]rsa4096_private1.pem
    	[sskfile]rsa4096_private2.pem
    	[auth_params] ppk_select=1;spk_id=0x1
    	[authentication = rsa]Data.bin
    }
  2. When the image is generated, download the authenticated image to the DDR.
  3. Execute the U-Boot command to authenticate the secure image as shown in the following example.
    ZynqMP> zynqmp secure 100000 2d000
    Verified image at 0x102800
  4. U-Boot returns the start address of the actual partition after successful authentication. U-Boot prints an error code in the event of a failure. If RSA_EN eFUSE is programmed, image authentication is mandatory. Boot header authentication is not supported when eFUSE RSA enabled.

Only Encryption Use Case

In case the image is only encrypted, there is no support for device key. When authentication is not enabled, only KUP key decryption is supported.