Creating a Zynq-7000 SoC Device Boot Image using HSM Mode - 2022.1 English

Vitis Unified Software Platform Documentation: Embedded Software Development (UG1400)

Document ID
UG1400
Release Date
2022-04-26
Version
2022.1 English

The following figure provides a diagram of an HSM mode boot image for a Zynq®-7000 SoC device. The steps to create this boot image are immediately after the diagram.

Figure 1. Stage 0 to 8 Boot Process

The process to create a boot image using HSM mode for a Zynq®-7000 SoC device is similar to that of a boot image created using a standard flow with the following BIF file. These examples, where needed, use the OpenSSL program to generate hash files.

all:
{
	[aeskeyfile]my_efuse.nky 
	[pskfile]primary.pem 
	[sskfile]secondary.pem
	[bootloader,encryption=aes,authentication=rsa] zynq_fsbl_0.elf
	[authentication=rsa]system.bit
}

Stage 0: Generate a hash for SPK

This stage generates the hash of the SPK key.

stage0:
{
	[ppkfile] primary.pub
	[spkfile] secondary.pub
}

The following is the Bootgen command.

bootgen -image stage0.bif –w -generate_hashes

Stage 1: Sign the SPK Hash

This stage creates the signatures by signing the SPK hash

xil_rsa_sign.exe -gensig -sk primary.pem -data secondary.pub.sha256 -out secondary.pub.sha256.sig
Or by using the following OpenSSL program.
#Swap the bytes in SPK hash
objcopy -I binary -O binary --reverse-bytes=256 secondary.pub.sha256

#Generate SPK signature using OpenSSL
openssl rsautl -raw -sign -inkey primary.pem -in secondary.pub.sha256 > secondary.pub.sha256.sig

#Swap the bytes in SPK signature
objcopy -I binary -O binary --reverse-bytes=256 secondary.pub.sha256.sig

Stage 2: Encrypt using AES

This stage encrypts the partition. The stage2.bif is as follows.

stage2:
{
	[aeskeyfile] my_efuse.nky
	[bootloader, encryption=aes] zynq_fsbl_0.elf
}
The Bootgen command is as follows.
bootgen -image stage2.bif -w -o fsbl_e.bin -encrypt efuse
The output is the encrypted file fsbl_e.bin.

Stage 3: Generate Partition Hashes

This stage generates the hashes of different partitions.

Stage 3a: Generate the FSBL Hash

The BIF file is as follows:

stage3a:
{
	[ppkfile] primary.pub
	[spkfile] secondary.pub
	[spksignature] secondary.pub.sha256.sig
	[bootimage, authentication=rsa] fsbl_e.bin
}
The Bootgen command is as follows.
bootgen -image stage3a.bif -w -generate_hashes

The output is the hash file zynq_fsbl_0.elf.0.sha256.

Stage 3b: Generate the bitstream hash

The stage3b BIF file is as follows:

stage3b:
{
	[ppkfile] primary.pub
	[spkfile] secondary.pub
	[spksignature] secondary.pub.sha256.sig
	[authentication=rsa] system.bit
}
The Bootgen command is as follows.
bootgen -image stage3b.bif -w -generate_hashes
The output is the hash file system.bit.0.sha256.

Stage 4: Sign the Hashes

This stage creates signatures from the partition hash files created.

Stage 4a: Sign the FSBL partition hash
xil_rsa_sign.exe -gensig -sk secondary.pem -data zynq_fsbl_0.elf.0.sha256 -out zynq_fsbl_0.elf.0.sha256.sig
Or by using the following OpenSSL program.
#Swap the bytes in FSBL hash
objcopy -I binary -O binary --reverse-bytes=256 zynq_fsbl_0.elf.0.sha256

#Generate FSBL signature using OpenSSL
openssl rsautl -raw -sign -inkey secondary.pem -in zynq_fsbl_0.elf.0.sha256 > zynq_fsbl_0.elf.0.sha256.sig

#Swap the bytes in FSBL signature
objcopy -I binary -O binary --reverse-bytes=256 zynq_fsbl_0.elf.0.sha256.sig

The output is the signature file zynq_fsbl_0.elf.0.sha256.sig.

Stage 4b: Sign the bitstream hash
xil_rsa_sign.exe -gensig -sk secondary.pem -data system.bit.0.sha256 -out system.bit.0.sha256.sig
Or by using the following OpenSSL program.
#Swap the bytes in bitstream hash
objcopy -I binary -O binary --reverse-bytes=256 system.bit.0.sha256

#Generate bitstream signature using OpenSSL
openssl rsautl -raw -sign -inkey secondary.pem -in system.bit.0.sha256 > system.bit.0.sha256.sig

#Swap the bytes in bitstream signature
objcopy -I binary -O binary --reverse-bytes=256 system.bit.0.sha256.sig
The output is the signature file system.bit.0.sha256.sig.

Stage 5: Insert Partition Signatures

Insert partition signatures created above are changed into authentication certificates.

Stage 5a: Insert the FSBL signature

The stage5a.bif is as follows.

stage5a:
{
	[ppkfile] primary.pub
	[spkfile] secondary.pub
	[spksignature] secondary.pub.sha256.sig
	[bootimage, authentication=rsa, presign=zynq_fsbl_0.elf.0.sha256.sig] fsbl_e.bin
}
The Bootgen command is as follows.
bootgen -image stage5a.bif -w -o fsbl_e_ac.bin -efuseppkbits efuseppkbits.txt -nonbooting
The authenticated output files are fsbl_e_ac.bin and efuseppkbits.txt.
Stage 5b: Insert the bitstream signature
The stage5b.bif is as follows.
stage5b:
{
	[ppkfile] primary.pub
	[spkfile] secondary.pub
	[spksignature] secondary.pub.sha256.sig
	[authentication=rsa, presign=system.bit.0.sha256.sig] system.bit
}
The Bootgen command is as follows.
bootgen -image stage5b.bif -o system_e_ac.bin –nonbooting
The authenticated output file is system_e_ac.bin.

Stage 6: Generate Header Table Hash

This stage generates the hash for the header tables.

The stage6.bif is as follows.
stage6:
{
	[bootimage] fsbl_e_ac.bin
	[bootimage] system_e_ac.bin
}
The Bootgen command is as follows.
bootgen -image stage6.bif -generate_hashes
The output hash file is ImageHeaderTable.sha256.

Stage 7: Generate Header Table Signature

This stage generates the header table signature.

xil_rsa_sign.exe -gensig -sk secondary.pem -data ImageHeaderTable.sha256 -out ImageHeaderTable.sha256.sig
Or by using the following OpenSSL program:
#Swap the bytes in header table hash
objcopy -I binary -O binary --reverse-bytes=256 ImageHeaderTable.sha256

#Generate header table signature using OpenSSL
openssl rsautl -raw -sign -inkey secondary.pem -in ImageHeaderTable.sha256 > ImageHeaderTable.sha256.sig

#Swap the bytes in header table signature
objcopy -I binary -O binary --reverse-bytes=256 ImageHeaderTable.sha256.sig
The output is the signature file ImageHeaderTable.sha256.sig.

Stage 8: Combine Partitions, Insert Header Table Signature

The stage8.bif is as follows:

stage8:
{
	[headersignature] ImageHeaderTable.sha256.sig
	[bootimage] fsbl_e_ac.bin
	[bootimage] system_e_ac.bin
}
The Bootgen command is as follows:
bootgen -image stage8.bif -w -o final.bin
The output is the boot image file final.bin.