The Authentication Certificate is a structure that contains all the information related to the authentication of a partition. This structure has the public keys, all the signatures that BootROM/FSBL needs to verify. There is an Authentication Header in each Authentication Certificate, which gives information like the key sizes, algorithm used for signing, and so forth. The Authentication Certificate is appended to the actual partition, for which authentication is enabled. If authentication is enabled for any of the partitions, the header tables also needs authentication. Header Table Authentication Certificate is appended at end of the header tables content.
The Zynq®-7000 SoC uses an RSA-2048 authentication with a SHA-256 hashing algorithm, which means the primary and secondary key sizes are 2048-bit. Because SHA-256 is used as the secure hash algorithm, the FSBL, partition, and authentication certificates must be padded to a 512-bit boundary.
The format of the Authentication Certificate in a Zynq®-7000 SoC is as shown in the following table.
|Authentication Certificate Bits||Description|
|0x00||Authentication Header = 0x0101000. See Zynq-7000 SoC Authentication Certificate Header.|
|0x08||UDF (56 bytes)|
|0x40||PPK||Mod (256 bytes)|
|0x140||Mod Ext (256 bytes)|
|0x244||Pad (60 bytes)|
|0x280||SPK||Mod (256 bytes)|
|0x380||Mod Ext (256 bytes)|
|0x480||Exponent (4 bytes)|
|0x484||Pad (60 bytes)|
|0x4C0||SPK Signature = RSA-2048 (PSK, Padding || SHA-256 (SPK))|
|0x5C0||FSBL Partition Signature = RSA-2048 (SSK, SHA256 (Boot Header || FSBL partition))|
|0x5C0||Other Partition Signature = RSA-2048 (SSK, SHA-256 (Partition || Padding || Authentication Header || PPK || SPK || SPK Signature))|