Creating a Boot Image Using HSM Mode: PSK is not Shared - 2021.2 English

Vitis Unified Software Platform Documentation: Embedded Software Development (UG1400)


The following figure shows a Stage 0 to Stage 2 Boot stack that uses the HSM mode. It reduces the number of steps by distributing the SSK.

This figure uses the Zynq® UltraScale+™ MPSoC device to illustrate the stages.

Figure 1. Generic 3-stage boot image

Boot Process

Creating a boot image using HSM mode is similar to creating a boot image using the standard flow with the following BIF file.

	[auth_params] ppk_select=1;spk_id=0x8

Stage 0: Create a boot image using HSM Mode

A trusted individual creates the SPK signature using the Primary Secret Key. The SPK signature is computed over the Authentication Certificate Header, the SPK, and the SPK ID. To generate a hash of these, use the following BIF file snippet.

stage 0:
	[auth_params] ppk_select=1;spk_id=0x3

The following is the Bootgen command:

bootgen -arch zynqmp -image stage0.bif -generate_hashes

The output of this command is:

Stage 1: Distribute the SPK Signature

The trusted individual distributes the SPK Signature to the development teams.

openssl rsautl -raw -sign -inkey keys/primary0.pem -in > 

The output of this command is:

Stage 2: Encrypt using AES in FSBL

The development teams use Bootgen to create as many boot images as needed. The development teams use:

  • The SPK Signature from the Trusted Individual.
  • The Secondary Secret Key (SSK), SPK, and SPK ID.

	[auth_params] ppk_select=1;spk_id=0x3
	[bootloader,destination_cpu=a53-0, encryption=aes, aeskeyfile=aes0.nky, authentication=rsa] fsbl.elf
	[destination_cpu=a53-0, authentication=rsa] hello_a53_0_64.elf

The Bootgen command is:

bootgen -arch zynqmp -image stage2.bif -o final.bin
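
A check the development teams can run on the SPK signature received in Stage 1 before building images in Stage 2, given here as an added example that is not part of the Xilinx documentation: it undoes the raw RSA operation with the PPK public key and compares the result with the hash file that was sent for signing. The function names, the file names, the 2048-bit demo key and the demo block contents are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from UG1400). Requires the openssl command-line tool.

# verify_spk_sig PPK_PUB HASHFILE SIGFILE
# Returns 0 only if SIGFILE, opened with the PPK public key, equals HASHFILE.
# No secret key is needed on the development machine.
verify_spk_sig() {
    rec=$(mktemp) || return 2
    # Raw public-key operation: recovers the exact block that was signed.
    if openssl rsautl -verify -raw -pubin -inkey "$1" -in "$3" -out "$rec" 2>/dev/null \
       && cmp -s "$rec" "$2"; then rc=0; else rc=1; fi
    rm -f "$rec"
    return $rc
}

# demo_block TEXT: constructed 256-byte stand-in for a padded hash file:
# 00 01 FF..FF 00 || 48-byte digest. With -raw, openssl adds no padding, so the
# input must be exactly as long as the RSA modulus (256 bytes for the demo key).
demo_block() {
    printf '\000\001'
    head -c 205 /dev/zero | tr '\000' '\377'
    printf '\000'
    printf '%s' "$1" | openssl dgst -sha384 -binary
}

# make_demo DIR: constructed key pair, two hash blocks and their signatures.
make_demo() {
    d=$1
    openssl genrsa -out "$d/psk.pem" 2048 2>/dev/null      # demo key for speed
    openssl rsa -in "$d/psk.pem" -pubout -out "$d/ppk.pub" 2>/dev/null
    demo_block 'constructed SPK material' > "$d/spk.hash"
    demo_block 'a different key'          > "$d/other.hash"
    # Same signing form as the Stage 1 command on this page.
    openssl rsautl -raw -sign -inkey "$d/psk.pem" -in "$d/spk.hash" \
        > "$d/spk.sig" 2>/dev/null
    openssl rsautl -raw -sign -inkey "$d/psk.pem" -in "$d/other.hash" \
        > "$d/other.sig" 2>/dev/null
}
```

In a real flow, call `verify_spk_sig` with the PPK in PEM public-key form, the hash file produced by `-generate_hashes`, and the signature file returned by the trusted individual; a non-zero status means the signature does not belong to the SPK that was submitted.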