Verifying - 2021.2 English

Vitis Unified Software Platform Documentation: Embedded Software Development (UG1400)

Document ID
UG1400
ft:locale
English (United States)
Release Date
2021-12-15
Version
2021.2 English

In the device, the BootROM verifies the FSBL, and either the FSBL or U-Boot verifies the subsequent partitions using the Public key.

  1. Verify PPK: This step establishes the authenticity of primary key, which is used to authenticate secondary key.
    1. PPK is read from AC in boot image
    2. Generate PPK hash
    3. Hashed PPK is compared with the PPK hash retrieved from eFUSE
    4. If same, then primary key is trusted, else secure boot fail
  2. Verify secondary keys: This step establishes the authenticity of secondary key, which is used to authenticate the partitions.
    1. SPK is read from AC in boot image
    2. Generate SPK hashed
    3. Get the SPK hash, by verifying the SPK signature stored in AC, using PPK
    4. Compare hashes from step (b) and step (c)
    5. If same, then secondary key is trusted, else secure boot fail.
  3. Verify partitions: This step establishes the authenticity of partition which is being booted.
    1. Partition is read from the boot image.
    2. Generate hash of the partition.
    3. Get the partition hash, by verifying the Partition signature stored in AC, using SPK.
    4. Compare the hashes from step (b) and step (c)
    5. If same, then partition is trusted, else secure boot fail
Figure 1. Verification Flow Diagram

Bootgen can create a authentication certificate in two ways:

  • Supply the PSK and SSK. The SPK signature is calculated on-the-fly using these two inputs.
  • Supply the PPK and SSK and the SPK signature as inputs. This is used in cases where the PSK is not known.