Zynq-7000 SoC Authentication Certificate - 2022.1 English

Vitis Unified Software Platform Documentation: Embedded Software Development (UG1400)

Document ID
Release Date
2022.1 English

The Authentication Certificate is a structure that contains all the information related to the authentication of a partition. This structure has the public keys, all the signatures that BootROM/FSBL needs to verify. There is an Authentication Header in each Authentication Certificate, which gives information like the key sizes, algorithm used for signing, and so forth. The Authentication Certificate is appended to the actual partition, for which authentication is enabled. If authentication is enabled for any of the partitions, the header tables also needs authentication. Header Table Authentication Certificate is appended at end of the header tables content.

The Zynq®-7000 SoC uses an RSA-2048 authentication with a SHA-256 hashing algorithm, which means the primary and secondary key sizes are 2048-bit. Because SHA-256 is used as the secure hash algorithm, the FSBL, partition, and authentication certificates must be padded to a 512-bit boundary.

The format of the Authentication Certificate in a Zynq®-7000 SoC is as shown in the following table.

Table 1. Zynq-7000 SoC Authentication Certificate
Authentication Certificate Bits Description
0x00 Authentication Header = 0x0101000. See Zynq-7000 SoC Authentication Certificate Header.
0x04 Certificate size
0x08 UDF (56 bytes)
0x40 PPK Mod (256 bytes)
0x140 Mod Ext (256 bytes)
0x240 Exponent
0x244 Pad (60 bytes)
0x280 SPK Mod (256 bytes)
0x380 Mod Ext (256 bytes)
0x480 Exponent (4 bytes)
0x484 Pad (60 bytes)
0x4C0 SPK Signature = RSA-2048 (PSK, Padding || SHA-256 (SPK))
0x5C0 FSBL Partition Signature = RSA-2048 (SSK, SHA256 (Boot Header || FSBL partition))
0x5C0 Other Partition Signature = RSA-2048 (SSK, SHA-256 (Partition || Padding || Authentication Header || PPK || SPK || SPK Signature))