Generating a Secure Boot Image and Booting the Secured ZCU102 Device

Key Revocation Lab (XAPP1344)

Document ID: XAPP1344
Release Date: 2022-03-14
Revision: v1.1 English

A new boot image (BI) that uses the PEM key files must be generated to boot the lab application on the secured ZCU102 device.

  1. Create a new BIF file named secured.bif with the following content:
    //arch = zynqmp; split = false; format = BIN
    the_ROM_image:
    {
     [pskfile]C:\Xilinx\enhanced_key_revocation_lab_files\psk0.pem
     [sskfile]C:\Xilinx\enhanced_key_revocation_lab_files\ssk0.pem
     [auth_params]spk_id = 0x00000000; ppk_select = 0; spk_select = spk-efuse
     [bootloader, destination_cpu=a53-0, authentication = rsa] C:\Xilinx\Key_Revocation_Lab\Key_Revocation_Platform\export\Key_Revocation_Platform\sw\Key_Revocation_Platform\boot\fsbl.elf 
     [authentication = rsa, destination_cpu=a53-0, exception_level=el-3] C:\Xilinx\Key_Revocation_Lab\key_revocation_lab\Debug\key_revocation_lab.elf
    }
    
  2. Generate a secured BOOT.BIN using the following bootgen command:
    bootgen -image secured.bif -r -o BOOT.bin -arch zynqmp -w on
    Note: Refer to the Bootgen User Guide (UG1283) for detailed information.
  3. Copy the new BOOT.BIN to the SD card.
  4. Power on the board.
    Note: In the serial terminal output, the lab application UI appears, which indicates that with the new BI, the FSBL and lab application have loaded successfully, as shown in the following figure.
    Figure 1. Secure Boot Display
    Note: In the main menu there is a line of text that says “This device has been booted securely!” confirming secured boot of the ZCU102 device.
    Note: If a device is securely booted, the option "f = force RSA always authentication" does not appear in the main menu.
    Note: In this example, the lab application uses the PPK0 eFUSE and the default SPK ID 0x00000000 (the SPK eFUSE has not been programmed with any value) to authenticate both the FSBL and the lab application.
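
The following is an added example, not part of XAPP1344 or the Bootgen tooling: a Python pre-flight check for the secured.bif from step 1 that confirms every partition carries authentication = rsa and that spk_id matches the value expected on the device before bootgen is run. The shortened sample paths, the function names, and the one-entry-per-line parsing are assumptions of this example.

```python
import re

# Constructed sample: the page's secured.bif with shortened, hypothetical paths.
SAMPLE_BIF = r"""//arch = zynqmp; split = false; format = BIN
the_ROM_image:
{
 [pskfile]C:\keys\psk0.pem
 [sskfile]C:\keys\ssk0.pem
 [auth_params]spk_id = 0x00000000; ppk_select = 0; spk_select = spk-efuse
 [bootloader, destination_cpu=a53-0, authentication = rsa] C:\lab\fsbl.elf
 [authentication = rsa, destination_cpu=a53-0, exception_level=el-3] C:\lab\app.elf
}"""

ENTRY = re.compile(r"^\s*\[([^\]]*)\]\s*(.*\S)\s*$")  # "[attributes] value"

def _kv(s, sep):
    """Split 'a = 1<sep> b' into {'a': '1', 'b': ''}."""
    return {k.strip(): v.strip() for k, _, v in (x.partition("=") for x in s.split(sep))}

def parse_bif(text):
    """Return (key files, auth_params, partitions); assumes one entry per line."""
    keys, params, parts = {}, {}, []
    for line in text.splitlines():
        m = ENTRY.match(line.split("//", 1)[0])  # ignore // comments
        if not m:
            continue
        attrs, value = m.group(1).strip(), m.group(2)
        if attrs in ("pskfile", "sskfile", "ppkfile", "spkfile"):
            keys[attrs] = value
        elif attrs == "auth_params":
            params = _kv(value, ";")
        else:  # anything else is a partition entry
            parts.append((value, _kv(attrs, ",")))
    return keys, params, parts

def check_bif(text, expected_spk_id=0):
    """List problems that would leave a partition unauthenticated or mis-keyed."""
    keys, params, parts = parse_bif(text)
    problems = [f"missing [{k}]" for k in ("pskfile", "sskfile") if k not in keys]
    spk = params.get("spk_id", "")
    if not re.fullmatch(r"0[xX][0-9a-fA-F]+", spk) or int(spk, 16) != expected_spk_id:
        problems.append("spk_id missing, not hex, or not the expected value")
    if params.get("ppk_select") not in ("0", "1"):
        problems.append("ppk_select must be 0 or 1")
    problems += [f"partition not RSA-authenticated: {p}"
                 for p, d in parts if d.get("authentication") != "rsa"]
    if not any("bootloader" in d for _, d in parts):
        problems.append("no bootloader partition")
    return problems
```

Calling check_bif on the contents of secured.bif returns an empty list when the file matches the configuration described in this lab; pass expected_spk_id when the SPK ID eFUSE has been programmed to a non-default value.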