ステージ 0: SPK ハッシュを生成
SSK1 のハッシュ値を生成:
command : bootgen -arch versal -image stage0-SSK1.bif -generate_hashes -w on -log error
stage0-SSK1:
{
spkfile = rsa-keys/SSK1.pub
}
SSK2 のハッシュ値を生成:
command : bootgen -arch versal -image stage0-SSK2.bif -generate_hashes -w on -log error
stage0-SSK2:
{
spkfile = rsa-keys/SSK2.pub
}
SSK3 のハッシュ値を生成:
command : bootgen -arch versal -image stage0-SSK3.bif -generate_hashes -w on -log error
stage0-SSK3:
{
spkfile = rsa-keys/SSK3.pub
}
ステージ 1: SPK ハッシュに署名
生成されたハッシュに署名:
openssl rsautl -raw -sign -inkey rsa-keys/PSK1.pem -in SSK1.pub.sha384 > SSK1.pub.sha384.sig
openssl rsautl -raw -sign -inkey rsa-keys/PSK2.pem -in SSK2.pub.sha384 > SSK2.pub.sha384.sig
openssl rsautl -raw -sign -inkey rsa-keys/PSK3.pem -in SSK3.pub.sha384 > SSK3.pub.sha384.sig
ステージ 2: 個々のパーティションを暗号化
パーティション 1 を暗号化:
command : bootgen -arch versal -image stage2a.bif -o pmc_subsys_e.bin -w on -log error
stage2a:
{
image
{
name = pmc_subsys, id = 0x1c000001
partition
{
id = 0x01, type = bootloader,
encryption=aes,
keysrc = bbram_red_key,
aeskeyfile = encr_keys/bbram_red_key.nky,
dpacm_enable,
file = images/gen_files/plm.elf
}
partition
{
id = 0x09, type = pmcdata,
load = 0xf2000000,
aeskeyfile = encr_keys/pmcdata.nky,
file = images/gen_files/pmc_data.cdo
}
}
}
パーティション 2 を暗号化:
command : bootgen -arch versal -image stage2b-1.bif -o lpd_lpd_data_e.bin -w on -log error
stage2b-1:
{
image
{
name = lpd, id = 0x4210002
partition
{
id = 0x0C, type = cdo,
encryption=aes, delay_auth,
keysrc = bbram_red_key,
aeskeyfile = encr_keys/key1.nky,
dpacm_enable,
file = images/gen_files/lpd_data.cdo
}
}
}
パーティション 3 を暗号化:
command : bootgen -arch versal -image stage2b-2.bif -o lpd_psm_fw_e.bin -w on -log error
stage2b-2:
{
image
{
name = lpd, id = 0x4210002
partition
{
id = 0x0B, core = psm,
encryption = aes, delay_auth,
keysrc = bbram_red_key,
aeskeyfile = encr_keys/key2.nky,
dpacm_enable,
file = images/static_files/psm_fw.elf
}
}
}
パーティション 4 を暗号化:
command : bootgen -arch versal -image stage2c.bif -o fpd_e.bin -w on -log error
stage2c:
{
image
{
name = fpd, id = 0x420c003
partition
{
id = 0x08, type = cdo,
encryption=aes, delay_auth,
keysrc = bbram_red_key,
aeskeyfile = encr_keys/key5.nky,
dpacm_enable,
file = images/gen_files/fpd_data.cdo
}
}
}
ステージ 3: ブート ヘッダー ハッシュを生成
command : bootgen -arch versal -image stage3.bif -generate_hashes -w on -log error
stage3:
{
image_config {bh_auth_enable}
image
{
name = pmc_subsys, id = 0x1c000001
{
type = bootimage,
authentication=rsa,
ppkfile = rsa-keys/PSK1.pub,
spkfile = rsa-keys/SSK1.pub,
spksignature = SSK1.pub.sha384.sig,
file = pmc_subsys_e.bin
}
}
}
ステージ 4: ブート ヘッダー ハッシュに署名
生成されたハッシュに署名:
openssl rsautl -raw -sign -inkey rsa-keys/SSK1.pem -in bootheader.sha384 > bootheader.sha384.sig
ステージ 5: パーティションのハッシュを生成
command : bootgen -arch versal -image stage5.bif -generate_hashes -w on -log error
stage5:
{
bhsignature = bootheader.sha384.sig
image
{
name = pmc_subsys, id = 0x1c000001
{
type = bootimage,
authentication=rsa,
ppkfile = rsa-keys/PSK1.pub,
spkfile = rsa-keys/SSK1.pub,
spksignature = SSK1.pub.sha384.sig,
file = pmc_subsys_e.bin
}
}
image
{
name = lpd, id = 0x4210002
partition
{
type = bootimage,
authentication = rsa,
ppkfile = rsa-keys/PSK3.pub,
spkfile = rsa-keys/SSK3.pub,
spksignature = SSK3.pub.sha384.sig,
file = lpd_lpd_data_e.bin
}
partition
{
type = bootimage,
authentication = rsa,
ppkfile = rsa-keys/PSK1.pub,
spkfile = rsa-keys/SSK1.pub,
spksignature = SSK1.pub.sha384.sig,
file = lpd_psm_fw_e.bin
}
}
image
{
id = 0x1c000000, name = fpd
{
type = bootimage,
authentication=rsa,
ppkfile = rsa-keys/PSK3.pub,
spkfile = rsa-keys/SSK3.pub,
spksignature = SSK3.pub.sha384.sig,
file = fpd_e.bin
}
}
image
{
id = 0x1c000033, name = ss
{
type = bootimage,
authentication = rsa,
ppkfile = rsa-keys/PSK2.pub,
spkfile = rsa-keys/SSK2.pub,
spksignature = SSK2.pub.sha384.sig,
file = subsystem_e.bin
}
}
}
ステージ 6: パーティション ハッシュに署名
openssl rsautl -raw -sign -inkey rsa-keys/SSK1.pem -in pmc_subsys_1.0.sha384 > pmc_subsys.0.sha384.sig
openssl rsautl -raw -sign -inkey rsa-keys/SSK3.pem -in lpd_12.0.sha384 > lpd.0.sha384.sig
openssl rsautl -raw -sign -inkey rsa-keys/SSK1.pem -in lpd_11.0.sha384 > psm.0.sha384.sig
openssl rsautl -raw -sign -inkey rsa-keys/SSK1.pem -in lpd_11.1.sha384 > psm.1.sha384.sig
openssl rsautl -raw -sign -inkey rsa-keys/SSK1.pem -in lpd_11.2.sha384 > psm.2.sha384.sig
openssl rsautl -raw -sign -inkey rsa-keys/SSK1.pem -in lpd_11.3.sha384 > psm.3.sha384.sig
openssl rsautl -raw -sign -inkey rsa-keys/SSK1.pem -in lpd_11.4.sha384 > psm.4.sha384.sig
openssl rsautl -raw -sign -inkey rsa-keys/SSK3.pem -in fpd_8.0.sha384 > fpd_data.cdo.0.sha384.sig
openssl rsautl -raw -sign -inkey rsa-keys/SSK2.pem -in ss_13.0.sha384 > ss.0.sha384.sig
ステージ 7: パーティションの署名を認証証明に挿入
パーティション 1 の署名を挿入:
command : bootgen -arch versal -image stage7a.bif -o pmc_subsys_e_ac.bin -w on -log error
stage7a:
{
bhsignature = bootheader.sha384.sig
image_config {bh_auth_enable}
image
{
name = pmc_subsys, id = 0x1c000001
{
type = bootimage,
authentication=rsa,
ppkfile = rsa-keys/PSK1.pub,
spkfile = rsa-keys/SSK1.pub,
spksignature = SSK1.pub.sha384.sig,
presign = pmc_subsys.0.sha384.sig,
file = pmc_subsys_e.bin
}
}
}
パーティション 2 の署名を挿入:
command : bootgen -arch versal -image stage7b-1.bif -o lpd_lpd_data_e_ac.bin -w on -log error
stage7b-1:
{
image
{
name = lpd, id = 0x4210002
partition
{
type = bootimage,
authentication = rsa,
ppkfile = rsa-keys/PSK3.pub,
spkfile = rsa-keys/SSK3.pub,
spksignature = SSK3.pub.sha384.sig,
presign = lpd.0.sha384.sig,
file = lpd_lpd_data_e.bin
}
}
}
パーティション 3 の署名を挿入:
command : bootgen -arch versal -image stage7b-2.bif -o lpd_psm_fw_e_ac.bin -w on -log error
stage7b-2:
{
image
{
name = lpd, id = 0x4210002
partition
{
type = bootimage,
authentication = rsa,
ppkfile = rsa-keys/PSK1.pub,
spkfile = rsa-keys/SSK1.pub,
spksignature = SSK1.pub.sha384.sig,
presign = psm.0.sha384.sig,
file = lpd_psm_fw_e.bin
}
}
}
パーティション 4 の署名を挿入:
command : bootgen -arch versal -image stage7c.bif -o fpd_e_ac.bin.bin -w on -log error
stage7c:
{
image
{
id = 0x1c000000, name = fpd
{ type = bootimage,
authentication=rsa,
ppkfile = rsa-keys/PSK3.pub,
spkfile = rsa-keys/SSK3.pub,
spksignature = SSK3.pub.sha384.sig,
presign = fpd_data.cdo.0.sha384.sig,
file = fpd_e.bin
}
}
}
パーティション 5 の署名を挿入:
command : bootgen -arch versal -image stage7d.bif -o subsystem_e_ac.bin -w on -log error
stage7d:
{
image
{
id = 0x1c000033, name = ss
{ type = bootimage,
authentication = rsa,
ppkfile = rsa-keys/PSK2.pub,
spkfile = rsa-keys/SSK2.pub,
spksignature = SSK2.pub.sha384.sig,
presign = ss.0.sha384.sig,
file = subsystem_e.bin
}
}
}
ステージ 8: イメージ ヘッダー テーブルのハッシュを生成
command : bootgen -arch versal -image stage8a.bif -generate_hashes -w on -log error
stage8:
{
id_code = 0x04ca8093
extended_id_code = 0x01
id = 0x2
metaheader
{
authentication = rsa,
ppkfile = rsa-keys/PSK2.pub,
spkfile = rsa-keys/SSK2.pub,
spksignature = SSK2.pub.sha384.sig,
encryption=aes,
keysrc = bbram_red_key,
aeskeyfile = encr_keys/efuse_red_metaheader_key.nky,
dpacm_enable,
revoke_id = 0x00000002
}
image
{
{type = bootimage, file = pmc_subsys_e_ac.bin}
}
image
{
{type = bootimage, file = lpd_lpd_data_e_ac.bin}
{type = bootimage, file = lpd_psm_fw_e_ac.bin}
}
image
{
{type = bootimage, file = fpd_e_ac.bin}
}
image
{
{type = bootimage, file = subsystem_e_ac.bin}
}
}
ステージ 9: イメージ ヘッダー テーブルのハッシュに署名
生成されたハッシュに署名:
openssl rsautl -raw -sign -inkey rsa-keys/SSK2.pem -in imageheadertable.sha384 > imageheadertable.sha384.sig
ステージ 10: メタ ヘッダー ハッシュを生成
command : bootgen -arch versal -image stage8b.bif -generate_hashes -w on -log error
stage8b:
{
headersignature = imageheadertable.sha384.sig
id_code = 0x04ca8093
extended_id_code = 0x01
id = 0x2
metaheader
{
authentication = rsa,
ppkfile = rsa-keys/PSK2.pub,
spkfile = rsa-keys/SSK2.pub,
spksignature = SSK2.pub.sha384.sig,
encryption=aes,
keysrc = bbram_red_key,
aeskeyfile = encr_keys/efuse_red_metaheader_key.nky,
dpacm_enable
}
image
{
{type = bootimage, file = pmc_subsys_e_ac.bin}
}
image
{
{type = bootimage, file = lpd_lpd_data_e_ac.bin}
{type = bootimage, file = lpd_psm_fw_e_ac.bin}
}
image
{
{type = bootimage, file = fpd_e_ac.bin}
}
image
{
{type = bootimage, file = subsystem_e_ac.bin}
}
}
ステージ 11: メタ ヘッダー ハッシュに署名
openssl rsautl -raw -sign -inkey rsa-keys/SSK2.pem -in MetaHeader.sha384 > metaheader.sha384.sig
ステージ 12: パーティションを結合し、ヘッダー署名を挿入
完全な PDI をビルド:
command : bootgen -arch versal -image stage10.bif -o final.bin -w on -log error
stage10:
{
headersignature = imageheadertable.sha384.sig
id_code = 0x04ca8093
extended_id_code = 0x01
id = 0x2
metaheader
{
authentication = rsa,
ppkfile = rsa-keys/PSK2.pub,
spkfile = rsa-keys/SSK2.pub
spksignature = SSK2.pub.sha384.sig,
presign = metaheader.sha384.sig
encryption=aes,
keysrc = bbram_red_key,
aeskeyfile = encr_keys/efuse_red_metaheader_key.nky,
dpacm_enable
}
image
{
{type = bootimage, file = pmc_subsys_e_ac.bin}
}
image
{
{type = bootimage, file = lpd_lpd_data_e_ac.bin}
{type = bootimage, file = lpd_psm_fw_e_ac.bin}
}
image
{
{type = bootimage, file = fpd_e_ac.bin}
}
image
{
{type = bootimage, file = subsystem_e_ac.bin}
}
}