The u-boot bootloader is modified to use the ZynqMP hardware cryptographic engines to authenticate and/or decrypt an image and load it for execution. The Xilinx Linux distribution PetaLinux v2018.1 releases u-boot with the modifications required to support authenticated and/or encrypted image loading.
Secure image loading is not supported if the image spans multiple partitions.
Loading an Authenticated Image from u-boot
The following steps show the process of creating and loading an authenticated boot image and data partition.
Create a single-partition image, authenticated and encrypted, using bootgen and the bif file template below. Note that if an ELF file is provided as input, make sure it does not contain multiple loadable sections.
u-boot returns the start address of the actual partition after successful authentication. In case of failure, it prints the error code.
If the RSA_EN eFUSE is programmed, authentication of the image is compulsory. Boot header authentication is not supported when the RSA eFUSE is enabled.
During the development/testing phase, the user can disable PPK hash and SPK_ID verification by enabling the bh_auth_enable flag in the bif file, which skips PPK and SPK_ID verification.
Loading an Encrypted Image from u-boot
Using the device key for decryption is possible only when one of the following conditions is met:
The PMU firmware running on the system is built with the trusted execution environment (secure_environment) variable of the XilSecure library enabled.
The boot image is authenticated.
The following steps show the process of creating and loading an encrypted boot image and data partition. This example does not use the authentication feature.
Generate the encrypted boot image using bootgen and the bif template file below. The example below expects the AES red key to be stored in BBRAM. Refer to the bootgen section of the Zynq UltraScale+ Security Features wiki page for bootgen command details.
Users can also use bbram_red_key to decrypt the image if authentication is enabled; in that case, the [keysrc_encryption] tag value should be given as bbram_red_key in the bif file above when creating the data image.
Program BBRAM with the AES red key used during the boot image creation in step 1.
Load the boot image to any of the configured/selected boot devices (SD/QSPI/NAND) and boot.
At the u-boot command prompt, perform the following steps to decrypt the partition.
Load the image to be authenticated (the image created in step 2) into unused DDR memory.
Load the AES key used for encrypting the data image in step 2 into unused DDR memory.
Execute the command below at the u-boot command prompt to decrypt the partition.
Create a single-partition image, authenticated and encrypted, using bootgen and the bif file template below. Note that if an ELF file is provided as input, make sure it does not contain multiple loadable sections. Refer to the bootgen section of the Zynq UltraScale+ Security Features wiki page for bootgen command details.
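An added example (not the wiki's own template) of such a bif file for a single-partition data image that is both RSA-authenticated and AES-encrypted with the red key taken from BBRAM; the file names are assumptions, and the bh_auth_enable line belongs only in development builds because it skips the PPK hash and SPK_ID checks.

```bif
// Added example bif, not the wiki's template; file names are assumptions.
// Builds one authenticated + encrypted data partition for loading from u-boot.
the_ROM_image:
{
    // RSA primary/secondary key pair used to sign the partition (assumed file names)
    [pskfile] psk.pem
    [sskfile] ssk.pem

    // AES red key and IV in bootgen .nky format; the same key must be programmed into BBRAM
    [aeskeyfile] red_key.nky

    // Decrypt with the key held in BBRAM instead of a key carried inside the image
    [keysrc_encryption] bbram_red_key

    // Development only: skip PPK hash and SPK_ID verification (remove for production)
    [fsbl_config] bh_auth_enable

    // Exactly one loadable partition; an ELF with several loadable sections is not supported
    [authentication=rsa, encryption=aes, destination_cpu=a53-0] data_app.elf
}
```

For the encryption-only flow of the previous section, drop the pskfile, sskfile and fsbl_config lines and the authentication=rsa attribute; keep [keysrc_encryption] bbram_red_key so the hardware takes the key from BBRAM.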