Xilinx WikiU-bootLoading PL and Partial PDI on Versal Platform Using U-Boot

Loading PL and Partial PDI on Versal Platform Using U-Boot

Owned by tkarthik (Unlicensed), created
Last updated: Sept 20, 2022 by William Cassells

U-Boot for Versal is capable of loading secure and non-secure partial PDI or DFX PDI using U-Boot commands. This document provides information on “versal loadpdi“ command usage and provides sample BIF files for secure and non-secure cases.

Certain Design considerations are required to load PL logic from U-boot or run-time software. Refer to “Classic SoC Boot” in UG1273 and the Classic SoC boot tutorial available from the Xilinx GitHub repository.

Table of contents

Load PDI

Use the “versal loadpdi“ command to load secure/non-secure PDI.

versal loadpdi <ddr addr> <len> ddr addr: Address at which pdi is loaded len : Length of the pdi loaded

Create PDI binaries

Use the Bootgen tool to create PDI binaries using BIF files. Refer to UG1283 for more details on creating BIF files.

bootgen -arch versal -image image.bif -w -o image.pdi

Sample BIF files to generate a PDI using PL configuration

This section shows some example BIF's to generate a partial PDI with PL configuration data. Such partial PDI's can be loaded on a target which is already configured with the boot PDI and has at least PLM running on the target.

Non-Secure

bif: { id_code = 0x14ca8093 extended_id_code = 0x01 id = 0x2 image { name = PL_Image id = 0x18700000 partition { id = 0x103 type = cdo file = <file1.rcdo> } partition { id = 0x105 type = cdo file = <file1.rnpi> } } }

Secure AES

bif: { id_code = 0x14ca8093 extended_id_code = 0x01 id = 0x2 image { name = PL_Image id = 0x18700000 partition { id = 0x103 type = cdo encryption = aes, keysrc = bbram_red_key, dpacm_enable, revoke_id = 0x1, aeskeyfile = aeskeys_pl1.nky file = file.rcdo } partition { id = 0x105 type = cdo encryption = aes, keysrc = bbram_red_key, dpacm_enable, revoke_id = 0x2, aeskeyfile = aeskeys_pl2.nky file = file.rnpi } } }

The aeskeyfile in the first partition should be the same key that was programmed in the bbram.

Secure AES-RSA

bif: { [pskfile] PSK.pem [sskfile] SSK.pem id_code = 0x14ca8093 extended_id_code = 0x01 id = 0x2 image { name = PL_Image id = 0x18700000 partition { id = 0x103 type = cdo encryption = aes, keysrc = bbram_red_key, dpacm_enable, revoke_id = 0x1, aeskeyfile = aeskeys_pl1.nky authentication = rsa, file = file.rcdo } partition { id = 0x105 type = cdo encryption = aes, keysrc = bbram_red_key, dpacm_enable, revoke_id = 0x2, aeskeyfile = aeskeys_pl2.nky authentication = rsa, file = file.rnpi } } }

The aeskeyfile in the first partition should be the same key which was programmed in the bbram.

Secure ECDSA

bif: { [pskfile] ecdsap384_ppk.pem [sskfile] ecdsap384_ssk.pem id_code = 0x14ca8093 extended_id_code = 0x01 id = 0x2 image { name = PL_Image id = 0x18700000 partition { id = 0x103 type = cdo authentication = ecdsa file = file.rcdo } partition { id = 0x105 type = cdo authentication = ecdsa file = file.rnpi } } }

Sample BIF files for partial PDI with software images

In the below example, the Linux fit image will be loaded to the DDR location (0x10000000) by the PLM by decrypting/Authenticating the PDI image.

Non-Secure

bif: { id_code = 0x14ca8093 extended_id_code = 0x01 id = 0x2 partition { id = 0x1 destination_cpu = a72-0 load = 0x10000000, file = image.ub } }

Secure AES

bif: { id_code = 0x14ca8093 extended_id_code = 0x1 id = 0x2 /* * Uncomment meta header for the first time while building the image. * Then compare image_ub.nky key0 with plm.nky key0, if different * follow below procedure. * Then comment the meta header and copy key0 from plm.nky & replace * image_ub.nky key0 with plm.nky key0. Then rebuild the image again. */ /* metaheader { encryption = aes, keysrc = bbram_red_key, dpacm_enable, aeskeyfile = plm.nky } */ image { name = Linux id = 0x1c000000 partition { id = 0xe partition_type = raw, encryption = aes, dpacm_enable, keysrc = bbram_red_key, aeskeyfile = image_ub.nky load = 0x10000000, file = image.ub } } }

The aeskeyfile in the metaheader should be the same key which was programmed in the bbram.

Secure AES-RSA

bif: { [pskfile] PSK.pem [sskfile] SSK.pem id_code = 0x14ca8093 extended_id_code = 0x01 id = 0x2 /* * Uncomment meta header for the first time while building the image. * Then compare image_ub.nky key0 with plm.nky key0, if different * follow below procedure. * Then comment the meta header and copy key0 from plm.nky & replace * image_ub.nky key0 with plm.nky key0. Then rebuild the image again. */ /* metaheader { encryption = aes, authentication = rsa, keysrc = bbram_red_key, dpacm_enable, aeskeyfile = plm.nky } */ image { name = Linux id = 0x1c000000 partition { id = 0xe partition_type = raw, encryption = aes, dpacm_enable, keysrc = bbram_red_key, aeskeyfile = image_ub.nky load = 0x10000000, file = image.ub } } }

Secure ECDSA

bif: { [pskfile] ecdsap384_ppk.pem [sskfile] ecdsap384_ssk.pem id_code = 0x14ca8093 extended_id_code = 0x01 id = 0x2 image { name = Linux id = 0x1c000000 partition { id = 0xe authentication = ecdsa core = a72-0, load = 0x10000000, file = image.ub } } }

Related links

 

© Copyright 2019 - 2022 Xilinx Inc. Privacy Policy