Loading PL and Partial PDI on Versal Platform Using U-Boot
U-Boot for Versal is capable of loading secure and non-secure partial PDI or DFX PDI using U-Boot commands. This document provides information on “versal loadpdi“ command usage and provides sample BIF files for secure and non-secure cases.
Certain Design considerations are required to load PL logic from U-boot or run-time software. Refer to “Classic SoC Boot” in UG1273 and the Classic SoC boot tutorial available from the Xilinx GitHub repository.
Table of contents
Load PDI
Use the “versal loadpdi“ command to load secure/non-secure PDI.
versal loadpdi <ddr addr> <len>
ddr addr: Address at which pdi is loaded
len : Length of the pdi loaded
Create PDI binaries
Use the Bootgen tool to create PDI binaries using BIF files. Refer to UG1283 for more details on creating BIF files.
bootgen -arch versal -image image.bif -w -o image.pdi
Sample BIF files to generate a PDI using PL configuration
This section shows some example BIF's to generate a partial PDI with PL configuration data. Such partial PDI's can be loaded on a target which is already configured with the boot PDI and has at least PLM running on the target.
Non-Secure
bif:
{
id_code = 0x14ca8093
extended_id_code = 0x01
id = 0x2
image
{
name = PL_Image
id = 0x18700000
partition
{
id = 0x103
type = cdo
file = <file1.rcdo>
}
partition
{
id = 0x105
type = cdo
file = <file1.rnpi>
}
}
}
Secure AES
bif:
{
id_code = 0x14ca8093
extended_id_code = 0x01
id = 0x2
image
{
name = PL_Image
id = 0x18700000
partition
{
id = 0x103
type = cdo
encryption = aes, keysrc = bbram_red_key, dpacm_enable, revoke_id = 0x1, aeskeyfile = aeskeys_pl1.nky
file = file.rcdo
}
partition
{
id = 0x105
type = cdo
encryption = aes, keysrc = bbram_red_key, dpacm_enable, revoke_id = 0x2, aeskeyfile = aeskeys_pl2.nky
file = file.rnpi
}
}
}
The aeskeyfile in the first partition should be the same key that was programmed in the bbram.
Secure AES-RSA
bif:
{
[pskfile] PSK.pem
[sskfile] SSK.pem
id_code = 0x14ca8093
extended_id_code = 0x01
id = 0x2
image
{
name = PL_Image
id = 0x18700000
partition
{
id = 0x103
type = cdo
encryption = aes, keysrc = bbram_red_key, dpacm_enable, revoke_id = 0x1, aeskeyfile = aeskeys_pl1.nky
authentication = rsa,
file = file.rcdo
}
partition
{
id = 0x105
type = cdo
encryption = aes, keysrc = bbram_red_key, dpacm_enable, revoke_id = 0x2, aeskeyfile = aeskeys_pl2.nky
authentication = rsa,
file = file.rnpi
}
}
}
The aeskeyfile in the first partition should be the same key which was programmed in the bbram.
Secure ECDSA
bif:
{
[pskfile] ecdsap384_ppk.pem
[sskfile] ecdsap384_ssk.pem
id_code = 0x14ca8093
extended_id_code = 0x01
id = 0x2
image
{
name = PL_Image
id = 0x18700000
partition
{
id = 0x103
type = cdo
authentication = ecdsa
file = file.rcdo
}
partition
{
id = 0x105
type = cdo
authentication = ecdsa
file = file.rnpi
}
}
}
Sample BIF files for partial PDI with software images
In the below example, the Linux fit image will be loaded to the DDR location (0x10000000) by the PLM by decrypting/Authenticating the PDI image.
Non-Secure
bif:
{
id_code = 0x14ca8093
extended_id_code = 0x01
id = 0x2
partition
{
id = 0x1
destination_cpu = a72-0
load = 0x10000000, file = image.ub
}
}
Secure AES
bif:
{
id_code = 0x14ca8093
extended_id_code = 0x1
id = 0x2
/*
* Uncomment meta header for the first time while building the image.
* Then compare image_ub.nky key0 with plm.nky key0, if different
* follow below procedure.
* Then comment the meta header and copy key0 from plm.nky & replace
* image_ub.nky key0 with plm.nky key0. Then rebuild the image again.
*/
/*
metaheader
{
encryption = aes, keysrc = bbram_red_key, dpacm_enable, aeskeyfile = plm.nky
}
*/
image
{
name = Linux
id = 0x1c000000
partition
{
id = 0xe
partition_type = raw,
encryption = aes, dpacm_enable, keysrc = bbram_red_key, aeskeyfile = image_ub.nky
load = 0x10000000, file = image.ub
}
}
}
The aeskeyfile in the metaheader should be the same key which was programmed in the bbram.
Secure AES-RSA
bif:
{
[pskfile] PSK.pem
[sskfile] SSK.pem
id_code = 0x14ca8093
extended_id_code = 0x01
id = 0x2
/*
* Uncomment meta header for the first time while building the image.
* Then compare image_ub.nky key0 with plm.nky key0, if different
* follow below procedure.
* Then comment the meta header and copy key0 from plm.nky & replace
* image_ub.nky key0 with plm.nky key0. Then rebuild the image again.
*/
/*
metaheader
{
encryption = aes, authentication = rsa, keysrc = bbram_red_key, dpacm_enable, aeskeyfile = plm.nky
}
*/
image
{
name = Linux
id = 0x1c000000
partition
{
id = 0xe
partition_type = raw,
encryption = aes, dpacm_enable, keysrc = bbram_red_key, aeskeyfile = image_ub.nky
load = 0x10000000, file = image.ub
}
}
}
Secure ECDSA
bif:
{
[pskfile] ecdsap384_ppk.pem
[sskfile] ecdsap384_ssk.pem
id_code = 0x14ca8093
extended_id_code = 0x01
id = 0x2
image
{
name = Linux
id = 0x1c000000
partition
{
id = 0xe
authentication = ecdsa
core = a72-0, load = 0x10000000, file = image.ub
}
}
}
Related links
https://xilinx-wiki.atlassian.net/wiki/spaces/A/pages/2037088327/Versal+Platform+Loader+and+Manager#Secure
https://docs.xilinx.com/r/2021.1-English/ug1283-bootgen-user-guide
© Copyright 2019 - 2022 Xilinx Inc. Privacy Policy