Loading PL and Partial PDI on Versal/Versal-Net/Versal2 Platform Using U-Boot
U-Boot for Versal/Versal-Net/Versal2 can load secure and non-secure partial PDIs or DFX PDIs using U-Boot commands. This document describes "fpga load" command usage and provides sample BIF files for the secure and non-secure cases.
Certain design considerations are required to load PL logic from U-Boot or run-time software. Refer to "Classic SoC Boot" in UG1273 and the Classic SoC boot tutorial available from the Xilinx GitHub repository.
Table of contents
- 1 Load PDI (This command is deprecated from 2025.1)
- 2 Load PDI
- 3 Create PDI binaries
- 4 Sample BIF files to generate a PDI using PL configuration
- 4.1 Non-Secure
- 4.2 Secure AES
- 4.3 Secure AES-RSA
- 4.4 Secure ECDSA
- 5 Sample BIF files for partial PDI with software images
- 5.1 Non-Secure
- 5.2 Secure AES
- 5.3 Secure AES-RSA
- 5.4 Secure ECDSA
- 6 Related links
Load PDI (This command is deprecated from 2025.1)
Use the "versal loadpdi" command to load a secure or non-secure PDI.
versal loadpdi <ddr addr> <len>
ddr addr: Address at which the PDI is loaded
len: Length of the loaded PDI
Load PDI
Use the "fpga load" command to load a secure or non-secure PDI.
fpga load <dev> <ddr addr> <len>
dev: Current device, default 0
ddr addr: Address at which the PDI is loaded
len: Length of the loaded PDI
Create PDI binaries
Use the Bootgen tool to create PDI binaries using BIF files. Refer to UG1283 for more details on creating BIF files.
bootgen -arch versal -image image.bif -w -o image.pdi
Sample BIF files to generate a PDI using PL configuration
This section shows example BIFs that generate a partial PDI with PL configuration data. Such partial PDIs can be loaded on a target that is already configured with the boot PDI and has at least the PLM running.
Non-Secure
bif:
{
    id_code = 0x14ca8093
    extended_id_code = 0x01
    id = 0x2
    image
    {
        name = PL_Image
        id = 0x18700000
        partition
        {
            id = 0x103
            type = cdo
            file = <file1.rcdo>
        }
        partition
        {
            id = 0x105
            type = cdo
            file = <file1.rnpi>
        }
    }
}
Secure AES
bif:
{
    id_code = 0x14ca8093
    extended_id_code = 0x01
    id = 0x2
    image
    {
        name = PL_Image
        id = 0x18700000
        partition
        {
            id = 0x103
            type = cdo
            encryption = aes, keysrc = bbram_red_key, dpacm_enable, revoke_id = 0x1, aeskeyfile = aeskeys_pl1.nky
            file = file.rcdo
        }
        partition
        {
            id = 0x105
            type = cdo
            encryption = aes, keysrc = bbram_red_key, dpacm_enable, revoke_id = 0x2, aeskeyfile = aeskeys_pl2.nky
            file = file.rnpi
        }
    }
}
The aeskeyfile in the first partition should contain the same key that was programmed in the BBRAM.
Secure AES-RSA
bif:
{
    [pskfile] PSK.pem
    [sskfile] SSK.pem
    id_code = 0x14ca8093
    extended_id_code = 0x01
    id = 0x2
    image
    {
        name = PL_Image
        id = 0x18700000
        partition
        {
            id = 0x103
            type = cdo
            encryption = aes, keysrc = bbram_red_key, dpacm_enable, revoke_id = 0x1, aeskeyfile = aeskeys_pl1.nky
            authentication = rsa,
            file = file.rcdo
        }
        partition
        {
            id = 0x105
            type = cdo
            encryption = aes, keysrc = bbram_red_key, dpacm_enable, revoke_id = 0x2, aeskeyfile = aeskeys_pl2.nky
            authentication = rsa,
            file = file.rnpi
        }
    }
}
The aeskeyfile in the first partition should contain the same key that was programmed in the BBRAM.
Secure ECDSA
bif:
{
    [pskfile] ecdsap384_ppk.pem
    [sskfile] ecdsap384_ssk.pem
    id_code = 0x14ca8093
    extended_id_code = 0x01
    id = 0x2
    image
    {
        name = PL_Image
        id = 0x18700000
        partition
        {
            id = 0x103
            type = cdo
            authentication = ecdsa
            file = file.rcdo
        }
        partition
        {
            id = 0x105
            type = cdo
            authentication = ecdsa
            file = file.rnpi
        }
    }
}
Sample BIF files for partial PDI with software images
In the examples below, the PLM decrypts/authenticates the PDI image and loads the Linux FIT image to the DDR location 0x10000000.
Non-Secure
bif:
{
    id_code = 0x14ca8093
    extended_id_code = 0x01
    id = 0x2
    partition
    {
        id = 0x1
        destination_cpu = a72-0
        load = 0x10000000, file = image.ub
    }
}
Secure AES
bif:
{
    id_code = 0x14ca8093
    extended_id_code = 0x1
    id = 0x2
    /*
     * On the first build, uncomment the metaheader block below.
     * Then compare key0 in image_ub.nky with key0 in plm.nky. If they
     * differ, comment the metaheader out again, replace key0 in
     * image_ub.nky with key0 from plm.nky, and rebuild the image.
     */
    /*
    metaheader
    {
        encryption = aes, keysrc = bbram_red_key, dpacm_enable, aeskeyfile = plm.nky
    }
    */
    image
    {
        name = Linux
        id = 0x1c000000
        partition
        {
            id = 0xe
            partition_type = raw,
            encryption = aes, dpacm_enable, keysrc = bbram_red_key, aeskeyfile = image_ub.nky
            load = 0x10000000, file = image.ub
        }
    }
}
The aeskeyfile in the metaheader should contain the same key that was programmed in the BBRAM.
Secure AES-RSA
bif:
{
    [pskfile] PSK.pem
    [sskfile] SSK.pem
    id_code = 0x14ca8093
    extended_id_code = 0x01
    id = 0x2
    /*
     * On the first build, uncomment the metaheader block below.
     * Then compare key0 in image_ub.nky with key0 in plm.nky. If they
     * differ, comment the metaheader out again, replace key0 in
     * image_ub.nky with key0 from plm.nky, and rebuild the image.
     */
    /*
    metaheader
    {
        encryption = aes, authentication = rsa, keysrc = bbram_red_key, dpacm_enable, aeskeyfile = plm.nky
    }
    */
    image
    {
        name = Linux
        id = 0x1c000000
        partition
        {
            id = 0xe
            partition_type = raw,
            encryption = aes, dpacm_enable, keysrc = bbram_red_key, aeskeyfile = image_ub.nky
            load = 0x10000000, file = image.ub
        }
    }
}
Secure ECDSA
bif:
{
    [pskfile] ecdsap384_ppk.pem
    [sskfile] ecdsap384_ssk.pem
    id_code = 0x14ca8093
    extended_id_code = 0x01
    id = 0x2
    image
    {
        name = Linux
        id = 0x1c000000
        partition
        {
            id = 0xe
            authentication = ecdsa
            core = a72-0, load = 0x10000000, file = image.ub
        }
    }
}
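Before handing a BIF to Bootgen, it helps to list which protections each active block actually declares, since a commented-out metaheader contributes nothing. The following is an added example, not code from this page or from Bootgen: the names audit_bif and parse_attrs are hypothetical, and the parser assumes only the BIF subset shown in the samples above.

```python
import re
# Constructed input: the page's "Secure AES-RSA" software-image BIF, condensed.
SAMPLE_BIF = """
bif:
{
    [pskfile] PSK.pem
    [sskfile] SSK.pem
    /*
    metaheader
    {
        encryption = aes, authentication = rsa, keysrc = bbram_red_key, aeskeyfile = plm.nky
    }
    */
    image
    {
        partition
        {
            id = 0xe
            partition_type = raw,
            encryption = aes, dpacm_enable, keysrc = bbram_red_key, aeskeyfile = image_ub.nky
            load = 0x10000000, file = image.ub
        }
    }
}
"""

# Assumption: partition/metaheader bodies contain no nested braces, as in the page's samples.
BLOCK_RE = re.compile(r"\b(partition|metaheader)\s*\{([^{}]*)\}")

def parse_attrs(body):
    """Split a block body on commas/newlines into key=value pairs and bare flags."""
    attrs = {}
    for item in filter(None, (s.strip() for s in re.split(r"[,\n]", body))):
        key, sep, value = item.partition("=")
        attrs[key.strip()] = value.strip() if sep else True
    return attrs

def audit_bif(text):
    """Return (active blocks, findings); anything inside /* */ is ignored."""
    active = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    blocks = [(kind, parse_attrs(body)) for kind, body in BLOCK_RE.findall(active)]
    findings = []
    for kind, attrs in blocks:
        for prot in ("encryption", "authentication"):
            if prot not in attrs:
                findings.append(f"{kind} id={attrs.get('id', '?')}: no {prot} attribute")
    return blocks, findings

if __name__ == "__main__":
    print("\n".join(audit_bif(SAMPLE_BIF)[1]))
```

On this input the only finding is that partition 0xe declares no authentication attribute, because the sole "authentication = rsa" sits inside the commented-out metaheader.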
Related links
© Copyright 2019 - 2022 Xilinx Inc.