Contributor

Missing BH signature

I am creating an authenticated image which is loaded from u-boot via the "secure" call ... essentially following #4 here:

https://xilinx-wiki.atlassian.net/wiki/spaces/A/pages/18842432/Loading+authenticated+and+or+encrypted+image+partitions+from+u-boot

Since I have no PSK, I am using SSK and SPK signature in my bif file. After I got the auth image, I ran bootgen_utility and the Header Table AC is missing the BH signature. It does have the SPK and Partition signatures.

The partition Data AC (for a single image partition) has the BH Signature.

According to UG1085, the BH AC should have the BH Signature.


What am I missing?

thanks ...

Xilinx Employee


Re: Missing BH signature

Which version of the tools? Can you please post your .bif file and the bootgen command you used?

-------------------------------------------------------------------------
Don’t forget to reply, kudo, and accept as solution.
-------------------------------------------------------------------------
Contributor


Re: Missing BH signature

I am on 2018.3

This generates hashes:

bootgen -arch zynqmp -image hash.bif -generate_hashes -w on -log error

hash:
{
[auth_params] ppk_select=0; spk_select=spk-efuse; spk_id=0
[ppkfile] PPK0_pubkey.txt
[sskfile] SPK0_privkey.txt
[spksignature] SPK0_pubkey.pem.sha384.sig
[destination_device=ps,
authentication=rsa,
] temp.bin
}

I sign with openssl and then insert the sig into the certificate:

AC:
{
[auth_params] ppk_select=0; spk_select=spk-efuse; spk_id=0
[ppkfile] PPK0_pubkey.txt
[sskfile] SPK0_privkey.txt
[spksignature] SPK0_pubkey.pem.sha384.sig
[destination_device=ps,
authentication=rsa,
presign=temp.bin.0.sha384.sig
] temp.bin
}

using

bootgen -arch zynqmp -image ac.bif -o temp.bin.auth -nonbooting -w on -log error

This gives me an image which "secure" is happy with, i.e. no errors. I am finding it strange that the BH sig is missing from the Header AC. I know that "secure" is working, as I tried changing SPK/ppk-select and it would fail for me...

Xilinx Employee


Re: Missing BH signature

In the HSM flow described in UG1283 you have to add the BH signature explicitly to the partition using the attribute [bhsignature]bootheader.sha384.sig. It's stage 7 in Figure 16, page 74.

Now for a single independent partition, the BH signature might not be used by XilSecure when loading, since there's no BH to authenticate in that step.


Contributor


Re: Missing BH signature

It is not just for the bif files I attached. I looked at my boot.bin, which follows the HSM model, and the Header Table AC section does not have the bhsignature either. I think this is due to the fact that the header table partition signature is essentially the bhsignature.

Xilinx Employee


Re: Missing BH signature

Are you missing the bhsignature entry in your bif?

Stage7a:

{
   [fsbl_config] bh_auth_enable
   [ppkfile] primary.pub
   [spkfile] secondary.pub
   [spksignature]secondary.pub.sha384.sig
   [bhsignature]bootheader.sha384.sig
   [bootimage,authentication=rsa,presign=fsbl.elf.0.sha384.sig]fsbl_e.bin
}
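To check which signature slots an authentication certificate actually carries, rather than reading it off bootgen_utility's listing, here is an added Python example (not from this thread and not Xilinx tooling). It splits a raw Zynq UltraScale+ AC into its fields and reports which of the SPK, BH and partition signature slots are all zero; the field offsets are my assumption from the AC layout in UG1085 (RSA-4096, 0xEC0 bytes per AC), and the sample certificate bytes are constructed, not real keys or signatures.

```python
import struct

# Authentication Certificate layout for Zynq UltraScale+ (RSA-4096 / SHA-384).
# Assumed from the AC table in UG1085; confirm against your tool version.
AC_SIZE = 0xEC0
AC_FIELDS = {  # name: (offset, length in bytes)
    "header":              (0x000, 4),
    "spk_id":              (0x004, 4),
    "udf":                 (0x008, 56),
    "ppk":                 (0x040, 1088),   # modulus, extension, exponent, pad
    "spk":                 (0x480, 1088),
    "spk_signature":       (0x8C0, 512),
    "bh_signature":        (0xAC0, 512),    # the slot this thread is about
    "partition_signature": (0xCC0, 512),
}
SIGNATURE_SLOTS = ("spk_signature", "bh_signature", "partition_signature")


def parse_ac(ac: bytes) -> dict:
    """Split one certificate into its fields; reject anything but a full AC."""
    if len(ac) != AC_SIZE:
        raise ValueError(f"expected {AC_SIZE:#x} bytes of AC, got {len(ac):#x}")
    return {name: ac[off:off + ln] for name, (off, ln) in AC_FIELDS.items()}


def ac_from_partition(partition: bytes) -> bytes:
    """bootgen appends the AC after the partition data, so take the tail."""
    if len(partition) < AC_SIZE:
        raise ValueError("partition too short to carry an authentication certificate")
    return partition[-AC_SIZE:]


def signature_status(ac: bytes) -> dict:
    """True for each signature slot that holds something other than all zeros."""
    fields = parse_ac(ac)
    return {slot: any(fields[slot]) for slot in SIGNATURE_SLOTS}


def missing_signatures(ac: bytes) -> list:
    """Names of the signature slots that are still zero-filled."""
    return [slot for slot, present in signature_status(ac).items() if not present]


def build_sample_ac(with_bh_signature: bool) -> bytes:
    """Constructed sample AC: placeholder header word and dummy signature bytes."""
    ac = bytearray(AC_SIZE)
    struct.pack_into("<I", ac, 0x000, 0x00000101)   # placeholder header, not a real value
    ac[0x8C0:0xAC0] = b"\x11" * 512                  # dummy SPK signature
    if with_bh_signature:
        ac[0xAC0:0xCC0] = b"\x22" * 512              # dummy BH signature
    ac[0xCC0:0xEC0] = b"\x33" * 512                  # dummy partition signature
    return bytes(ac)
```

Feed `ac_from_partition` the bytes of one partition from the image (or the Header Table with its AC) and `missing_signatures` lists the empty slots, which is how the "no BH signature in the Header Table AC" observation above can be confirmed from the raw bytes.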