user_name_
Visitor
Registered: ‎07-05-2021

PPK hash for RSA authentication

Hello,

I've been trying to get RSA authentication working properly on a Zynq 7010 board, with no success. My experience has been very similar to that described in this post, which doesn't offer a means to resolve the issue for my situation.

I'll outline what I did, then ask some questions at the end.

I started by generating keys:

 

openssl genrsa -out psk.pem 2048             # generate primary secret key
openssl genrsa -out ssk.pem 2048             # generate secondary secret key
openssl rsa -pubout -in psk.pem -out ppk.pub # generate primary public key
openssl rsa -pubout -in ssk.pem -out spk.pub # generate secondary public key

 

 I then generated a hash using the example BIF from XAPP1175:

 

gen_hash_ppk:
{
    [pskfile]/path/to/keys/psk.pem
    [sskfile]/path/to/keys/ssk.pem
    [bootloader, authentication=rsa]zynq_fsbl.elf
}

 

 then running:

 

bootgen -image gen_hash_ppk.bif -efuseppkbits hash_ppk.txt

 

 
I then created a BOOT.bin file from the xilskey_efuse_example.c. Here's how I configured the xilskey_input.h file:

 

//#define XSK_EFUSEPL_DRIVER // comment out this line as we are programming PS eFUSE only
#define XSK_EFUSEPS_DRIVER

...

#ifdef XSK_EFUSEPS_DRIVER

#define XSK_EFUSEPS_ENABLE_WRITE_PROTECT FALSE /**< Enable the eFUSE Array
* write protection
*/
#define XSK_EFUSEPS_ENABLE_RSA_AUTH TRUE /**< Enable the RSA
* Authentication eFUSE Bit
*/
#define XSK_EFUSEPS_ENABLE_ROM_128K_CRC FALSE /**< Enable the ROM
* code 128K crc  eFUSE Bit
*/
#define XSK_EFUSEPS_DISABLE_DFT_JTAG FALSE /**< DFT jtag
* Disable
*/
#define XSK_EFUSEPS_DISABLE_DFT_MODE FALSE /**< DFT mode
* Disable
*/
#define XSK_EFUSEPS_ENABLE_RSA_KEY_HASH TRUE /**< Enabling this
* RsaKeyHashValue[64] is
* written to eFUSE array
*/
 
#define XSK_EFUSEPS_RSA_KEY_HASH_VALUE "<PPK HASH VALUE>" // the actual PPK hash hex string went here

#endif /* End of XSK_EFUSEPS_DRIVER */

 

 

When I booted the device using the BOOT.bin I got the following output on the console:

 

EfusePS status bits : 0xC0000000
EfusePS status bits : Write protect disabled
EfusePS status bits : RSA authentication of fsbl disabled
EfusePS status bits : 128k CRC check on ROM disabled
EfusePS status bits : DFT JTAG is enabled
EfusePS status bits : DFT mode is enabled
Read RSA Key Hash:
<PPK HASH VALUE>

eFUSE operations exit status: 0000FFFF *****

 

This seems to indicate that the hash was programmed correctly into the eFUSE (the hash value printed to the console matches the desired value).

However, the XSK_EFUSEPS_ENABLE_RSA_AUTH bit was not written, as indicated by "RSA authentication of fsbl disabled" (I checked the source code; this will display "enabled" if that bit has been set). Booting again via JTAG resulted in the bit being set. I believe this is expected behaviour, according to the comments in xilskey_input.h:

 

* #define XSK_EFUSEPS_ENABLE_RSA_AUTH FALSE
*
* TRUE to burn the RSA enable bit in PS eFUSE array. After enabling the bit,
* every successive boot must be RSA enabled apart from JTAG. Before burning
* this bit, make sure that eFUSE array has the valid PPK hash.If the PPK hash
* burning is enabled, only after writing the hash successfully, RSA enable
* bit will be blown. Note that, for RSA enable bit to take effect, POR reset
* is required.
* FALSE will not modify the RSA enable bit.

 

So at this point I have the hash burned into the eFUSE array and the RSA enable bit set. I created the following image:

 

//arch = zynq; split = false; format = BIN
the_ROM_image:
{
    [pskfile]/path/to/keys/psk.pem
    [sskfile]/path/to/keys/ssk.pem
    [bootloader, authentication=rsa]/path/to/fsbl/zynq_fsbl.elf
    [authentication=rsa]/path/to/bitstream/system.bit
    [authentication=rsa]/path/to/uboot/u-boot.elf
}

 

and tried booting it. Usually at this point I would see U-Boot dialogue in the serial monitor, but with this image, nothing. So it seems the boot is failing.

Here are my questions:

  1. I'm suspicious that the example BIF for generating the hash doesn't seem to use the PPK; my understanding is that it's the hash of the PPK that should be burned into the eFUSE array? EDIT: according to the Bootgen documentation the PPK is derived from the PSK and so the PPK does not need to be explicitly provided.
  2. Assuming the process described above is mostly correct, what do I need to do differently to get the authenticated image to boot?
  3. Can RSA authentication even be enabled without also having AES enabled? Note I've tried using RSA authentication both with and without AES encryption and had no success with either case, although I have had AES encryption only working just fine.
  4. What is the difference between 'Debug' and 'Release' modes (as mentioned in the documentation), and should I be using one instead of the other? As far as I can tell 'Debug' mode is simpler and is the recommended starting point, with 'Release' being an optional extra layer of security once the encryption and authentication is up and running.

Thanks!

0 Kudos
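
A pre-flight check for the key and hash steps in the post above, added here as an example; it is not part of the original post or of any Xilinx tool. The function names (`keys_match`, `modulus_bits`, `hash_ok`, `preflight`) are hypothetical, and it assumes the hash file holds one hex string, matching the 64-character `RsaKeyHashValue[64]` noted in the xilskey_input.h comment.

```shell
#!/bin/sh
# Sanity checks to run before an irreversible PS eFUSE write (added example).
# Usage: sh preflight.sh psk.pem ppk.pub hash_ppk.txt

# Modulus of a private / public PEM key, as printed by openssl ("Modulus=<HEX>").
priv_modulus() { openssl rsa -in "$1" -noout -modulus 2>/dev/null; }
pub_modulus()  { openssl rsa -pubin -in "$1" -noout -modulus 2>/dev/null; }

# Succeeds only if public key file $2 is the public half of private key $1.
keys_match() {
    priv=$(priv_modulus "$1") || return 1
    pub=$(pub_modulus "$2") || return 1
    [ -n "$priv" ] && [ "$priv" = "$pub" ]
}

# Prints the modulus length in bits of private key $1.
modulus_bits() {
    m=$(priv_modulus "$1") || return 1
    hex=${m#Modulus=}
    echo $(( ${#hex} * 4 ))
}

# Succeeds only if file $1 holds exactly 64 hex digits (256 bits),
# ignoring surrounding whitespace and line endings.
hash_ok() {
    h=$(tr -d ' \t\r\n' < "$1") || return 1
    [ "${#h}" -eq 64 ] || return 1
    case $h in *[!0-9A-Fa-f]*) return 1 ;; esac
    return 0
}

# Runs all checks; any failure means the eFUSE value should not be burned yet.
preflight() {
    keys_match "$1" "$2" || { echo "FAIL: $2 is not the public half of $1" >&2; return 1; }
    [ "$(modulus_bits "$1")" -eq 2048 ] || { echo "FAIL: $1 is not a 2048-bit key" >&2; return 1; }
    hash_ok "$3" || { echo "FAIL: $3 is not a 64-digit hex string" >&2; return 1; }
    echo "OK: key pair is consistent and the hash is well-formed"
}

if [ "$#" -eq 3 ]; then
    preflight "$@"
fi
```

These checks confirm only that the inputs are well-formed and belong together; they do not recompute the hash that bootgen produces.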

Accepted Solutions
user_name_
Visitor
Registered: ‎07-05-2021

Update: it turns out the issue was unrelated to the PPK hash; the steps described in the original post are fine. The actual problem was that RSA authentication is disabled by default in the FSBL. It would have been helpful if this information was documented somewhere other than buried in the comments of the FSBL source code.

To enable FSBL RSA support, open the following file (or create it if it doesn't exist already):

/petalinux/PROJECT_NAME/project-spec/meta-user/recipes-bsp/fsbl/fsbl_%.bbappend

and ensure the following lines are present:

#Enable RSA Support
YAML_COMPILER_FLAGS_append = " -DRSA_SUPPORT"
