cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Visitor
Visitor
340 Views
Registered: ‎09-18-2020

Partition Signature Verification Failed on Zynqmp using UG1283 MPSoC HSM mode

I'm currently running through the HSM example in ug1283 I have the script below:

when I run the bootgen verify command :

bootgen -arch zynqmp -verify final.bin

 

I get this:

 

****** Xilinx Bootgen v2019.1
**** Build date : May 24 2019-14:54:05
** Copyright 1986-2019 Xilinx, Inc. All Rights Reserved.

---------------------------------------------------------------------
Verifying Header Authentication Certificate
SPK Signature Verified
Header Signature Verified
---------------------------------------------------------------------
Verifying Partition 'fsbl.elf.0' Authentication Certificate
BootHeader Signature Verified
SPK Signature Verified
Partition Signature Verified
---------------------------------------------------------------------
Verifying Partition 'system.bit.0' Authentication Certificate
SPK Signature Verified
Partition Signature Verification Failed
[ERROR] : Authentication verification failed on bootimage final.bin

Questions:

1. why is the header signature verified and the bootheader signature verified, SPK signature verified but then the system.bit.0 partition signature failing verification?

The script stops there so do not know what happens afterwards.

 

 

-------------------------------------------------------------------------------------

scripts:

------------------------------------------------------------------------------------
# run stage0, bootgen to generate the hash
# this command should generate the .pub.sha384
echo running stage 0
bootgen -arch zynqmp -image stage0.bif -generate_hashes -w on -log error


# run stage1, openssl to geneate the signature
# this command output should be spk0.pub.sha384.sig
echo running stage 1
openssl rsautl -raw -sign -inkey psk0.pem -in spk0.pub.sha384 > spk0.pub.sha384.sig

# run stage 2a bootgen, encrypt the FSBL
echo running stage 2a
bootgen -arch zynqmp -image stage2a.bif -o fsbl_e.bin -w on -log error

# run stage 2b bootgen, encrypt the bitstream
echo running stage 2b
bootgen -arch zynqmp -image stage2b.bif -o system_e.bin -w on -log error

# run stage 3 bootgen; generate boot header hash
# this generates the .sha384 file
echo running stage 3
bootgen -arch zynqmp -image stage3.bif -generate_hashes -w on -log error

# step 4 (stage 4) , run open ssl
# Generate the boot header hash with the following OpenSSL command:
echo running stage 4
openssl rsautl -raw -sign -inkey ssk0.pem -in bootheader.sha384 > bootheader.sha384.sig

# run stage5
echo running stage 5
bootgen -arch zynqmp -image stage5.bif -generate_hashes -w on -log error

#stage6 sign hashes
# create the following files using openssl
echo running stage 6
openssl rsautl -raw -sign -inkey ssk0.pem -in fsbl.elf.0.sha384 > fsbl.elf.0.sha384.sig
openssl rsautl -raw -sign -inkey ssk0.pem -in system.bit.0.sha384 > system.bit.0.sha384.sig
openssl rsautl -raw -sign -inkey ssk0.pem -in system.bit.1.sha384 > system.bit.1.sha384.sig
openssl rsautl -raw -sign -inkey ssk0.pem -in system.bit.2.sha384 > system.bit.2.sha384.sig
openssl rsautl -raw -sign -inkey ssk0.pem -in system.bit.3.sha384 > system.bit.3.sha384.sig
openssl rsautl -raw -sign -inkey ssk0.pem -in u-boot.elf.0.sha384 > uboot.elf.0.sha384.sig
openssl rsautl -raw -sign -inkey ssk0.pem -in bl31.elf.0.sha384 > bl31.elf.0.sha384.sig
openssl rsautl -raw -sign -inkey ssk0.pem -in bl31.elf.1.sha384 > bl31.elf.1.sha384.sig

# stage 7 , Insert Partition Signatures into Authentication Certificate
# stage 7a insert the FSBL signalure by adding codd in bif then bootgen command
echo running stage 7a
bootgen -arch zynqmp -image stage7a.bif -o fsbl_e_ac.bin -efuseppkbits efuseppkbits.txt -nonbooting -w on -log error

# stage 7b
# insert the bitstream signature , see .bif
echo running stage 7b
bootgen -arch zynqmp -image stage7b.bif -o system_e_ac.bin -nonbooting -w on -log error

# run stage 7c
echo running stage 7c
bootgen -arch zynqmp -image stage7c.bif -o u-boot_ac.bin -nonbooting -w on -log error

# run stage 7d
echo running stage 7d
bootgen -arch zynqmp -image stage7d.bif -o bl31_ac.bin -nonbooting -w on -log error

# run stage 8
# combind partitions, get header table hash
echo running stage 8
bootgen -arch zynqmp -image stage8.bif -generate_hashes -o stage8.bin -w on -log error

# stage 9 sign header table hashes
echo running stage 9
openssl rsautl -raw -sign -inkey ssk0.pem -in ImageHeaderTable.sha384 > ImageHeaderTable.sha384.sig

# run stage 10 final , combing partitions, insert header table signature
echo running final stage 10
bootgen -arch zynqmp -image stage10.bif -o final.bin -w on -log error

-------------------------------------

bifs:

-------------------------------------

// from ug1283 , creatign a MPSoC device boot image using HSM mode
// see xilinx answer AR# 73089 ultrasScal+ MPSoC HSM flow loading signed FPGA from u-boot
stage0:
{
[ppkfile]ppk0.pub
[spkfile]spk0.pub
}
-bash-4.2$ cat stage2a.bif
// from ug1283 , creatign a MPSoC device boot image using HSM mode
// encrypt the fsbl using the red key
stage2a:
{
[keysrc_encryption] bbram_red_key
[pmufw_image] pmu_fw.elf
[bootloader,destination_cpu=a53-0,encryption=aes,aeskeyfile=aes0.nky]fsbl.elf
}
-bash-4.2$ cat stage2b.bif
// from ug1283 MPSoc Device Boot Image using HSM mode
stage2b:
{
[encryption=aes,aeskeyfile=aes1.nky,destination_device=pl,pid=1]system.bit
}
-bash-4.2$ cat stage3.bif
// from ug1283 , creatign a MPSoC device boot image using HSM mode
// see xilinx answer AR# 73089 ultrasScal+ MPSoC HSM flow loading signed FPGA from u-boot
stage3:
{
[fsbl_config] bh_auth_enable
[ppkfile] ppk0.pub
[spkfile] spk0.pub
[spksignature] spk0.pub.sha384.sig
[bootimage, authentication = rsa] fsbl_e.bin
}
-bash-4.2$ cat stage5.bif
// from ug1283 , creatign a MPSoC device boot image using HSM mode
// see xilinx answer AR# 73089 ultrasScal+ MPSoC HSM flow loading signed FPGA from u-boot
stage5:
{
[ppkfile] ppk0.pub
[spkfile] spk0.pub
[spksignature] spk0.pub.sha384.sig
[bhsignature] bootheader.sha384.sig
[bootimage, authentication = rsa] fsbl_e.bin
[bootimage, authentication = rsa] system_e.bin
[destination_cpu = a53-0, authentication = rsa, exception_level=el-3, trustzone=secure] bl31.elf
[destination_cpu = a53-0, authentication = rsa, exception_level=el-2] u-boot.elf
}
-bash-4.2$ cat stage7a.bif
// from ug1283 , creatign a MPSoC device boot image using HSM mode
//
stage7a:
{
[fsbl_config] bh_auth_enable
[ppkfile] ppk0.pub
[spkfile] spk0.pub
[spksignature] spk0.pub.sha384.sig
[bhsignature] bootheader.sha384.sig
[bootimage, authentication = rsa,presign=fsbl.elf.0.sha384.sig] fsbl_e.bin
}
-bash-4.2$ cat stage7b.bif
// ug1283 MPSoC device Boot Image using HSM Mode
// stage 7b: Insert the bitstream signature by adding the following to the BIF file:
stage7b:
{
[ppkfile]ppk0.pub
[spkfile]spk0.pub
[spksignature]spk0.pub.sha384.sig
[bhsignature]bootheader.sha384.sig
[bootimage,authentication=rsa,presign=system.bit.0.sha384.sig]system_e.bin
}
-bash-4.2$ cat stage7c.bif
// from ug1283 , creatign a MPSoC device boot image using HSM mode
// see xilinx answer AR# 73089 ultrasScal+ MPSoC HSM flow loading signed FPGA from u-boot
stage7c:
{
[ppkfile] ppk0.pub
[spkfile] spk0.pub
[spksignature] spk0.pub.sha384.sig
[bhsignature] bootheader.sha384.sig
[destination_cpu=a53-0, authentication = rsa, exception_level=el-2, presign=u-boot.elf.0.sha384.sig] u-boot.elf
}
-bash-4.2$ cat stage8.bif
// from ug1283 , creatign a MPSoC device boot image using HSM mode
// see xilinx answer AR# 73089 ultrasScal+ MPSoC HSM flow loading signed FPGA from u-boot
stage8:
{
[bootimage]fsbl_e_ac.bin
[bootimage]system_e_ac.bin
[bootimage]bl31_ac.bin
[bootimage]u-boot_ac.bin
}
-bash-4.2$ cat stage10.bif
// from ug1283 , creatign a MPSoC device boot image using HSM mode
// see xilinx answer AR# 73089 ultrasScal+ MPSoC HSM flow loading signed FPGA from u-boot
stage10:
{
[headersignature] ImageHeaderTable.sha384.sig
[bootimage] fsbl_e_ac.bin
[bootimage] system_e_ac.bin
[bootimage] bl31_ac.bin
[bootimage] u-boot_ac.bin
}

 

 

 

 

0 Kudos
Reply
3 Replies
Xilinx Employee
Xilinx Employee
271 Views
Registered: ‎10-11-2011

Try to compare the boot.bin generate with HSM with the equivalent boot.bin generated with one monolithic .bif.

Be sure they are 100% identical.

If not you can use bootgen -read to create text version of the two and see what is different.

That usually helps narrowing down which "step" is done wrong in the HSM flow.

-------------------------------------------------------------------------
Don’t forget to reply, kudo, and accept as solution.
-------------------------------------------------------------------------
0 Kudos
Reply
Visitor
Visitor
253 Views
Registered: ‎09-18-2020


I have created a non-HSM mode monolithic bif for creating boot.bin same issue.

see: Authentication Verification Failed on bootimage , on this forum section.  https://forums.xilinx.com/t5/ACAP-and-SoC-Boot-and/Authentication-verification-failed-on-bootimage/td-p/1154229

 

when the bitstream is authenticated if fails the bootgen verification.

Leonard

0 Kudos
Reply
Xilinx Employee
Xilinx Employee
230 Views
Registered: ‎10-11-2011

Investigating if this is a possible issue with verify.

-------------------------------------------------------------------------
Don’t forget to reply, kudo, and accept as solution.
-------------------------------------------------------------------------
0 Kudos
Reply