06-24-2020 07:17 AM
I am having a problem with RSA Authentication that I don't understand.
I have enabled Encryption and Authentication in my boot image bif file. I have burned an AES key and RSA Public Key SHA3 hashes to the PPK eFUSES. I can boot with ENC_ONLY set, but when I set RSA_ENABLE I don't even get to the FSBL.
If I set bh_auth_enable, I can boot successfully and I see authentication is successful for each partition. If I do not have bh_auth_enable set and I do not have RSA_ENABLE set, then the FSBL is authenticated and loads, but fails to verify the remaining partitions with an XFSBL_ERROR_SPK_RSA_DECRYPT error.
I am confused that when setting the RSA_ENABLE eFUSE I don't even get to the FSBL. I would have thought that if the PPK hashes were incorrect somehow, I would have seen this behaviour in the previous tests with RSA_ENABLE unset and bh_auth_enable unset. Basically, I would not have expected to see the XFSBL_ERROR_SPK_RSA_DECRYPT error and for the FSBL to load if the PPK hash was bad.
Any thoughts on what I am doing wrong? Thanks!
06-26-2020 02:01 PM
RSA_EN and bh_auth_enable are mutually exclusive. One or the other.
Are you sure you have the RSA_EN eFUSE programmed?
06-26-2020 02:05 PM
Thanks for responding.
It looks like I programmed the wrong SHA3 hash into PPK0; I think I got PPK0 and PPK1 backwards. Either way, I started from scratch with new keys on a new board and it worked fine. The failure mode wasn't super obvious, so that is why I was confused.
07-10-2020 02:29 PM
I am glad you sorted this out.
Please mark your post with the solution.