02-08-2019 10:30 AM
Hello,
I'm attempting to boot from QSPI using an image that was authenticated with a PPK burned into eFuse, and encrypted using a RED key whose PUF-protected BLACK version is stored in eFuse. The boot fails and the error code given is 0x3949. The 0x49 error code is described in Table 11-9 of UG1085, but the 0x39 error code is not listed (it conveniently skips from 0x38 to 0x3A...). Does anyone have any idea what 0x39 represents? If so, can you please let me know? Thanks!
Take care.
Jim
02-15-2019 02:39 PM
Can I see your .bif? The error tells you there's no authentication in the image while using the PUF.
02-18-2019 06:33 AM
Hello dentist,
Here is my BIF:
//arch = zynqmp; split = false; format = BIN
the_ROM_image:
{
    [pskfile] C:\Xilinx\workspace\foobar\foobar.sdk\foobar_puf\bootimage\keys\psk0.pem
    [sskfile] C:\Xilinx\workspace\foobar\foobar.sdk\foobar_puf\bootimage\keys\ssk0.pem
    [auth_params] spk_id = 0; ppk_select = 0
    [aeskeyfile] C:\Xilinx\workspace\foobar\foobar.sdk\foobar_puf\bootimage\keys\multiple_keys.nky
    [keysrc_encryption] efuse_blk_key
    [bh_key_iv] C:\Xilinx\workspace\foobar\foobar.sdk\foobar_puf\bootimage\keys\puf_iv.txt
    [fsbl_config] puf4kmode, shutter = 0x0100005E, opt_key
    [bootloader, destination_cpu=a53-0, encryption = aes, authentication = rsa] C:\Xilinx\workspace\foobar\foobar.sdk\foobar_fsbl\Debug\foobar_fsbl.elf
    [encryption = aes, authentication = rsa, destination_device = pl] C:\Xilinx\workspace\foobar\foobar.sdk\top_level_hw_platform_0\top_level.bit
    [encryption = aes, authentication = rsa, destination_cpu = a53-0] C:\Xilinx\workspace\foobar\foobar.sdk\foobar\Debug\foobar.elf
}
I noticed that the above failure occurs (with bootROM error code 0x80003949) when I do NOT have RSA_EN blown (both the PPK0 efuse hash and BLACK efuse value are programmed). If I program RSA_EN then it boots. I had thought that programming the PPK0 efuse hash and using RSA authentication on the image would be sufficient to enable the PUF KEK to decrypt the BLACK key and decrypt the image, but apparently RSA_EN needs to be set as well.
Is there a more complete list of BootROM error codes somewhere that includes error code 0x39 (or 0x3C, 0x3F, or others missing from Table 11-9 in the current UG1085)?
Take care.
Jim
02-19-2019 10:40 AM
Yes, RSA_EN must be programmed to enforce authentication, OR you can try the attribute bh_auth_enable in the header. See the bootgen guide for more details.
Sorry, the public error codes are in UG1085 and I don't have any other list I can share.
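
The condition worked out in this thread can be checked before an image is built. The following is an added example, not code from any poster or from Xilinx: a small BIF check that flags a PUF-keyed image whose partitions lack RSA authentication, and notes when the image relies on the RSA_EN eFuse because bh_auth_enable is absent. The sample BIF is the one posted above with paths shortened to placeholders; looking for bh_auth_enable in the [fsbl_config] line and treating efuse_blk_key or any puf* flag as "PUF in use" are assumptions of this sketch.

```python
import re

# Constructed sample: the BIF from the thread with file paths shortened to placeholders.
SAMPLE_BIF = """
the_ROM_image:
{
    [pskfile] keys/psk0.pem
    [sskfile] keys/ssk0.pem
    [auth_params] spk_id = 0; ppk_select = 0
    [aeskeyfile] keys/multiple_keys.nky
    [keysrc_encryption] efuse_blk_key
    [bh_key_iv] keys/puf_iv.txt
    [fsbl_config] puf4kmode, shutter = 0x0100005E, opt_key
    [bootloader, destination_cpu=a53-0, encryption = aes, authentication = rsa] fsbl.elf
    [encryption = aes, authentication = rsa, destination_device = pl] top_level.bit
    [encryption = aes, authentication = rsa, destination_cpu = a53-0] app.elf
}
"""

def parse_bif(text):
    """Split '[attrs] value' lines into image-wide settings and partitions."""
    settings, partitions = {}, []
    for attrs, value in re.findall(r"^[ \t]*\[([^\]]+)\][ \t]*(\S.*?)[ \t]*$", text, re.M):
        tokens = [t.strip() for t in attrs.split(",")]
        if "=" in attrs or "bootloader" in tokens:
            # Partition line: comma-separated 'key = value' pairs or bare flags.
            pairs = (t.partition("=") for t in tokens)
            partitions.append(({k.strip(): v.strip() for k, _, v in pairs}, value))
        else:
            settings[tokens[0]] = value
    return settings, partitions

def check_puf_auth(text):
    """Return findings for the PUF/authentication condition discussed in the thread."""
    settings, partitions = parse_bif(text)
    fsbl = {t.split("=")[0].strip() for t in settings.get("fsbl_config", "").split(",")}
    # Assumption: efuse_blk_key or any puf* flag in fsbl_config means the PUF is in use.
    uses_puf = (settings.get("keysrc_encryption") == "efuse_blk_key"
                or any(flag.startswith("puf") for flag in fsbl))
    if not uses_puf:
        return []
    findings = [f"{path}: PUF-protected key in use but partition is not RSA-authenticated"
                for attrs, path in partitions if attrs.get("authentication") != "rsa"]
    if "bh_auth_enable" not in fsbl:
        findings.append("bh_auth_enable absent: boot depends on the RSA_EN eFuse being programmed")
    return findings

if __name__ == "__main__":
    for finding in check_puf_auth(SAMPLE_BIF):
        print(finding)
```

Run against the posted BIF, it reports only the RSA_EN dependency, which matches the behaviour described above: the image booted once RSA_EN was programmed.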