Can I see your .bif? The error tells you there's no authentication in the image while using the PUF.

Hello dentist,

Here is my BIF:

//arch = zynqmp; split = false; format = BIN
the_ROM_image:
{
	[pskfile] C:\Xilinx\workspace\foobar\foobar.sdk\foobar_puf\bootimage\keys\psk0.pem
	[sskfile] C:\Xilinx\workspace\foobar\foobar.sdk\foobar_puf\bootimage\keys\ssk0.pem
	[auth_params] spk_id = 0; ppk_select = 0
	[aeskeyfile] C:\Xilinx\workspace\foobar\foobar.sdk\foobar_puf\bootimage\keys\multiple_keys.nky
	[keysrc_encryption] efuse_blk_key
	[bh_key_iv]  C:\Xilinx\workspace\foobar\foobar.sdk\foobar_puf\bootimage\keys\puf_iv.txt
	[fsbl_config] puf4kmode, shutter = 0x0100005E, opt_key
	[bootloader, destination_cpu=a53-0, encryption = aes, authentication = rsa] C:\Xilinx\workspace\foobar\foobar.sdk\foobar_fsbl\Debug\foobar_fsbl.elf
	[encryption = aes, authentication = rsa, destination_device = pl] C:\Xilinx\workspace\foobar\foobar.sdk\top_level_hw_platform_0\top_level.bit
	[encryption = aes, authentication = rsa, destination_cpu = a53-0] C:\Xilinx\workspace\foobar\foobar.sdk\foobar\Debug\foobar.elf
}

I noticed that the above failure occurs (with bootROM error code 0x80003949) when I do NOT have RSA_EN blown (both the PPK0 efuse hash and BLACK efuse value are programmed). If I program RSA_EN then it boots. I had thought that programming the PPK0 efuse hash and using RSA authentication on the image would be sufficient to enable the PUF KEK to decrypt the BLACK key and decrypt the image, but apparently RSA_EN needs to be set as well.

Is there a more complete list of BootROM error codes somewhere that includes error code 0x39 (or 0x3C, 0x3F, or others missing from Table 11-9 in the current UG1085)?

Take care.

  Jim

Yes RSA_EN must be programmed to enforced authentication OR you can try the attribute bh_auth_enable in the header. See bootgen guide for more details.

Sorry the public error codes are in UG1085 and I don't have any other list I can share.