10-29-2020 02:41 PM
I have a boot.bin image that is not booting when the partitions are both AES encrypted and RSA authenticated. The procedure used is based off of XAPP1319, the section on eFUSE AES and RSA functions. Using the 2019.1 SDK, the AES red key and PPK hash were written into the eFUSE of the device (Device = xczu3egsfvc784). Vivado and SDK version is 2019.1. The boot.bin file is generated on a Linux OS system.
The AES keys all have the same Key 0 and IV 0 values. They all have different Key 1, IV 1 values. aes1.nky contains multiple unique keys and IV values.
Reference material is: XAPP1319, UG1209, xilskey.pdf, ug570, XAPP1344.
These were set to true in the .h file and nothing else.
XSK_EFUSEPS_WRITE_AES_KEY
XSK_EFUSEPS_WRITE_PPK0_HASH
XSK_EFUSEPS_WRITE_PPK1_HASH
The device still operates with boot.bin not encrypted and no authentication in boot.bin files for my application. The device operates normally and boots as expected when the FSBL and bitstream are AES encrypted but no authentication for my application. The device loads and operates normally with the "Hello World" app depicted in xapp1319 when encrypted and authenticated and operates normally.
When I use authentication and encryption on my application and bitstream it fails at what seems to be just after the FSBL load.
Below is the Linux script that is run to produce the boot.bin file:
Here is the example of the script to build the bif file that performs both AES and RSA.
--------------------------------------------------------
bifFile=efuseBootAll.bif
# Remove any stale .bif file before regenerating it.
if test -f "./$bifFile" ; then
rm "./$bifFile"
echo "removing $bifFile file."
fi
echo 'rebuilding .bif file.'
echo '
// this is from https://www.xilinx.com/html_docs/xilinx2020_1/vitis_doc/boottimesecurity.html//gez1533592770579
//arch = zynqmp; split = false; format = BIN
all:
{
[pskfile]psk0.pem
[sskfile]ssk0.pem
[auth_params]spk_id = 0; ppk_select = 0
[keysrc_encryption] efuse_red_key
[fsbl_config] a53_x64
[bootloader, destination_cpu=a53-0, encryption=aes, aeskeyfile=aes0.nky, authentication=rsa] fsbl.elf
// [pmufw_image] pmufw.elf
[destination_cpu=pmu, encryption = aes, authentication=rsa] pmufw.elf
[destination_device=pl, encryption=aes, aeskeyfile=aes1.nky, authentication=rsa] system.bit
[destination_cpu=a53-0, exception_level=el-3, trustzone=secure] bl31.elf
[destination_cpu=a53-0, exception_level=el-2] u-boot.elf
}' > $bifFile
bootgen -arch zynqmp -image $bifFile -o final.bin -w on -log error
bootgen -arch zynqmp -verify final.bin
cp final.bin BOOT.bin
This is the output of the console when both RSA and AES are used in boot.bin:
Release 2019.1 Oct 28 2020 - 15:18:52
Reset Mode : System Reset
Platform: Silicon (4.0), Cluster ID 0x80000000
Running on A53-0 (64-bit) Processor, Device Name: XCZU3EG
Processor Initialization Done
================= In Stage 2 ============
SD0 Boot Mode
SD: rc= 0
File name is BOOT.BIN
Multiboot Reg : 0x0
Image Header Table Offset 0x8C0
*****Image Header Table Details********
Boot Gen Ver: 0x1020000
No of Partitions: 0x7
Partition Header Address: 0x440
Partition Present Device: 0x0
Initialization Success
======= In Stage 3, Partition No:1 =======
UnEncrypted data Length: 0x5C5D
Data word offset: 0x5C7D
Total Data word length: 0x6030
Destination Load Address: 0xFFDC0000
Execution Address: 0xFFDCFF70
Data word offset: 0x8AC0
Partition Attributes: 0x88BE
Aes initialized
Authentication Enabled
Auth: Partition Offset FFDC0000, PartitionLen 180C0, AcOffset FFFDF910, HashLen 30
XFsbl_SpkVer: Ppk Mod FFFDF440, Ppk Mod Ex FFFDF640, Ppk Exp 0
Ppk Modular START
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Ppk Modular END
Ppk ModularEx START
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Ppk ModularEx END
Ppk Exp = 0
XFsbl_SpkVer: XFSBL_ERROR_SPK_RSA_DECRYPT
Partition 1 Load Failed, 0x2F
================= In Stage Err ============
Fsbl Error Status: 0x0
----------------------------
10-29-2020 03:46 PM
Breakdown of what works and what does not work:
The board is not bricked. Prior to burning the eFuse it worked when using BBRAM for AES (with and without DPA) and also using boot header authorization. Booted just fine. I tested all configurations: none, AES only, Authentication only, AES + Authentication, AES + Authentication + DPA. Once all these worked I burned the EFUSE and that failed when both Auth + AES were used. AES only seems to work. Auth only seems to work without a bitstream, on the hello world example.
All the above used the same application (except hello world example) and same keys.
11-02-2020 08:55 AM
Hi @leonard ,
This is expected when the RSA_EN efuse is not programmed. Please take a look at AR: https://www.xilinx.com/support/answers/68391.html
The device is expected to work properly after programming the RSA_EN efuse.
Best Regards,
Srikanth
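
An added example, not part of the original posts and not Xilinx code: a shell/awk helper that triages an FSBL debug log for the pattern shown in the first post, an all-zero "Ppk Modular" dump followed by XFSBL_ERROR_SPK_RSA_DECRYPT. It assumes the log format quoted above; the names `sample_log` and `triage_fsbl_log` are hypothetical and the sample input is constructed.

```shell
#!/bin/sh
# Added example: triage an FSBL debug log for the failure seen in this thread.
# Assumes the log format quoted in the first post.

# Constructed sample, abbreviated from that log.
sample_log() {
cat <<'EOF'
Authentication Enabled
XFsbl_SpkVer: Ppk Mod FFFDF440, Ppk Mod Ex FFFDF640, Ppk Exp 0
Ppk Modular START
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Ppk Modular END
Ppk ModularEx START
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Ppk ModularEx END
Ppk Exp = 0
XFsbl_SpkVer: XFSBL_ERROR_SPK_RSA_DECRYPT
Partition 1 Load Failed, 0x2F
EOF
}

# Reads a log on stdin and prints key=value findings, one per line.
triage_fsbl_log() {
  awk '
    /^Ppk Modular START/ { in_mod = 1; rows = 0; nonzero = 0; next }
    /^Ppk Modular END/   { in_mod = 0; seen_mod = 1; next }
    in_mod {                      # inside the PPK modulus hex dump
      rows++
      for (i = 1; i <= NF; i++) if ($i !~ /^0+$/) nonzero++
      next
    }
    /^Authentication Enabled/ { auth = 1 }
    /XFSBL_ERROR_[A-Z0-9_]+/ {    # keep the last FSBL error name seen
      match($0, /XFSBL_ERROR_[A-Z0-9_]+/); err = substr($0, RSTART, RLENGTH)
    }
    /^Partition [0-9]+ Load Failed/ { part = $2; code = $NF }
    END {
      print "auth_enabled=" (auth ? "yes" : "no")
      if (!seen_mod)         print "ppk_modulus=absent"
      else if (rows == 0)    print "ppk_modulus=empty"
      else if (nonzero == 0) print "ppk_modulus=all_zero"
      else                   print "ppk_modulus=nonzero"
      print "error=" (err == "" ? "none" : err)
      print "failed_partition=" (part == "" ? "none" : part)
      print "failure_code=" (code == "" ? "none" : code)
    }'
}

sample_log | triage_fsbl_log
```

To check a captured console log instead of the sample, run `triage_fsbl_log < fsbl_console.log` (hypothetical file name).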