We have detected your current browser version is not the latest one. Xilinx.com uses the latest web technologies to bring you the best online experience possible. Please upgrade to a Xilinx.com supported browser:Chrome, Firefox, Internet Explorer 11, Safari. Thank you!

Showing results for 
Search instead for 
Did you mean: 
Visitor btmaas
Registered: ‎06-26-2013

Issues generating boot.bin for secure boot.

TL:DR then skip to bottom


I am trying to configure secure boot on my zynq zc706 board. Non-secure boot works perfectly fine for me. My non-secure boot.bif file looks like the following:


image : {

    [bootloader] fsbl.elf





For secure boot I had changed it to the following:


image : {


    [bootloader,encryption=aes] fsbl.elf





Then I ran (This is just for testing and so I'm not concerned with key strength right now.):


bootgen -image boot.bif -o i boot.bin -encrypt bbram StartCBC = 404142434445464748494A4B4C4D4E4F Key0 = 404142434445464748494A4B4C4D4E4F404142434445464748494A4B4C4D4E4F HMAC =
404142434445464748494A4B4C4D4E4F404142434445464748494A4B4C4D4E4F secret.nky -qSIWE


The only quasi-useful message received was, "child process exited abnormally". Wow! Real helpful bootgen! I think it is also worth noting that my secret.nky file is empty. I assumed bootgen would populate it. After searching all over the internet, xilinx forums, and xilinx documentation I cannot seem to find any documentation that the describes how the nky file is supposed to be formatted or even a step-by-step guide going through preparation for secure boot. I have only found high level design documents and specifications describing the process. (I have read UG585, UG821, UG585_ch33, WP426 as well)


To the point, I hope someone can answer these questions for me:


1.) Am I doing anything wrong above(barring secure practices). Are there any ideas as to what the problem might be?


2.) Does anyone know how the nky file is supposed to be formatted assuming bootgen doesn't create one?


3.) What does the HMAC field mean here (in either bootgen or SDKs boot tool, same right?) ? Do I provide the key or do I put in an actual HMAC? If it's the HMAC and not the key, then from which image do I generate the HMAC? From what I read, each image has an HMAC so I think this must be the key. Please advise.


Many thanks in advance!

0 Kudos
3 Replies
Registered: ‎09-21-2012

Re: Issues generating boot.bin for secure boot.

Please follow the below procedure.

It will not work for ES device.


Open SDK and create a new FSBL for a ZC706 project
Create an application project (or use the u-boot.elf file provided below)
Create a boot image
Select the FSBL, bit file (if you have one) and the application created in #2 (or U-boot)
Select the Advanced tab
Select Enable Encryption
Add an empty .nky file and add it to the key file (Bootgen will create the key file)
Create the boot image (we will use the binary file for SD)
The nky file needs to be modified for iMPACT
Add on the first line: Device xc7z045;
Turn on the board
Detect the JTAG chain
Program the key file
Close iMPACT
Turn off the board
Rename the binary file created in 3.5 to BOOT.BIN
Place the BOOT.BIN file on the SD card
Insert the SD card on the board
Turn on the board
An indication that the device is in secure mode is that JTAG is disabled. Trying to connect with XMD would fail.
0 Kudos
Visitor btmaas
Registered: ‎06-26-2013

Re: Issues generating boot.bin for secure boot.

Thanks for the response! I have made more progress but would you provide more instructions on using impact to flash the key? I also wish to use bbram and not efuse to store the key.

0 Kudos
Visitor btmaas
Registered: ‎06-26-2013

Re: Issues generating boot.bin for secure boot.

When I opened impact it initialized the device chain but I am not sure how to load the key at this point. It came up with...

[ ] [ ]
zynq7000_arm_dap --------> xc7z045
zynq7000_arm_dap.bsd bypass
0 Kudos