UPGRADE YOUR BROWSER

We have detected your current browser version is not the latest one. Xilinx.com uses the latest web technologies to bring you the best online experience possible. Please upgrade to a Xilinx.com supported browser:Chrome, Firefox, Internet Explorer 11, Safari. Thank you!

cancel
Showing results for 
Search instead for 
Did you mean: 
Observer dtyree_nam
Observer
202 Views
Registered: ‎02-19-2019

zynqmp uboot secure boot with image.ub

Jump to solution

I have the RSA and AES efuses programmed and trying to load a linux kernel/initramfs through uboot. When I run:

ZynqMP> fatload  mmc 0:1 0x10000000 image.bin
reading image.bin
12598784 bytes read in 814 ms (14.8 MiB/s)
ZynqMP> zynqmp secure 0x10000000  12598784  
Failed: secure op status:0x3416

I get an error code from the PMU that appears to be a bitfield with no map. How can I parse this into a readable error?

I’ve attached the bif files used to generate the images. I could use a little advice as to what needs to be done to use the KUP key in the second bin file.  Where does uboot get the kup key / address used by the zynqmp secure command?

0 Kudos
1 Solution

Accepted Solutions
Highlighted
Observer dtyree_nam
Observer
148 Views
Registered: ‎02-19-2019

Re: zynqmp uboot secure boot with image.ub

Jump to solution

Got it to work with the KUP key. Still no joy with the Efuse red key, but good enough to continue. 

ZynqMP> fatload  mmc 0:1 0x30000000 image.bin
reading image.bin
12598784 bytes read in 813 ms (14.8 MiB/s)
ZynqMP> zynqmp secure 0x30000000  12598784  0x1f000024  
Verified image at 0x30002800
ZynqMP> bootm 0x30002800

The attached bif files generate a valid bootable chain with KUP at 0x1f000024. 

generation command:

 1572  bootgen -image ./bifs/bootgen_enc.bif -arch zynqmp -generate_hashes -p xczu3eg -efuseppkbits perm/efusefile.txt -o BOOT.BIN -w -encrypt efuse -log trace
 1573  bootgen -image ./bifs/imagegen_enc.bif -arch zynqmp  -w -o image.bin  -p xczu3eg  -arch zynqmp   -log trace   -encrypt efuse
0 Kudos
3 Replies
Moderator
Moderator
171 Views
Registered: ‎06-27-2017

Re: zynqmp uboot secure boot with image.ub

Jump to solution

Hi @dtyree_nam ,

Usage:
zynqmp secure src len [key_addr] - verifies secure images of $len bytes
long at address $src. Optional key_addr
can be specified if user key needs to
be used for decryption.

Can you please give the length of the image in HEX bytes and also if you want to give the KUP key then 

copy the key to some .txt file and provide the DDR address as 3rd parameter.

 

Best Regards
Kranthi
--------------------------
Don't forget to reply, kudo, and accept as solution.
0 Kudos
Observer dtyree_nam
Observer
158 Views
Registered: ‎02-19-2019

Re: zynqmp uboot secure boot with image.ub

Jump to solution

Same file... this time with hex parameter as load legnth

ZynqMP> fatload  mmc 0:1 0x10000000 image.bin
reading image.bin
12598784 bytes read in 814 ms (14.8 MiB/s)
ZynqMP> zynqmp secure 0x10000000  0xC03e00   
Failed: secure op status:0x3416
ZynqMP>   

Still does not work with the files generated from the above biffs. Not using KUP at the moment. What is / where can I find the error code?

0 Kudos
Highlighted
Observer dtyree_nam
Observer
149 Views
Registered: ‎02-19-2019

Re: zynqmp uboot secure boot with image.ub

Jump to solution

Got it to work with the KUP key. Still no joy with the Efuse red key, but good enough to continue. 

ZynqMP> fatload  mmc 0:1 0x30000000 image.bin
reading image.bin
12598784 bytes read in 813 ms (14.8 MiB/s)
ZynqMP> zynqmp secure 0x30000000  12598784  0x1f000024  
Verified image at 0x30002800
ZynqMP> bootm 0x30002800

The attached bif files generate a valid bootable chain with KUP at 0x1f000024. 

generation command:

 1572  bootgen -image ./bifs/bootgen_enc.bif -arch zynqmp -generate_hashes -p xczu3eg -efuseppkbits perm/efusefile.txt -o BOOT.BIN -w -encrypt efuse -log trace
 1573  bootgen -image ./bifs/imagegen_enc.bif -arch zynqmp  -w -o image.bin  -p xczu3eg  -arch zynqmp   -log trace   -encrypt efuse
0 Kudos