WolfSSL
/
wolfBoot
mirror of https://github.com/wolfSSL/wolfBoot.git
1
0
Fork 0
Code Issues Releases Wiki Activity
wolfBoot/IDE/XilinxSDK
History
David Garske 490286be7d Support for sealing/unseal a secret based on an externally signed PCR policy. 
* Added new `WOLFBOOT_TPM_SEAL` and `WOLFBOOT_TPM_SEAL_NV_BASE` config options.
* Added new `tools/tpm/policy_create` tool for assisting with creation of a policy digest. The sign keytool `--policy=file` signs the policy.
* Added new `WOLFBOOT_TPM_VERIFY` option to enable offloading of the asymmetric verification to the TPM. By default wolfCrypt will be used.
* Added example seal/unseal to update_flash for ARCH_SIM.
* Renamed `WOLFBOOT_TPM_KEYSTORE_NV_INDEX` to `WOLFBOOT_TPM_KEYSTORE_NV_BASE` to support multiple public keys.
* Refactored most TPM code into tpm.c.
* Refactored the keystore ROT to use new `wolfBoot_check_rot` API.
* Refactored the sign keytool to have a sign_digest function to allow signing firmware and policy for sealing/unsealing.
* Fix for make distclean && make using the wrong key tools.
 		2023-09-12 12:26:48 +02:00
..
.cproject Peer review fixes. Fixes for SHA3 and RSA4096 in makefiles. Fixes for Xilinx SDK excludes. Cleanup of the printf to use the built-in facilities (`wolfBoot_printf`). 2020-11-12 10:47:32 +01:00
.project wolfBoot Aarch64 support (Xilinx Zynq and Raspberry Pi): 2020-03-04 12:04:46 -08:00
README.md Support for sealing/unseal a secret based on an externally signed PCR policy. 2023-09-12 12:26:48 +02:00
boot.bif Xilinx Zynq fixes and cleanups. Updated Xilinx SDK instructions for EL-1 / Hypervisor support. Updated the `zynq.ld` script to use 0x4000000 and only DDR0 region. Updated the example BIF files to use EL-1. Fix for cast warnings to `ext_flash_*` API's. 2020-03-30 07:52:07 -07:00
boot_auth.bif Xilinx Zynq fixes and cleanups. Updated Xilinx SDK instructions for EL-1 / Hypervisor support. Updated the `zynq.ld` script to use 0x4000000 and only DDR0 region. Updated the example BIF files to use EL-1. Fix for cast warnings to `ext_flash_*` API's. 2020-03-30 07:52:07 -07:00

README.md

Xilinx SDK wolfBoot Project

To use this example project:

  1. Copy .cproject and .project into the wolfBoot root.
  2. From the Xilinx SDK Import wolfBoot using "Import" -> "Existing Projects into Workspace".

Xilinx SDK BSP

This project uses a BSP named standalone_bsp_0, which must be configured to use "hypervisor guest" in the BSP configuration settings. This will enable the EL-1 support required with Bl31 (ARM Trusted Firmware). The BSP generates a include/bspconfig.h, which should have these defines set:

#define EL1_NONSECURE 1
#define HYP_GUEST 1

Note: This is a generated file from the BSP configurator tool, which is edited by opening the system.mss file.

wolfBoot Configuration

A build settings template for Zynq UltraScale+ can be found here ./config/examples/zynqmp.config. This file can be copied to wolfBoot root as .config for building from the command line. These template settings are also in this .cproject as preprocessor macros. These settings are loaded into the target.h.in template by the wolfBoot make. If not using the built-in make then the following defines will need to be manually created in target.h:

#define WOLFBOOT_SECTOR_SIZE                 0x20000
#define WOLFBOOT_PARTITION_BOOT_ADDRESS      0x800000
#define WOLFBOOT_LOAD_ADDRESS                0x10000000
#define WOLFBOOT_PARTITION_SIZE              0x2A00000
#define WOLFBOOT_PARTITION_UPDATE_ADDRESS    0x3A00000
#define WOLFBOOT_PARTITION_SWAP_ADDRESS      0x63E0000

#define WOLFBOOT_DTS_BOOT_ADDRESS            0x7E0000
#define WOLFBOOT_DTS_UPDATE_ADDRESS          0x39E0000
#define WOLFBOOT_LOAD_DTS_ADDRESS            0x11800000

Note: If not using Position Independent Code (PIC) the linker script ldscript.ld must have the start address offset to match the WOLFBOOT_LOAD_ADDRESS.

Signing Example

make keytools
./tools/keytools/sign --rsa4096 --sha3 ../helloworld/Debug/helloworld.elf ./rsa4096.der 1

Bootgen

Xilinx uses a bootgen tool for generating a boot binary image that has Xilinx headers, which the FSBL (First Stage Boot Loader) understands. See the boot.bif and boot_auth.bif as examples.

  • Use "partition_owner=uboot" to prevent a partition from being loaded into RAM.
  • Use "offset=" option to place the application into a specific location in flash.
  • Use "load=" option to have FSBL load into specific location in RAM.

Adding RSA Authentication

  1. Generate keys:

    • bootgen.exe -generate_keys auth pem -arch zynqmp -image boot.bif

  2. Create hash for primary key:

    • bootgen.exe -image boot.bif -arch zynqmp -w -o i BOOT.BIN -efuseppkbits ppkf_hash.txt

  3. Import example project for programming eFuses:

    • New BSP project (program efuses , ZCU102_hw_platform, standalone, CPU: PSU_cortexa53_0)
    • Goto Xilinx Board Support Packet Settings.
    • Scroll down to Supported Libraries and Check the xiskey library
    • In the system.mss pane, scroll down to Libraries and click Import Examples.
    • Check the xilskey_esfuseps_zynqmp_example

  4. Edit xilskey_efuseps_zynqmp_input.h

    • 433 #define XSK_EFUSEPS_WRITE_PPK0_HASH TRUE
    • 453 #define XSK_EFUSEPS_PPK0_IS_SHA3 TRUE
    • 454 `#define XSK_EFUSEPS_PPK0_HASH "0000000000000000000000000000000000000000000000000000000000000000" /* from ppkf_hash.txt */``

  5. Update boot.bif (see boot_auth.bif)

    [auth_params] ppk_select=0; spk_id=0x00000000
[pskfile] pskf.pem
[sskfile] sskf.pem
authentication=rsa

  6. Build “boot.bin” image:

    • bootgen.exe -image boot.bif -arch zynqmp -o i BOOT.BIN -w

Note: To generate a report of a boot.bin use the bootgen_utility: bootgen_utility -arch zynqmp -bin boot.bin -out boot.bin.txt

References: