U-Boot for Zynq can authenticate and decrypt bitstreams and images from the command line. Both the zynqrsa and zynqaes commands operate on an image that is already in DDR memory, so the image can be loaded from a wide variety of sources (flash memory, a TFTP server, ...).

The images have to be generated using bootgen with proper authentication and encryption keys.

U-Boot configuration

This feature is disabled in the default U-Boot/PetaLinux configurations, so both CONFIG_CMD_ZYNQ_RSA and CONFIG_CMD_ZYNQ_AES need to be enabled in the U-Boot configuration file.
zynqaes - Zynq AES decryption
zynqaes zynqaes [operation type] <srcaddr> <srclen> <dstaddr> <dstlen>  -
Decrypts the encrypted image present in source address
and places the decrypted image at destination address
zynqaes operations:
   zynqaes <srcaddr> <srclen> <dstaddr> <dstlen>
   zynqaes load <srcaddr> <srclen>
   zynqaes loadp <srcaddr> <srclen>
if operation type is load or loadp, it loads the encrypted
full or partial bitstream on to PL respectively. If no valid
operation type specified then it loads decrypted image back
to memory and it doesnt support loading PL bistsream
Zynq> zynqrsa
zynqrsa - Zynq RSA verfication
zynqrsa zynqrsa <baseaddr>  - Verifies the authenticated and encrypted zynq images

Loading authenticated/encrypted bitstream

Encrypted bitstream

Create a BIF file describing the encrypted bitstream, then run bootgen on it to generate the bitstream (the top-level label, image here, is an arbitrary name).
image: {
   [aeskeyfile] key.nky
   [encryption = aes] download.bit
}
bootgen -image bitstream.bif -arch zynq -process_bitstream bin -encrypt efuse
Boot into U-Boot and use the zynqaes command to load the encrypted bitstream:
Zynq> fatload mmc 0 1000000 download.bit.bin
reading download.bit.bin
4044652 bytes read in 234 ms (16.5 MiB/s)
Zynq> zynqaes load 1000000 ${filesize}
zynq_decrypt_load: FPGA config done
Note: this feature does not work with eFUSE-stored keys in U-Boot releases below 2018.1.

Authenticated bitstream

Content under development

Loading authenticated/encrypted images

Encrypted images

Create a BIF file describing the encrypted image, then run bootgen on it to generate the image (the top-level label, image here, is an arbitrary name). The -split option is required so that bootgen produces the encrypted image without a boot header: the dummy partition then includes the boot header, and the image is split out in encrypted form.
image: {
   [aeskeyfile] key.nky
   [bootloader, encryption=aes] zynq_fsbl.elf
   [encryption = aes] image.ub
}
bootgen -w -image images.bif -arch zynq -o images.bin -encrypt efuse -split bin
Boot into U-Boot and use the zynqaes command to decrypt the encrypted image:
Zynq> fatload mmc 0 0x1000000 image.ub.bin
reading image.ub.bin
10147564 bytes read in 565 ms (17.1 MiB/s)
Zynq> zynqaes 0x1000000 0x9ad6ec 0x2000000 0x9ad3d0
Note: this feature is not available in the 2018.1 release or earlier.
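
The two decryption steps above chained into one U-Boot script that stops as soon as either step fails, so the board never continues with a bitstream or image that zynqaes rejected. This is an added example, not part of the original page or of U-Boot itself. It assumes fatload and zynqaes return a non-zero status on failure; enc_addr, dec_addr and dec_len are hypothetical variable names, and the file names, addresses and lengths are the ones used on this page.

```uboot
# Added example: fail-closed load of the encrypted bitstream and image.
# Assumption: fatload and zynqaes return non-zero on failure, so each
# "if" gates the next step on the success of the previous one.

# Staging address for encrypted data and destination for the decrypted image
setenv enc_addr 0x1000000
setenv dec_addr 0x2000000
# Decrypted length is build-specific; this is the dstlen of the page's image.ub
setenv dec_len 0x9ad3d0

# Step 1: decrypt the bitstream and configure the PL.
# fatload sets ${filesize} (hex), which is passed as srclen.
if fatload mmc 0 ${enc_addr} download.bit.bin && zynqaes load ${enc_addr} ${filesize}; then
    echo "PL configured from encrypted bitstream"

    # Step 2: decrypt the image back into DDR at dec_addr.
    if fatload mmc 0 ${enc_addr} image.ub.bin && zynqaes ${enc_addr} ${filesize} ${dec_addr} ${dec_len}; then
        echo "image.ub decrypted to ${dec_addr}"
        # Continue the boot flow from dec_addr only inside this branch.
    else
        echo "image decryption failed, stopping"
    fi
else
    # No fallback to an unencrypted bitstream or image.
    echo "bitstream decryption failed, stopping"
fi
```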

Authenticated images

Content under development

