
This feature is supported from 2018.1 onwards.


This feature provides support for authentication and/or decryption, at the U-Boot prompt, of a single-partition (non-bitstream) image created by Bootgen.
Note: Images containing multiple partitions are not supported.

u-boot command for loading secure images:

zynqmp secure <srcaddr> <len> [key_addr] - verifies secure images of $len bytes long at address $src. Optional key_addr can be specified if user key needs to be used for decryption

Only Authentication:

  • NOTE: In case of authentication, the system should boot up to U-Boot with an authenticated (secure) BOOT.BIN primary image.
  • If the user wants to use only authentication at U-Boot, then the authenticated image has to be created using a bif as shown in the example below.
    • Create a single partition image to be authenticated at U-Boot.
      Note: If you are providing an elf, please make sure your elf doesn't contain multiple loadable sections. If your elf contains multiple loadable sections, it is the user's responsibility to convert it to .bin format and provide the .bin as input in the bif.
    • example bif:
      //arch = zynqmp; split = false; format = BIN
      the_ROM_image:
      {
      [pskfile]rsa4096_private1.pem
      [sskfile]rsa4096_private2.pem
      [auth_params] ppk_select=1;spk_id=0x12345678
      [authentication = rsa]Data.bin
      }


  • Once the image is generated, download the authenticated image to DDR (in the example below the DDR address is 0x100000).
  • Now, execute the U-Boot command to authenticate the secure image as shown in the snapshot below.
  • Example:
ZynqMP> zynqmp secure 100000 2d000
Verified image at 0x102800

  • U-Boot returns the start address of the actual partition after successful authentication. In case of failure, it prints one of the error codes mentioned in the "Error codes" section below.
  • If the RSA_EN eFUSE is programmed, authentication of the image is compulsory. (Boot header authentication is not supported when the RSA eFUSE is enabled.)

Only Encryption:

  • If the image is only encrypted, there is no support for the device key when authentication is not enabled; only KUP key decryption is supported.
  • The bif to generate an encrypted image is shown below.
    • Create a single partition image to be decrypted at U-Boot. If encryption is enabled and a load address exists in the boot image, the decrypted image will be loaded at the specified load address; if no load address exists, the actual partition will be overwritten in place.
      Note: If you are providing an elf, please make sure your elf doesn't contain multiple loadable sections.
    • example bif for using KUP key:
      //arch = zynqmp; split = false; format = BIN
      the_ROM_image:
      {
      [aeskeyfile]aes.nky
      [keysrc_encryption]kup_key
      [encryption = aes,blocks = 1024;256(4), load=0x200000]BOOT.bin
      }


  • Once the image is generated, download the encrypted image to DDR.
  • Now, execute the same "zynqmp secure" command with the proper arguments.
  • In case of decryption, one can specify the load address in the bif as [encryption = aes,blocks = 1024;256(4), load=0x200000]BOOT.bin
    The decrypted partition will then be placed at the specified load address, and U-Boot prints that address (0x200000 in this example) on the console.
  • If the user is using a KUP key, the KUP key also has to be downloaded to some address, and the U-Boot command is then as follows:
  • zynqmp secure <DDRaddress> <size> <KUP key address>


Authentication + Encryption:

  • The device key is supported only when authentication is enabled.
  • Supports both KUP and device key decryption.
  • In case of decryption with the device key, the system should boot up to U-Boot using a BOOT.BIN which is encrypted with the device key (eFUSE/BBRAM).
  • example bif for using BBRAM key: the same key source that is used in the primary boot image (BOOT.bin) should be selected in the bif below.
      //arch = zynqmp; split = false; format = BIN
      the_ROM_image:
      {
      [pskfile]rsa4096_private1.pem
      [sskfile]rsa4096_private1.pem
      [aeskeyfile]aes.nky
      [keysrc_encryption]bbram_red_key
      [auth_params] ppk_select=0;spk_id=0x12345678
      [encryption = aes,blocks = 1024;256(4), authentication = rsa, load=0xF0400000]Data.bin
      }


NOTE:
  • If ENC_ONLY eFUSE is programmed, the partition should be in encrypted format.
  • Bootgen and Software components should be from 2018.1 release only.
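Before handing an image to "zynqmp secure" it is worth checking, on the host, that Bootgen produced what the three cases above require: exactly one partition, the authentication and encryption attributes set as intended, and a key source that matches the eFUSE configuration. The following Python script is an added example, not part of this page or of the Xilinx tools. It parses the ZynqMP boot header and partition header table using the field offsets and attribute bit masks from UG1085 and the FSBL's xfsbl_hw.h (XIH_PH_ATTRB_RSA_SIGNATURE_MASK, XIH_PH_ATTRB_ENCRYPTION_MASK, the partition-owner field, and the EFUSE_KEY/BBRAM_KEY encryption-status values), which the reader should confirm against their own tool version. The sample image it inspects is constructed in the script itself; build_test_image, inspect_image and check_policy are names chosen here. Given the DDR address the image was downloaded to, it also computes the partition start that U-Boot reports after a successful "zynqmp secure" and prints the matching command line.

```python
"""Sanity-check a single-partition ZynqMP boot image before 'zynqmp secure' (added example)."""
import struct

# Boot header field offsets (ZynqMP boot header, UG1085 / xfsbl_hw.h).
BH_IMAGE_IDENT = 0x24          # u32 "XNLX"
BH_ENC_STATUS = 0x28           # u32 encryption status / key source
BH_PHT_OFFSET = 0x9C           # u32 byte offset of the partition header table
IMAGE_IDENT = 0x584C4E58       # bytes "XNLX" read as a little-endian u32

# Encryption-status values for the two device keys (EFUSE_KEY / BBRAM_KEY in xfsbl_hw.h).
ENC_STATUS = {0x00000000: "none", 0xA5C3C5A3: "efuse_red_key", 0x3A5C3C5A: "bbram_red_key"}

# Partition attribute bits (XIH_PH_ATTRB_* in xfsbl_hw.h); assumed correct for 2018.1 images.
ATTR_OWNER_MASK = 0x30000
ATTR_OWNER_UBOOT = 0x10000
ATTR_RSA_SIGNATURE = 0x8000
ATTR_ENCRYPTION = 0x80


def parse_partition_header(blob, off):
    """Decode one 64-byte partition header; word 15 is ~(sum of words 0..14)."""
    w = struct.unpack_from("<16I", blob, off)
    if w[15] != (~sum(w[:15])) & 0xFFFFFFFF:
        raise ValueError("partition header checksum mismatch at 0x%x" % off)
    return {
        "total_words": w[2],
        "next_ph_off": w[3] * 4,          # 0 for the last partition header
        "load_addr": w[6] | (w[7] << 32),
        "data_offset": w[8] * 4,          # partition data offset within the image
        "attributes": w[9],
    }


def inspect_image(blob, ddr_base):
    """Summarise the security attributes of the image as downloaded to ddr_base."""
    ident, enc_status = struct.unpack_from("<II", blob, BH_IMAGE_IDENT)
    if ident != IMAGE_IDENT:
        raise ValueError("not a Xilinx boot image (XNLX identifier missing)")
    pht = struct.unpack_from("<I", blob, BH_PHT_OFFSET)[0]
    first = parse_partition_header(blob, pht)
    count, nxt = 1, first["next_ph_off"]
    while nxt:                            # walk the header chain to count partitions
        count += 1
        nxt = parse_partition_header(blob, nxt)["next_ph_off"]
    attr = first["attributes"]
    return {
        "partition_count": count,
        "key_source": ENC_STATUS.get(enc_status, "other(0x%08x)" % enc_status),
        "authenticated": bool(attr & ATTR_RSA_SIGNATURE),
        "encrypted": bool(attr & ATTR_ENCRYPTION),
        "uboot_owned": (attr & ATTR_OWNER_MASK) == ATTR_OWNER_UBOOT,
        "load_addr": first["load_addr"],
        "partition_addr": ddr_base + first["data_offset"],  # what U-Boot prints on success
    }


def check_policy(info, rsa_en_efuse=False, enc_only_efuse=False):
    """Return the reasons 'zynqmp secure' would be expected to reject this image."""
    problems = []
    if info["partition_count"] != 1:
        problems.append("multiple partitions are not supported by zynqmp secure")
    if rsa_en_efuse and not info["authenticated"]:
        problems.append("RSA_EN eFUSE programmed: image must be authenticated")
    if enc_only_efuse and not info["encrypted"]:
        problems.append("ENC_ONLY eFUSE programmed: partition must be encrypted")
    if info["encrypted"] and not info["authenticated"] and info["key_source"] != "none":
        problems.append("device key requires authentication; use a KUP key instead")
    return problems


def uboot_command(ddr_base, length, kup_key_addr=None):
    """Build the U-Boot command line (addresses and sizes are hex on the U-Boot prompt)."""
    cmd = "zynqmp secure %x %x" % (ddr_base, length)
    return cmd if kup_key_addr is None else cmd + " %x" % kup_key_addr


def build_test_image(attributes, load_addr=0, enc_status=0, data_offset=0x2800):
    """Constructed sample image: boot header, one partition header, 64 bytes of data."""
    pht_off = 0x900                        # arbitrary position after the boot header
    data = bytes(range(64))
    img = bytearray(data_offset + len(data))
    struct.pack_into("<II", img, BH_IMAGE_IDENT, IMAGE_IDENT, enc_status)
    struct.pack_into("<I", img, BH_PHT_OFFSET, pht_off)
    n = len(data) // 4
    words = [n, n, n, 0, load_addr & 0xFFFFFFFF, load_addr >> 32,
             load_addr & 0xFFFFFFFF, load_addr >> 32, data_offset // 4,
             attributes, 1, 0, 0, 0, 0]
    words.append((~sum(words)) & 0xFFFFFFFF)  # header checksum
    struct.pack_into("<16I", img, pht_off, *words)
    img[data_offset:] = data
    return bytes(img)


if __name__ == "__main__":
    img = build_test_image(ATTR_OWNER_UBOOT | ATTR_RSA_SIGNATURE)
    info = inspect_image(img, 0x100000)
    print(info, check_policy(info, rsa_en_efuse=True))
    print(uboot_command(0x100000, len(img)))
```

The authenticated-only sample reproduces the console output above: with the image at 0x100000 and partition data at offset 0x2800, partition_addr is 0x102800. Pass a real Bootgen output (read as bytes) to inspect_image to check it the same way.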

Bootgen usage:

bootgen -image Data.bif -w -o Output.bin -arch zynqmp

u-boot command for loading secure bitstreams:

"fpga loads [dev] [address] [size] [auth-OCM-0/DDR-1/noauth-2] [enc-devkey(0)/userkey(1)/nenc(2) ] [Userkey address]"

Help:
Loads the secure bitstream (authenticated, encrypted, or both authenticated and encrypted) of [size] bytes from [address]. The auth-OCM/DDR flag specifies whether to perform authentication in OCM or in DDR (0 for OCM, 1 for DDR, 2 for no authentication). The enc flag specifies which key is used for decryption: 0 = device key, 1 = user key, 2 = no encryption. The optional user key address (KUP key address) specifies the address from which the key is read for decryption if the user key (KUP key) is selected.
NOTE: the secure bitstream has to be created using the Xilinx Bootgen tool only.


The secure bitstream image generation is the same as explained above for a secure image, except that the user need not mention any load address in the bif file.