The following link provides necessary background information about loading partial or full bitstream from Linux.
Additional details to load secure bitstream are going to be mentioned here.

This page explains about programming secure bitstream using XILFPGA

Supported features are:
    • Encrypted Bitstream loading with user key.
    • Authenticated Bitstream loading.
    • Authenticated and Encrypted Bitstream loading.

Unsupported features:
    • Encrypted only Bitstream loading with device key.
    • Authentication of only headers.


  • Build PMUFW by enabling secure mode
    goto pmufw Modify BSP's Settings → select xilfpga → Enable secure_ mode.external image image2018-3-7_15-4-57.png?version=1&modificationDate=1529928737164&api=v2
    Figure 1
  • To use device key either BBRAM/EFUSE key please follow the steps mentioned at ZynqMP security#Pre-requisites.1
  • To use authentication please follow the steps mentioned at ZynqMP security#Pre-requisites


Bitstream can be authenticated using OCM internal memory or by trusting external memory DDR, Xilinx recommends to use OCM memory to authenticate the bitstream which is more secure.
To authenticate bitstream using OCM, available OCM start address should be provided at bsp settings which is shown in second row of figure 1, for authentication of bitstream using internal memory requires 63KB of buffer, by default XilFPGA uses 0xfffc0000 address, in this case warm restart this address may not work as XilFPGA corrupts the 64 KB memory of OCM(where FSBL uses 0xfffc0000 as start address). To have warm restart feature as well please provide the free OCM memory which is not been using by FSBL or ATF. While providing OCM address to XILFPGA it should not overlap with the memory used by ATF.
To authenticate bitstream using DDR no need to provide any start address XilFPGA authenticates the bitstream directly from source address(.bin) provided by user.
  • Create a .bin using bootgen
    We have two options of PPK in eFUSE can select the valid PPK by providing correct input( ppk_select) in bif.
sample bifs:
    1. When SPK is selected as SPK efuse
      arch = zynqmp; split = false; format = BIN
      [auth_params] ppk_select=0
      [authentication = rsa,
      spk_select = spk-efuse,
      sskfile = SSK.pem]system.bit
    2. When SPK is selected as User efuse
      arch = zynqmp; split = false; format = BIN
      [auth_params] ppk_select=1
      [authentication = rsa,
      spk_select = user-efuse,
      sskfile = SSK.pem]system.bit

Note: When RSA is not enabled in efuse, for authentication of bitstream for development purpose one can use boot header authentication this is not recommended for field as it skips PPK and SPK eFUSE verification.
To enable boot header authentication add "[fsbl_config]bh_auth_enable" field to the above bif.


Bitstream can either be decrypted using device key or KUP key (key should be provided externally)
For more information of decryption support in ZynqMP please refer to ZynqMP security#Decryption
Pre-requisites for decryption of bitstream can be find at ZynqMP security#Pre-requisites.1
  • Create a encrypted bitstream image (.bin) using bootgen
    Sample bif for encryption
    1. Where it selects the KUP key as source and also enabled key rolling by opting blocks option.
      arch = zynqmp; split = false; format = BIN

      [encryption = aes, blocks = 1024(10)]system.bit
    2. Where it selects device key BBRAM red key as source and also authentication is enabled along with encryption
      arch = zynqmp; split = false; format = BIN
    • [keysrc_encryption] bbram_red_key

    • [

[sskfile] secondary_4096.pem
[auth_params] ppk_select=1; spk_id=0x12345678
[encryption = aes, authentication = rsa]system.bit
Note: There are different options for choosing key source please refer to the section ZynqMP security#Keysources
Decryption of bitstream with Device key is possible only when authentication is enabled, but for KUP key authentication is not compulsory

Steps to load secure bitstream from Linux

    • After creating encrypted and/or authenticated bitstream (.bin) using bootgen
    • Please follow the steps mentioned
      • To load encrypted bitstream with KUP key extra step required is loading key prior to .bin
        echo 2584B3F7844A0A0AECD36F0E511DA724E38492277D71192462AFC6975936EED0 > /sys/class/fpga_manager/fpga0/key
      • Flags for secure bitstream will be as below

      • || 0x1 || Partial bitstream ||
      • || 0x2 || Authentication using DDR ||
      • || 0x4 || Authentication using OCM ||
      • || 0x8 || Encryption using User(KUP) key ||
      • || 0x10 || Encryption using Device key ||
For example to load encrypted bitstream using KUP key and authenticate the bitstream using DDR the flags to be set are 0x8 OR with 0x2 which is 0xA
      • ORing of above flags gives proper flag value to be set while loading bitstream from Linux.