Introduction

The LibXilSecure library provides APIs to access secure hardware for encrypting and decrypting data with the AES-GCM algorithm and for generating a hash of the input data. SHA-3 hashes are generated using the SHA hardware, and SHA-2 hashes are generated using a software algorithm. The library also supports asymmetric encryption and decryption using the RSA hardware accelerator.

How to enable


The xilsecure library can be found at
https://github.com/Xilinx/embeddedsw/tree/master/lib/sw_services/xilsecure

xilsecure
|
- data - Provides the API and data structure details
|
- src - Driver source files which are further organised into
|
- examples - Contains example applications demonstrating the use of xilsecure library

Features Supported

  • SHA
    • SHA3
      • Hash of 384 bit output using SHA-3 hardware engine.
      • Uses NIST SHA3 padding by default.
      • The user can select Keccak SHA3 padding by calling the XSecure_Sha3PadSelection() API after XSecure_Sha3Initialize().
    • SHA2
      • Hash of 256 bit output using SHA-2 software algorithm.
  • AES-GCM
    • Encryption or decryption of the data is done using the AES engine.
    • Operation using the KUP or device key (256 bit) and an IV (96 bit).
    • Encryption and decryption of word-aligned data.
      • During encryption, the GCM tag is appended to the encrypted data.
      • During decryption, the GCM tag is checked for a match (the GCM tag must be provided explicitly).
    • Decryption of a boot image partition (created by bootgen, provided by Xilinx)
      • Supports operational key.
      • Support for key rolling enabled partition.
      • Checks for GCM tag matching.
  • RSA hardware accelerator
    • Supports RSA-4096 and RSA-2048 key sizes
    • RSA encryption with public key; padding must be handled by the application
    • RSA decryption with private key; padding must be handled by the application
    • Inputs are key parameters modulus, exponent and exponentiation values.

Features not supported

AES-GCM
  • AES encryption with key rolling and chunking
  • Supports only word aligned data and each update should not be more than 512MB
SHA3
  • Supports only word aligned data and each update should not be more than 512MB

RSA
  • RSA 3072

Test Cases:

Examples illustrating xilsecure usage can be found at
https://github.com/Xilinx/embeddedsw/tree/master/lib/sw_services/xilsecure/examples

Documentation:

For more details, please refer to the library documentation:
https://github.com/Xilinx/embeddedsw/blob/master/lib/sw_services/xilsecure/doc/xilsecure.pdf

Changelog

2016.3

  • Provided SHA2 hash support, and also an example to illustrate the SHA2 hash generation

2017.1

  • Xilsecure now supports the PMU.
  • Added comments with .nky fields for the AES encryption example.
  • Provided generic APIs for encryption and decryption of data.
  • The exponential value can also be calculated internally during RSA decryption; for this, the user needs to pass a NULL pointer.
  • Modified the AES APIs so that data passed to the APIs must be in little-endian format.

2017.2

  • Added new version and modified pre-compiled binary file to support hard floating point.

2017.3

  • Added RSA APIs for private key decryption.
  • Added support for RSA-2048 key size.

2017.4

  • None

2018.1

  • Added support for NIST SHA3 padding.
  • Added API to select NIST/KECCAK SHA3 padding of choice
  • Modified XSecure_AesDecrypt() API to fix Secure key and IV vulnerabilities.