02-12-2019 11:38 AM
I have a question about AES-GCM bitstream encryption support for the Zynq UltraScale+.
I understand that Zynq has a PS-PL that requires a special method for configuring the PL from the PS. Therefore, the Vivado GUI does not support generating an encrypted bitstream targeted for the Zynq.
Furthermore, I understand that the stand-alone application Bootgen is used for generating an encrypted bitstream file for the Zynq.
According to page 38 of the Bootgen User Guide UG1283 (v2018.2), there is a command line option "encryption" that has the following description:
"Specifies the partition to be encrypted. Encryption algorithms are: zynq uses AES-CBC, and zynqmp uses AES-GCM."
For the Zynq UltraScale+, Bootgen didn’t work with an AES-GCM nky file. It only worked with an AES-CBC-HMAC nky file.
I am using Vivado version 2018.1 which is earlier than the version of the Bootgen manual. Do I need to upgrade to version 2018.2 in order to get AES-GCM support on the ZynqMP?
Or is there some other way I can get the AES-GCM bitstream encryption for the ZynqMP?
Thanks for your help!
02-15-2019 02:53 PM
As far as I know the nky format doesn't need to know the AES type.
Can you share the file that gives you problems in MPSoC?
02-19-2019 07:40 AM
The NKY key file may not know the AES type, but for some reason it is not working for us when we try to use AES-GCM.
See the description below of the problem from the software engineer on my project.
Do you see any reason why the NKY file would not work for AES-GCM for generating a bitsream file when it worked fine for a BOOT.BIN file?
"The NKY key file specifies the device key. Using bootgen (2018.1), the error I receive indicates bootgen does not understand the NKY file format I provide when using it to encrypt a PL bitstream. I have used this NKY format for generating a secure BOOT.BIN image with AES-GCM encryption so I know it works. In fact, I used bootgen (2018.1) to generate this NKY file for me to use for secure boot (AES-GCM encryption). Therefore, I know that this NKY file has the correct AES-GCM format. Unfortunately, the bootgen source code is not available so I cannot look for myself and figure out what format the NKY file should be in when using it to encrypt a PL bitstream.
The AES-GCM NKY file I tried to use (not actual data values):
Key 0 0123456789012345678901234567890123456789012345678901234567890123;
IV 0 6F33837E1A4E1BB65A2D93B5;
However, here is an experiment I did:
Using bootgen 2018.1, when attempting to encrypt a PL bitstream, if the developer does not provide an NKY file, then bootgen will generate one for you. When I tried this method, the NKY file format generated by bootgen was based on AES-CBC-HMAC. I then took this new NKY file and used it as my NKY file to encrypt the PL bitstream and it seemed to work as there were no errors.
The AES-CBC-HMAC NKY file that worked looks something like this (not actual data values):
Key 0 12345678ABCDDCBA12345678ABCDDCBA12345678ABCDDCBA12345678ABCDDCBA;
Key StartCBC 7115e9aa80085ea3ed65d26d3a8ab608;
Key HMAC d293d51c6058430262b05521f8f67279c9abce27d5fcafcf839bbe1af46713cc;"
02-21-2019 09:17 AM
Are you sure you specificed the "-arch zynqmp" in the bootgen comamnd that generated that .nky file?
02-25-2019 08:06 AM
Actually, the command looked like this:
`bootgen –arch fpga –p zynqmp –image secure-pl.bif –w –o secure.bit –log trace`
`bootgen –arch fpga –p zcu9eg –image secure-pl.bif –w –o secure.bit –log trace`
It would be nice if you can verify the instructions on page 81 of UG1283 for the Ultrascale+ and let me know exactly what to use in Vivado version 2018.1.
02-26-2019 08:55 AM
For MPSoC you must be using "-arch zynqmp".
In the bootgen guide you should look at "Encrypting Zynq MPSoC Device Partitions" at page 49.
Chapter 6 is for FPGAs, not for SoCs.
02-26-2019 02:03 PM
Page 49 references how to encrypt a partition, but I would like to encrypt a bitstream that will be used for configuring the PL. Is there a way to use "Bootgen" to generate such an encrypted bitstream?
02-27-2019 10:27 AM
How do you intend to load this encrypted bitstream?
In MPSoC you cannot load such a encrypted bitstream usign JTAG so you must need SW to load it.
This page gives some examples:
As long as your bif is correct you need this simple bootgen comamnd to create the image:
bootgen -image Data.bif -w -o Output.bin -arch zynqmp