Adventurer
821 Views
Registered: ‎09-12-2007

AES-GCM Bitstream Encryption Support For ZynqMP

I have a question about AES-GCM bitstream encryption support for the Zynq UltraScale+.

I understand that Zynq has a PS-PL that requires a special method for configuring the PL from the PS. Therefore, the Vivado GUI does not support generating an encrypted bitstream targeted for the Zynq.

Furthermore, I understand that the stand-alone application Bootgen is used for generating an encrypted bitstream file for the Zynq.

According to page 38 of the Bootgen User Guide UG1283 (v2018.2), there is a command line option "encryption" that has the following description:
"Specifies the partition to be encrypted. Encryption algorithms are: zynq uses AES-CBC, and zynqmp uses AES-GCM."

For the Zynq UltraScale+, Bootgen didn’t work with an AES-GCM nky file.  It only worked with an AES-CBC-HMAC nky file.

I am using Vivado version 2018.1 which is earlier than the version of the Bootgen manual. Do I need to upgrade to version 2018.2 in order to get AES-GCM support on the ZynqMP?

Or is there some other way I can get the AES-GCM bitstream encryption for the ZynqMP?

Thanks for your help!
John

0 Kudos
7 Replies
Xilinx Employee
764 Views
Registered: ‎10-11-2011

As far as I know the nky format doesn't need to know the AES type.

Can you share the file that gives you problems in MPSoC?

 

-------------------------------------------------------------------------
Don’t forget to reply, kudo, and accept as solution.
-------------------------------------------------------------------------
0 Kudos
Adventurer
741 Views
Registered: ‎09-12-2007

Hi denist,

The NKY key file may not know the AES type, but for some reason it is not working for us when we try to use AES-GCM.

See the description below of the problem from the software engineer on my project.

Do you see any reason why the NKY file would not work for AES-GCM for generating a bitstream file when it worked fine for a BOOT.BIN file?

Thanks!
John

"The NKY key file specifies the device key.  Using bootgen (2018.1), the error I receive indicates bootgen does not understand the NKY file format I provide when using it to encrypt a PL bitstream.  I have used this NKY format for generating a secure BOOT.BIN image with AES-GCM encryption so I know it works.  In fact, I used bootgen (2018.1) to generate this NKY file for me to use for secure boot (AES-GCM encryption).  Therefore, I know that this NKY file has the correct AES-GCM format.  Unfortunately, the bootgen source code is not available so I cannot look for myself and figure out what format the NKY file should be in when using it to encrypt a PL bitstream.

The AES-GCM NKY file I tried to use (not actual data values):

Device zcu9eg;

Key 0 0123456789012345678901234567890123456789012345678901234567890123;

IV 0 6F33837E1A4E1BB65A2D93B5;

However, here is an experiment I did:

Using bootgen 2018.1, when attempting to encrypt a PL bitstream, if the developer does not provide an NKY file, then bootgen will generate one for you.  When I tried this method, the NKY file format generated by bootgen was based on AES-CBC-HMAC.  I then took this new NKY file and used it as my NKY file to encrypt the PL bitstream and it seemed to work as there were no errors.

The AES-CBC-HMAC NKY file that worked looks something like this (not actual data values):

Device zcu9eg;

Key 0 12345678ABCDDCBA12345678ABCDDCBA12345678ABCDDCBA12345678ABCDDCBA;

Key StartCBC 7115e9aa80085ea3ed65d26d3a8ab608;

Key HMAC d293d51c6058430262b05521f8f67279c9abce27d5fcafcf839bbe1af46713cc;"

0 Kudos
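
The two NKY layouts quoted in the post above can be told apart mechanically before a key file is handed to bootgen. The following is an added example, not part of the thread and not Xilinx code: the field names and hex lengths are taken only from the two sample files quoted above (bootgen's own acceptance rules are not shown on this page), and `parse_nky` / `classify_nky` are hypothetical helper names.

```python
import re

# Expected hex-digit counts, taken from the two sample files quoted in the post.
GCM_FIELDS = {("Key", "0"): 64, ("IV", "0"): 24}
CBC_FIELDS = {("Key", "0"): 64, ("Key", "StartCBC"): 32, ("Key", "HMAC"): 64}

# Constructed samples mirroring the post (placeholder values, not real keys).
SAMPLE_GCM = """Device zcu9eg;
Key 0       0123456789012345678901234567890123456789012345678901234567890123;
IV 0         6F33837E1A4E1BB65A2D93B5;
"""
SAMPLE_CBC = """Device zcu9eg;
Key 0 12345678ABCDDCBA12345678ABCDDCBA12345678ABCDDCBA12345678ABCDDCBA;
Key StartCBC 7115e9aa80085ea3ed65d26d3a8ab608;
Key HMAC d293d51c6058430262b05521f8f67279c9abce27d5fcafcf839bbe1af46713cc;
"""

def parse_nky(text):
    """Return (device, {(keyword, slot): hex_value}) from ';'-terminated statements."""
    device, fields = None, {}
    for stmt in filter(None, (s.strip() for s in text.split(";"))):
        tokens = stmt.split()
        if tokens[0] == "Device" and len(tokens) == 2:
            device = tokens[1]
        elif tokens[0] in ("Key", "IV") and len(tokens) == 3:
            if not re.fullmatch(r"[0-9A-Fa-f]+", tokens[2]):
                raise ValueError(f"non-hex value in: {stmt!r}")
            fields[(tokens[0], tokens[1])] = tokens[2]
        else:
            raise ValueError(f"unrecognised statement: {stmt!r}")
    return device, fields

def classify_nky(text):
    """Name the layout of an NKY file, or raise if it matches neither sample layout."""
    _, fields = parse_nky(text)
    for name, layout in (("AES-GCM", GCM_FIELDS), ("AES-CBC-HMAC", CBC_FIELDS)):
        if fields.keys() == layout.keys():
            # Same field set: now check every value has the expected length.
            bad = [k for k, n in layout.items() if len(fields[k]) != n]
            if bad:
                raise ValueError(f"{name} layout but wrong length for {bad}")
            return name
    raise ValueError(f"unknown field set: {sorted(fields)}")
```

Running `classify_nky` on a key file before invoking bootgen shows which of the two layouts it carries, so a format mismatch is visible up front rather than as a bootgen parse error.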
Xilinx Employee
721 Views
Registered: ‎10-11-2011

Are you sure you specified the "-arch zynqmp" in the bootgen command that generated that .nky file?

0 Kudos
Adventurer
696 Views
Registered: ‎09-12-2007

Actually, the command looked like this:

`bootgen -arch fpga -p zynqmp -image secure-pl.bif -w -o secure.bit -log trace`

Also tried:

`bootgen -arch fpga -p zcu9eg -image secure-pl.bif -w -o secure.bit -log trace`

It would be nice if you can verify the instructions on page 81 of UG1283 for the Ultrascale+ and let me know exactly what to use in Vivado version 2018.1.

 

0 Kudos
Xilinx Employee
673 Views
Registered: ‎10-11-2011

For MPSoC you must be using "-arch zynqmp".

In the bootgen guide you should look at "Encrypting Zynq MPSoC Device Partitions" at page 49.

Chapter 6 is for FPGAs, not for SoCs.

0 Kudos
Adventurer
659 Views
Registered: ‎09-12-2007

Page 49 references how to encrypt a partition, but I would like to encrypt a bitstream that will be used for configuring the PL. Is there a way to use "Bootgen" to generate such an encrypted bitstream?

0 Kudos
Xilinx Employee
647 Views
Registered: ‎10-11-2011

How do you intend to load this encrypted bitstream?

In MPSoC you cannot load such an encrypted bitstream using JTAG, so you need SW to load it.

This page gives some examples:

https://xilinx-wiki.atlassian.net/wiki/spaces/A/pages/18842432/Authentication+and+decryption+at+u-boot

As long as your bif is correct you need this simple bootgen command to create the image:

`bootgen -image Data.bif -w -o Output.bin -arch zynqmp`

0 Kudos