Adventurer
793 Views
Registered: ‎09-12-2007

AES-GCM Bitstream Encryption Support For ZynqMP

I have a question about AES-GCM bitstream encryption support for the Zynq UltraScale+.

I understand that Zynq has a PS-PL that requires a special method for configuring the PL from the PS. Therefore, the Vivado GUI does not support generating an encrypted bitstream targeted for the Zynq.

Furthermore, I understand that the stand-alone application Bootgen is used for generating an encrypted bitstream file for the Zynq.

According to page 38 of the Bootgen User Guide UG1283 (v2018.2), there is a command line option "encryption" that has the following description:
"Specifies the partition to be encrypted. Encryption algorithms are: zynq uses AES-CBC, and zynqmp uses AES-GCM."

For the Zynq UltraScale+, Bootgen didn’t work with an AES-GCM nky file.  It only worked with an AES-CBC-HMAC nky file.

I am using Vivado version 2018.1 which is earlier than the version of the Bootgen manual. Do I need to upgrade to version 2018.2 in order to get AES-GCM support on the ZynqMP?

Or is there some other way I can get the AES-GCM bitstream encryption for the ZynqMP?

Thanks for your help!
John

0 Kudos
7 Replies
Xilinx Employee
736 Views
Registered: ‎10-11-2011

Re: AES-GCM Bitstream Encryption Support For ZynqMP

As far as I know the nky format doesn't need to know the AES type.

Can you share the file that gives you problems in MPSoC?

 

-------------------------------------------------------------------------
Don’t forget to reply, kudo, and accept as solution.
-------------------------------------------------------------------------
0 Kudos
Adventurer
713 Views
Registered: ‎09-12-2007

Re: AES-GCM Bitstream Encryption Support For ZynqMP

Hi denist,

The NKY key file may not know the AES type, but for some reason it is not working for us when we try to use AES-GCM.

See the description below of the problem from the software engineer on my project.

Do you see any reason why the NKY file would not work for AES-GCM for generating a bitstream file when it worked fine for a BOOT.BIN file?

Thanks!
John

"The NKY key file specifies the device key.  Using bootgen (2018.1), the error I receive indicates bootgen does not understand the NKY file format I provide when using it to encrypt a PL bitstream.  I have used this NKY format for generating a secure BOOT.BIN image with AES-GCM encryption so I know it works.  In fact, I used bootgen (2018.1) to generate this NKY file for me to use for secure boot (AES-GCM encryption).  Therefore, I know that this NKY file has the correct AES-GCM format.  Unfortunately, the bootgen source code is not available so I cannot look for myself and figure out what format the NKY file should be in when using it to encrypt a PL bitstream.

The AES-GCM NKY file I tried to use (not actual data values):

Device zcu9eg;
Key 0 0123456789012345678901234567890123456789012345678901234567890123;
IV 0 6F33837E1A4E1BB65A2D93B5;

However, here is an experiment I did:

Using bootgen 2018.1, when attempting to encrypt a PL bitstream, if the developer does not provide an NKY file, then bootgen will generate one for you.  When I tried this method, the NKY file format generated by bootgen was based on AES-CBC-HMAC.  I then took this new NKY file and used it as my NKY file to encrypt the PL bitstream and it seemed to work as there were no errors. 

The AES-CBC-HMAC NKY file that worked looks something like this (not actual data values):

Device zcu9eg;
Key 0 12345678ABCDDCBA12345678ABCDDCBA12345678ABCDDCBA12345678ABCDDCBA;
Key StartCBC 7115e9aa80085ea3ed65d26d3a8ab608;
Key HMAC d293d51c6058430262b05521f8f67279c9abce27d5fcafcf839bbe1af46713cc;"

0 Kudos
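An added example, not part of the original posts and not bootgen code: a small checker that reports which of the two NKY layouts quoted in the post above a key file follows, so a mismatch can be spotted before the file is handed to bootgen. The field names and hex lengths are assumptions taken from those two sample files, not from a Xilinx specification, and the sample inputs are constructed all-zero placeholders.

```python
import re

# Field name -> hex digits, taken from the two sample files quoted above
# (assumption: not an official NKY specification).
LAYOUTS = {
    "aes-gcm": {"Key 0": 64, "IV 0": 24},
    "aes-cbc-hmac": {"Key 0": 64, "Key StartCBC": 32, "Key HMAC": 64},
}
STATEMENT = re.compile(r"(Device|Key\s+\S+|IV\s+\S+)\s+(\S+)")

def parse_nky(text):
    """Split ';'-terminated NKY statements into a {field: value} dict."""
    fields = {}
    for stmt in (s.strip() for s in text.split(";")):
        if not stmt:
            continue
        m = STATEMENT.fullmatch(stmt)
        if m is None:
            # Report only the first token so key material never reaches logs.
            raise ValueError(f"unrecognised statement starting {stmt.split()[0]!r}")
        name = " ".join(m.group(1).split())
        if name in fields:
            raise ValueError(f"duplicate field {name!r}")
        fields[name] = m.group(2)
    return fields

def classify_nky(text):
    """Return the layout name, or raise ValueError if neither layout fits."""
    fields = parse_nky(text)
    fields.pop("Device", None)
    for label, spec in LAYOUTS.items():
        if set(fields) != set(spec):
            continue
        for name, digits in spec.items():
            if not re.fullmatch(r"[0-9A-Fa-f]{%d}" % digits, fields[name]):
                raise ValueError(f"{name}: expected {digits} hex digits")
        return label
    raise ValueError("fields match neither layout: " + ", ".join(sorted(fields)))

# Constructed sample files (all-zero placeholders, not real keys).
SAMPLE_GCM = "Device zcu9eg;\nKey 0 " + "0" * 64 + ";\nIV 0 " + "0" * 24 + ";\n"
SAMPLE_CBC = ("Device zcu9eg;\nKey 0 " + "0" * 64 + ";\nKey StartCBC " + "0" * 32
              + ";\nKey HMAC " + "0" * 64 + ";\n")

if __name__ == "__main__":
    for label, sample in (("gcm sample", SAMPLE_GCM), ("cbc sample", SAMPLE_CBC)):
        print(label, "->", classify_nky(sample))
```

Error messages name only the field or the first token of a bad statement, so key values are never echoed into build logs.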
Xilinx Employee
693 Views
Registered: ‎10-11-2011

Re: AES-GCM Bitstream Encryption Support For ZynqMP

Are you sure you specified the "-arch zynqmp" in the bootgen command that generated that .nky file?

0 Kudos
Adventurer
668 Views
Registered: ‎09-12-2007

Re: AES-GCM Bitstream Encryption Support For ZynqMP

Actually, the command looked like this:

`bootgen -arch fpga -p zynqmp -image secure-pl.bif -w -o secure.bit -log trace`

Also tried:

`bootgen -arch fpga -p zcu9eg -image secure-pl.bif -w -o secure.bit -log trace`

It would be nice if you can verify the instructions on page 81 of UG1283 for the Ultrascale+ and let me know exactly what to use in Vivado version 2018.1.

 

0 Kudos
Xilinx Employee
645 Views
Registered: ‎10-11-2011

Re: AES-GCM Bitstream Encryption Support For ZynqMP

For MPSoC you must be using "-arch zynqmp".

In the bootgen guide you should look at "Encrypting Zynq MPSoC Device Partitions" at page 49.

Chapter 6 is for FPGAs, not for SoCs.

0 Kudos
Adventurer
631 Views
Registered: ‎09-12-2007

Re: AES-GCM Bitstream Encryption Support For ZynqMP

Page 49 references how to encrypt a partition, but I would like to encrypt a bitstream that will be used for configuring the PL. Is there a way to use "Bootgen" to generate such an encrypted bitstream?

0 Kudos
Xilinx Employee
619 Views
Registered: ‎10-11-2011

Re: AES-GCM Bitstream Encryption Support For ZynqMP

How do you intend to load this encrypted bitstream?

In MPSoC you cannot load such an encrypted bitstream using JTAG, so you need SW to load it.

This page gives some examples:

https://xilinx-wiki.atlassian.net/wiki/spaces/A/pages/18842432/Authentication+and+decryption+at+u-boot

As long as your bif is correct you need this simple bootgen command to create the image:

`bootgen -image Data.bif -w -o Output.bin -arch zynqmp`

0 Kudos