08-09-2018 09:52 AM - edited 08-09-2018 01:42 PM
First let's talk about the Zynq's normal (multi)boot process. Assume that the boot mode is QSPI. Here's how I think it works. Please correct me if I'm wrong:
Is this correct so far?
Now I would like to have 2 application images in the QSPI, each with its own FSBL. This seems possible.
I have multiple questions:
08-10-2018 01:50 PM
I am assuming zynq-7000 without security involved (no encryption).
08-14-2018 07:12 AM - edited 08-14-2018 07:16 AM
Yes, I am using a Zynq 7000. Sorry for not mentioning that in my first post. Also, I do not intend to use encryption.
So what happens if the BootROM finds a valid bootloader header, but the code of the bootloader is actually corrupt? As far as I understand, the BootROM will still load the bootloader into OCM (RAM) and try to execute it. The (corrupted) bootloader code could go into an infinite loop or put the CPU in some bad state. What happens then?
Also, as far as I understand, the FSBL includes the ps7_init() code. So any firmware update for my device would have to come with its own FSBL. This means that, during a firmware update, there is the potential to end up with a corrupted bootloader (valid header, but broken code) and the system will not boot. In particular the BootROM would not even look for the golden image, since it finds the (valid) header of the corrupted bootloader first.
How can I protect my system from this problem?
08-15-2018 08:39 AM
For the upgrade, you should always have two images on your system. When you upgrade the first one, the suggestion is always to write the synchword in the boot header at the end, after a valid verification that the rest of the copy was successful.
Without the synchword, you will always be able to fall back to the second (golden) image.
For FSBL integrity, can you check the md5 option in bootgen? I know it works for MPSoC but I don't recall if that's supported for FSBL in zynq-7000.
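As an added illustration of the write-the-synchword-last update scheme described above (my own example, not code from the thread or from Xilinx), the script below models a QSPI flash with a golden image in the second 32 KB slot and simulates the BootROM's header search. The header offsets, the "XLNX" identification word (which I take to be the synchword the reply refers to), the 32 KB search step and the checksum rule are my assumptions from memory of the Zynq-7000 TRM; the FSBL payloads and the flash contents are constructed, and erase-before-write is ignored.

```python
import hashlib
import struct

# Boot-header layout as I recall it from the Zynq-7000 TRM (my assumption, not from the thread):
WIDTH_WORD = 0xAA995566   # offset 0x20, QSPI width-detection word
SYNC_WORD = 0x584C4E58    # offset 0x24, image identification "XLNX" (the "synchword")
SEARCH_STEP = 32 * 1024   # BootROM multiboot header search granularity
ERASED = 0xFFFFFFFF       # erased QSPI flash reads back as all ones

def header_checksum(words):
    # Checksum over header words 0x20..0x44: bitwise NOT of their 32-bit sum
    return (~sum(words)) & 0xFFFFFFFF

def make_image(fsbl):
    # Minimal header: zeroed vector table, then width, id, enc status, user word,
    # source offset, image length, load addr, exec addr, total length, QSPI config, checksum
    fields = [WIDTH_WORD, SYNC_WORD, 0, 0, 0x4C, len(fsbl), 0, 0, 0x4C + len(fsbl), 1]
    header = b"\0" * 0x20 + struct.pack("<11I", *fields, header_checksum(fields))
    return header + fsbl

def bootrom_search(flash):
    # Model of the BootROM: the first 32 KB-aligned slot with a valid header wins
    for off in range(0, len(flash), SEARCH_STEP):
        w = struct.unpack_from("<11I", flash, off + 0x20)
        if w[0] == WIDTH_WORD and w[1] == SYNC_WORD and w[10] == header_checksum(w[:10]):
            return off
    return None

def write_image_safely(flash, off, image, corrupt_byte=None):
    # Write everything except the synchword, verify the copy, then commit the synchword last.
    # corrupt_byte simulates a write error; a failed verify leaves the slot invisible to the BootROM.
    staged = bytearray(image)
    struct.pack_into("<I", staged, 0x24, ERASED)            # hold the synchword back
    written = bytearray(staged)
    if corrupt_byte is not None:
        written[corrupt_byte] ^= 0x01
    flash[off:off + len(written)] = written
    if hashlib.sha256(flash[off:off + len(staged)]).digest() != hashlib.sha256(staged).digest():
        return False                                        # synchword never written
    struct.pack_into("<I", flash, off + 0x24, SYNC_WORD)    # final step: slot becomes bootable
    return True

def demo():
    flash = bytearray(b"\xff" * (4 * SEARCH_STEP))          # constructed 128 KB flash, erased
    write_image_safely(flash, SEARCH_STEP, make_image(b"golden FSBL " * 16))   # golden in slot 1
    update = make_image(b"updated FSBL " * 16)
    ok = write_image_safely(flash, 0, update, corrupt_byte=0x60)   # corrupted update to slot 0
    fallback = bootrom_search(flash)                        # BootROM still picks the golden image
    retry = write_image_safely(flash, 0, update)
    return ok, fallback, retry, bootrom_search(flash)       # (False, 32768, True, 0)
```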
08-15-2018 08:59 AM - edited 08-15-2018 09:01 AM
I tried to enable md5 for the FSBL, but bootgen says that md5 is not supported for the bootloader on Zynq.
Writing the synchword at the end seems a good solution to minimize the chance of ending up with a corrupted bootloader.
08-16-2018 08:36 AM
I was afraid about that on md5 and zynq-7000. I think the only option is to use an RSA only flow to guarantee full integrity of the image.