Visitor

Is it possible to decrypt a regular data partition using PCAP in Zynq 7000 AP SoC

Hello, everyone!

Our company is developing a new product, which must strictly comply with new security requirements. We're using our own proprietary format of boot images, which are managed by a derivative of the common FSBL project. One of the requirements posed to us by our security department is to retain keys and certificates used for decryption and authentication separately from the software that uses them. In our particular case it was decided to just put them in an encrypted partition next to the FSBL (it is authenticated and encrypted as well). We name it "vault".

To get data out of there I use functions I found in the image_mover.c and pcap.c modules plus some wrapping. It looks like this:

static s32 ReadoutAndDecryptVaultContents( TSecuredVault *vaultContents )
{
    s32 result = -1;

    /* Copy the encrypted "vault" partition from QSPI into the caller's buffer. */
    if ( QspiAccess( securedVaultInstance.offsetInQspi,
                     (u32) vaultContents,
                     securedVaultInstance.cipherTextSize ) == 0 ) {

        /* Run the buffer through the PCAP AES/HMAC path, decrypting it in place. */
        if ( DecryptPartition( (u32) vaultContents,
                               PartitionHeader[ SECURED_VAULT_PARTITION ].DataWordLen,
                               PartitionHeader[ SECURED_VAULT_PARTITION ].ImageWordLen ) == XST_SUCCESS ) {

            result = 0;
        }
    }

    return result;
}

As you see it is pretty simple. It just reads the encrypted partition from QSPI and then triggers a PCAP DMA transaction routed through the AES/HMAC engine. And it works perfectly until the following event.

In our image we have a module which contains a conventional Xilinx boot image, generated by bootgen. It contains an unencrypted bitstream and application (these are protected by higher levels). If the image is fine, then we just pass it (through some intermediate function though) to the LoadBootImage function, which does the rest of the job.

The problem is that after the application starts I can't decrypt data from the vault anymore. The DMA transaction hangs and either never returns, or returns in (literally) some minutes, reporting a timeout. Here are the register dumps for a successful and a failed transaction respectively:

Successful:

  PCAP register dump:
  PCAP CTRL            0xF8007000: 0x4E80FE80
  PCAP LOCK            0xF8007004: 0x00000012
  PCAP CONFIG          0xF8007008: 0x00000508
  PCAP ISR             0xF800700C: 0x00033000
  PCAP IMR             0xF8007010: 0xFFFFFFFF
  PCAP STATUS          0xF8007014: 0x50000A30
  PCAP DMA SRC ADDR    0xF8007018: 0xFFFF6D41
  PCAP DMA DEST ADDR   0xF800701C: 0xFFFF6D41
  PCAP DMA SRC LEN     0xF8007020: 0x0000018B
  PCAP DMA DEST LEN    0xF8007024: 0x000000C0
  PCAP ROM SHADOW CTRL 0xF8007028: 0xFFFFFFFF
  PCAP MBOOT           0xF800702C: 0x0000C002
  PCAP SW ID           0xF8007030: 0x00000000
  PCAP UNLOCK          0xF8007034: 0x757BDF0D
  PCAP MCTRL           0xF8007080: 0x34800100

  DMA Done !

Failed:

  PCAP register dump:
  PCAP CTRL            0xF8007000: 0x4E80FE80
  PCAP LOCK            0xF8007004: 0x00000012
  PCAP CONFIG          0xF8007008: 0x00000508
  PCAP ISR             0xF800700C: 0x00820005
  PCAP IMR             0xF8007010: 0xFFFFFFFF
  PCAP STATUS          0xF8007014: 0x00000F20
  PCAP DMA SRC ADDR    0xF8007018: 0xFFFF77C1
  PCAP DMA DEST ADDR   0xF800701C: 0xFFFF77C1
  PCAP DMA SRC LEN     0xF8007020: 0x0000018B
  PCAP DMA DEST LEN    0xF8007024: 0x000000C0
  PCAP ROM SHADOW CTRL 0xF8007028: 0xFFFFFFFF
  PCAP MBOOT           0xF800702C: 0x0000C002
  PCAP SW ID           0xF8007030: 0x00000000
  PCAP UNLOCK          0xF8007034: 0x757BDF0D
  PCAP MCTRL           0xF8007080: 0x34800100
  ................................................................................
  ...................

So my question is whether it's possible to use the PCAP and AES/HMAC engine to decrypt a piece of data at some point at runtime? Or were they designed specifically for managing the boot process and are not expected to be used as a general-purpose tool?

Thanks in advance!

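The "PCAP ISR" line in the two dumps above is the devcfg INT_STS register at 0xF800700C. The following C is an added example, not code from the original post, from the Xilinx FSBL or from the xdcfg driver: it decodes an INT_STS snapshot bit by bit, using the bit positions documented for that register in the Zynq-7000 TRM (UG585) and named as in xdcfg_hw.h, and classifies a transfer the way a polling loop would. The particular set of bits treated as "error" in classify_isr is my own choice, modelled on the kind of check pcap.c performs; its exact membership is an assumption. The two input values are the ones printed in the post.

```c
/*
 * Added example (not from the original post or the Xilinx FSBL).
 * Decodes devcfg INT_STS ("PCAP ISR", 0xF800700C) snapshots from a Zynq-7000.
 * Bit positions follow the INT_STS description in the Zynq-7000 TRM (UG585);
 * names follow the xdcfg driver header.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DCFG_IXR_PSS_GTS_USR_B   0x80000000u
#define DCFG_IXR_PSS_FST_CFG_B   0x40000000u
#define DCFG_IXR_PSS_GPWRDWN_B   0x20000000u
#define DCFG_IXR_PSS_GTS_CFG_B   0x10000000u
#define DCFG_IXR_PSS_CFG_RESET_B 0x08000000u
#define DCFG_IXR_AXI_WTO         0x00800000u  /* AXI write timeout */
#define DCFG_IXR_AXI_WERR        0x00400000u  /* AXI write error */
#define DCFG_IXR_AXI_RTO         0x00200000u  /* AXI read timeout */
#define DCFG_IXR_AXI_RERR        0x00100000u  /* AXI read error */
#define DCFG_IXR_RX_FIFO_OV      0x00040000u  /* RX FIFO overflow */
#define DCFG_IXR_WR_FIFO_LVL     0x00020000u  /* write FIFO level reached */
#define DCFG_IXR_RD_FIFO_LVL     0x00010000u  /* read FIFO level reached */
#define DCFG_IXR_DMA_CMD_ERR     0x00008000u  /* DMA command error */
#define DCFG_IXR_DMA_Q_OV        0x00004000u  /* DMA command queue overflow */
#define DCFG_IXR_DMA_DONE        0x00002000u  /* DMA transfer complete */
#define DCFG_IXR_D_P_DONE        0x00001000u  /* DMA and PCAP transfers complete */
#define DCFG_IXR_P2D_LEN_ERR     0x00000800u  /* PCAP-to-DMA length mismatch */
#define DCFG_IXR_PCFG_HMAC_ERR   0x00000040u  /* HMAC authentication failed */
#define DCFG_IXR_PCFG_SEU_ERR    0x00000020u
#define DCFG_IXR_PCFG_POR_B      0x00000010u
#define DCFG_IXR_PCFG_CFG_RST    0x00000008u
#define DCFG_IXR_PCFG_DONE       0x00000004u  /* PL configuration DONE */
#define DCFG_IXR_PCFG_INIT_PE    0x00000002u
#define DCFG_IXR_PCFG_INIT_NE    0x00000001u

/* Bits that make a transfer a failure. Membership is this example's assumption. */
#define DCFG_IXR_ERROR_FLAGS (DCFG_IXR_AXI_WTO | DCFG_IXR_AXI_WERR | DCFG_IXR_AXI_RTO | \
                              DCFG_IXR_AXI_RERR | DCFG_IXR_RX_FIFO_OV | DCFG_IXR_DMA_CMD_ERR | \
                              DCFG_IXR_DMA_Q_OV | DCFG_IXR_P2D_LEN_ERR | DCFG_IXR_PCFG_HMAC_ERR)

typedef struct { uint32_t mask; const char *name; } isr_bit_t;

static const isr_bit_t isr_bits[] = {
    { DCFG_IXR_PSS_GTS_USR_B, "PSS_GTS_USR_B" }, { DCFG_IXR_PSS_FST_CFG_B, "PSS_FST_CFG_B" },
    { DCFG_IXR_PSS_GPWRDWN_B, "PSS_GPWRDWN_B" }, { DCFG_IXR_PSS_GTS_CFG_B, "PSS_GTS_CFG_B" },
    { DCFG_IXR_PSS_CFG_RESET_B, "PSS_CFG_RESET_B" },
    { DCFG_IXR_AXI_WTO, "AXI_WTO" },             { DCFG_IXR_AXI_WERR, "AXI_WERR" },
    { DCFG_IXR_AXI_RTO, "AXI_RTO" },             { DCFG_IXR_AXI_RERR, "AXI_RERR" },
    { DCFG_IXR_RX_FIFO_OV, "RX_FIFO_OV" },       { DCFG_IXR_WR_FIFO_LVL, "WR_FIFO_LVL" },
    { DCFG_IXR_RD_FIFO_LVL, "RD_FIFO_LVL" },     { DCFG_IXR_DMA_CMD_ERR, "DMA_CMD_ERR" },
    { DCFG_IXR_DMA_Q_OV, "DMA_Q_OV" },           { DCFG_IXR_DMA_DONE, "DMA_DONE" },
    { DCFG_IXR_D_P_DONE, "D_P_DONE" },           { DCFG_IXR_P2D_LEN_ERR, "P2D_LEN_ERR" },
    { DCFG_IXR_PCFG_HMAC_ERR, "PCFG_HMAC_ERR" }, { DCFG_IXR_PCFG_SEU_ERR, "PCFG_SEU_ERR" },
    { DCFG_IXR_PCFG_POR_B, "PCFG_POR_B" },       { DCFG_IXR_PCFG_CFG_RST, "PCFG_CFG_RST" },
    { DCFG_IXR_PCFG_DONE, "PCFG_DONE" },         { DCFG_IXR_PCFG_INIT_PE, "PCFG_INIT_PE" },
    { DCFG_IXR_PCFG_INIT_NE, "PCFG_INIT_NE" },
};

typedef enum { PCAP_XFER_PENDING = 0, PCAP_XFER_DONE = 1, PCAP_XFER_ERROR = 2 } pcap_xfer_state_t;

/* Write the "|"-joined names of the set bits into out; return how many were set. */
size_t decode_isr(uint32_t isr, char *out, size_t outlen)
{
    size_t n = 0;
    if (outlen) out[0] = '\0';
    for (size_t i = 0; i < sizeof isr_bits / sizeof isr_bits[0]; i++) {
        if (!(isr & isr_bits[i].mask)) continue;
        if (outlen) {
            if (n) strncat(out, "|", outlen - strlen(out) - 1);
            strncat(out, isr_bits[i].name, outlen - strlen(out) - 1);
        }
        n++;
    }
    return n;
}

/* Error bits win; otherwise both DMA_DONE and D_P_DONE mean the transfer finished. */
pcap_xfer_state_t classify_isr(uint32_t isr)
{
    const uint32_t done = DCFG_IXR_DMA_DONE | DCFG_IXR_D_P_DONE;
    if (isr & DCFG_IXR_ERROR_FLAGS) return PCAP_XFER_ERROR;
    if ((isr & done) == done) return PCAP_XFER_DONE;
    return PCAP_XFER_PENDING;
}

int main(void)
{
    /* The two INT_STS values printed in the post's register dumps. */
    static const struct { const char *label; uint32_t isr; } snaps[] = {
        { "successful", 0x00033000u },
        { "failed",     0x00820005u },
    };
    static const char *state_name[] = { "pending", "done", "error" };
    char names[256];

    for (size_t i = 0; i < sizeof snaps / sizeof snaps[0]; i++) {
        decode_isr(snaps[i].isr, names, sizeof names);
        printf("%-10s ISR=0x%08x -> %s (%s)\n", snaps[i].label, snaps[i].isr,
               state_name[classify_isr(snaps[i].isr)], names);
    }
    return 0;
}
```

Decoding the page's own values: the successful dump has DMA_DONE and D_P_DONE set (plus the two FIFO level bits), so the poll loop would see completion; the failed dump has AXI_WTO (an AXI write timeout) set and no DMA_DONE, and additionally PCFG_DONE, i.e. the PL was already configured when the second transfer was attempted. That is consistent with the timeout the post reports.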
Xilinx Employee

Re: Is it possible to decrypt a regular data partition using PCAP in Zynq 7000 AP SoC

xapp1226:

"In the decrypt on demand method, encrypted partitions are copied to DDR at boot time. A partition can contain software, hardware (bitstream), or a data file. Because it is encrypted, the partition is not exposed as plaintext in DDR. When used, the partition is decrypted using the Zynq-7000 AP SoC device's AES decryptor and placed into the Zynq-7000 device's secure storage. The sensitive code is executed from secure storage. If the decrypted partition is data, the data is accessed from secure storage."
