miloserdin
Contributor
Registered: 02-20-2016

Loading encrypted bitstreams from baremetal application to Zynq UltraScale+ MPSoC failed


Hello!
I'm working with a Zynq UltraScale+ MPSoC XCZU19EG using Xilinx SDK 2019.1.
I'd like to load encrypted bitstreams from a baremetal application at run time, and I'd like to use an AES key previously loaded to BBRAM for decryption.
I created an application to write the AES key to BBRAM using the XilSKey library as described in xapp1319 (xilskey_bbramps_zynqmp_example.c).
I successfully wrote the AES key to BBRAM using this application.

Then I created a boot image using bootgen which contains only the bitstream encrypted by the same AES key that I wrote to BBRAM.
Here is the BIF file:

the_ROM_image:
{
	[keysrc_encryption] bbram_red_key
	[encryption = aes,aeskeyfile=aes.nky] bitstream.bit 
}

I uploaded the boot image to DDR memory and tried to load it to the PL using the XilFpga library XFpga_PL_BitStream_Load() function call.
But it failed with error XSECURE_CSU_AES_GCM_TAG_MISMATCH in the XSecure_AesDecryptBlk() function.

Please tell me what I am doing wrong.

denist
Xilinx Employee
Registered: 10-11-2011

What's the bootgen command you are using? Have you tried the same flow with an unencrypted bitstream to be sure you have the correct steps?

miloserdin
Contributor
Registered: 02-20-2016

Hi denist!

I'm using the following bootgen command to create the boot image:

bootgen -arch zynqmp -image bootimage.bif -p xczu19eg -o securebitfile.bin -w on -log trace

I don't use an encrypted FSBL in my BOOT.BIN image and thus, I suppose, I couldn't use the AES key in BBRAM according to this statement in UG1085 Zynq UltraScale+ TRM:

The CSU automatically locks out the AES key, stored in either BBRAM or eFUSEs, as a key 
source to the AES engine if the FSBL is not encrypted. This prevents using the BBRAM or 
eFUSE as the key source to the AES engine during run-time applications.

Is it true?

 

denist
Xilinx Employee
Registered: 10-11-2011

Correct. You need to boot with the FSBL encrypted if you want to be able to use the device key (BBRAM or eFUSE).

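The precondition confirmed in the thread above can be checked on the BOOT.BIN BIF before deployment. This is an added example, not part of the original thread or of any Xilinx tool. The function names, the sample BIFs and their file names are assumptions, and only the red-key source names are treated as the device key.

```python
import re

# Assumption: only the red-key sources are listed; other eFUSE key forms are left out.
DEVICE_KEY_SOURCES = {"bbram_red_key", "efuse_red_key"}
ENTRY = re.compile(r"\[([^\]]*)\]\s*(\S+)")  # "[attr, key=value] operand"

def parse_bif(text):
    """Return (keysrc_encryption value or None, list of attribute dicts)."""
    text = re.sub(r"/\*.*?\*/|//[^\n]*", "", text, flags=re.S)  # strip comments
    keysrc, entries = None, []
    for attr_str, operand in ENTRY.findall(text):
        attrs = {}
        for item in attr_str.split(","):
            key, _, value = item.partition("=")
            if key.strip():
                attrs[key.strip().lower()] = value.strip().lower()
        if "keysrc_encryption" in attrs:
            keysrc = operand.lower()  # image-level attribute, operand is the value
        else:
            entries.append(attrs)     # bracketed entries only; bare file names are skipped
    return keysrc, entries

def check_boot_bif(boot_bif):
    """List reasons the BBRAM/eFUSE key would be unavailable after this boot."""
    keysrc, entries = parse_bif(boot_bif)
    findings = []
    fsbl = next((a for a in entries if "bootloader" in a), None)
    if fsbl is None:
        findings.append("no [bootloader] partition found")
    elif fsbl.get("encryption", "none") != "aes":
        findings.append("FSBL is not encrypted: CSU locks out the BBRAM/eFUSE key")
    if keysrc not in DEVICE_KEY_SOURCES:
        findings.append(f"keysrc_encryption is {keysrc!r}, not a BBRAM/eFUSE key")
    return findings

# Constructed BOOT.BIN BIFs; file names are placeholders.
PLAIN_BOOT = """the_ROM_image:
{
    [bootloader, destination_cpu=a53-0] fsbl.elf
}"""
ENCRYPTED_BOOT = """the_ROM_image:
{
    [keysrc_encryption] bbram_red_key
    [bootloader, encryption=aes, aeskeyfile=aes.nky, destination_cpu=a53-0] fsbl.elf
}"""

for name, bif in (("plain", PLAIN_BOOT), ("encrypted", ENCRYPTED_BOOT)):
    print(name, check_boot_bif(bif) or "OK")
```

The check applies to the BIF of the image the device boots from, not to the bitstream-only BIF shown in the question.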