Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
mgarrick
Participant
Participant

‎10-12-2018 08:52 AM

1,607 Views
Registered: ‎08-13-2018

Unable to reprogram FPGA with Authentication enabled

Jump to solution

Hello,

 

Using PetaLinux 2018.2, I am trying to verify the authentication functionality on a ZCU106 board.

 

I have programmed PPK0 and PPK1 into the eFUSEs, but have NOT turned on RSA authentication within the eFUSE.

 

I am instead using the BH Authorization option when I generate my images.

 

I have successfully got U-Boot and Linux being verified and booted in this manner.

 

However, when using this BH authentication, Linux will not boot if the FPGA is not programmed. I have been told this is a feature, and part of the security chain of trust.

 

So I am having the FSBL program an authorized, default FPGA image (i.e. the one provided by Xilinx) at boot time.

 

At run time, I would like to reprogram the FPGA with a different, authorized image. I'd like to do this from Linux if possible, but I could do it from U-Boot if absolutely necessary.

 

Unfortunately, when I try to generate my authorized FPGA .bin file (from the .bit file), the reprogramming in Linux always fails.

 

I have also tried programming the authorized FPGA .bin file from U-Boot, and that also fails.

 

NOTE: Programming the FPGA image in U-Boot or reprogramming within Linux always works IF the image is NOT authorized.

 

My question is, is it possible to reprogram the FPGA (in Linux) when authorization is used (both through the eFUSE or using BH Authorization), and if so, what is the process to do this?

 

I have followed the instructions in the Full Bitstream Using sysfs interface section in :

https://xilinx-wiki.atlassian.net/wiki/spaces/A/pages/18841847/Solution+ZynqMP+PL+Programming#SolutionZynqMPPLProgramming-FullBitstreamUsingsysfsinterface

 

including trying to echo the values of 2 & 4 into /sys/class/fpga_manager/fpga0/flags.

 

In that case, I get the errors:

[  893.216430] fpga_manager fpga0: writing fpga.bin to Xilinx ZynqMP FPGA Manager
Fail to load: Enable secure mode and try...
[  893.319547] fpga_manager fpga0: Error while writing image data to FPGA
-sh: echo: write error: Invalid argument

 

I have also followed the instructions in:

https://xilinx-wiki.atlassian.net/wiki/spaces/A/pages/18842505/Zynq+Ultrascale+plus+secure+bitstream+programming+from+Linux

 

with no success.

 

Finally, I noticed while looking at:

https://xilinx-wiki.atlassian.net/wiki/spaces/A/pages/18841645/Solution+Zynq+PL+Programming+With+FPGA+Manager

 

That the following two lines are present:

Under HW IP Features: Encrypted and Authenticated Bitstream loading.

Under Missing Features, Known Issues and Limitations: No support for Authenticated and Encrypted Bitstream loading

 

These two lines seem to contradict each other in the same document ... 

 

I appreciate any assistance you can offer.

 

Thanks.

0 Kudos
Reply
1 Solution

Accepted Solutions
smarell
Community Manager
Community Manager

‎10-15-2018 10:09 PM

1,494 Views
Registered: ‎07-23-2012

Jump to solution
Setting PMUFW in secure mode is mandatory though you have the authentication as part of bootheader or in eFUSE. I'm not aware of how to set this parameter in PetaLinux.
-----------------------------------------------------------------------------------------------
Please mark the post as "Accept as solution" if the information provided answers your query/resolves your issue.

Give Kudos to a post which you think is helpful.

View solution in original post

0 Kudos
Reply
5 Replies
denist
Xilinx Employee
Xilinx Employee

‎10-12-2018 11:06 AM

1,584 Views
Registered: ‎10-11-2011

Jump to solution

Programming the bitstream in Linux is complicated and required an OS expert (devicetree overlay concept which I am not familiar with).

From u-boot, are you using the command at the bottom of this page?

https://xilinx-wiki.atlassian.net/wiki/spaces/A/pages/18842432/Authentication+and+decryption+at+u-boot

" fpga loads [dev] [address] [size] [auth-OCM-0/DDR-1/noauth-2] [enc-devkey(0)/userkey(1)/nenc(2) ] [Userkey address]"

 

That should work and the DONE signal should go high. Linux should be booting ok because at this point doesn't know that the bitstream has been loaded by a trusted u-boot rather than the FSBL.

 

-------------------------------------------------------------------------
Don’t forget to reply, kudo, and accept as solution.
-------------------------------------------------------------------------
0 Kudos
Reply
mgarrick
Participant
Participant

‎10-12-2018 11:21 AM

1,579 Views
Registered: ‎08-13-2018

Jump to solution

Thanks for your reply.

 

Yes, I have tried using the "fpga loads" instruction.

 

Specifically, I have used:

load mmc 0 ${netstart} <binary file name>

fpga loads ${netstart} ${filesize} 0 2

 

I've also tried:

fpga loads ${netstart} ${filesize} 1 2

 

NOTE: At the moment I am only using authorization ... NOT encryption.

 

Also note I am using BH Authority, not eFUSE authority.

 

When I use either of the above commands I get the response:

Fail to load: Enable secure mode and try...
PL FPGA LOAD fail

 

If I try this with the command:

fpga load ${netstart} ${filesize}

(i.e. using load, not loads)

 

with the BH Authorized image, I get the response:

zynqmp_validate_bitstream: Bitstream is not validated yet (diff b8)
fpga - loadable FPGA image support

 

If I use the load (not loads) command with an image which is NOT authorized, it programs just fine and Linux does boot fine.

 

But I need to do this with authorization enabled.

 

Thanks.

 

 

 

0 Kudos
Reply
smarell
Community Manager
Community Manager

‎10-14-2018 11:24 PM

1,534 Views
Registered: ‎07-23-2012

Jump to solution
While building PMUFW you should enable SECURE_MODE in BSP settings for XILFPGA. Please refer to Pre-requisites @ http://www.wiki.xilinx.com/Zynq+Ultrascale+plus+secure+bitstream+programming
-----------------------------------------------------------------------------------------------
Please mark the post as "Accept as solution" if the information provided answers your query/resolves your issue.

Give Kudos to a post which you think is helpful.
Reply
mgarrick
Participant
Participant

‎10-15-2018 09:53 AM

1,524 Views
Registered: ‎08-13-2018

Jump to solution

 

Thank you, smarell,

 

This seems to have done the trick.

 

I am currently running this test using the BH Authority, NOT the authority enabled in the eFUSE.

 

Can you please confirm that this change to the PMUFW is required once I enable authority in the eFUSE?

 

Also, I tried to make a change to the PMUFW via petalinux-config -c pmufw, but this command does not present a menu as other -c options do (i.e. kernel, rfs, etc).

 

I ended up doing this through the SDK GUI ... is there any way to do this via the petalinux-config tool?

 

Thanks.

 

0 Kudos
Reply
smarell
Community Manager
Community Manager

‎10-15-2018 10:09 PM

1,495 Views
Registered: ‎07-23-2012

Jump to solution
Setting PMUFW in secure mode is mandatory though you have the authentication as part of bootheader or in eFUSE. I'm not aware of how to set this parameter in PetaLinux.
-----------------------------------------------------------------------------------------------
Please mark the post as "Accept as solution" if the information provided answers your query/resolves your issue.

Give Kudos to a post which you think is helpful.

View solution in original post

0 Kudos
Reply