Zynq UltraScale+ MP SOC: Load encrypted FSBL on reboot
I'm working with a Xilinx Zynq UltraScale+ MP SOC and I would like to encrypt FSBL partition of the BOOT image, storing the AES key on BBRAM.
I first load an unencrypted binary which writes the key on BBRAM: the operation completes succesfully. Then an encrypted image is loaded on the boot device (we usually do it with unencrypted images) and a reboot is triggered by Linux. No power cycle is performed.
Unfortunately the board stucks immediately. Checking with Vivado tool I noticed REGISTER.JTAG_ERROR_STATUS.BIT104_CSU_BR_ERR_TYPE 0x5353, which is, according to TRM, "Changing the state from non-secure to secure is not allowed.".
Why is it happening? Is a power cycle mandatory to perform such transition?