Zynq ZC706 EVK secure boot

Hello all,

I have been working on zc706evk secure boot. I am running bare-metal software and so far I have been able to securely boot my software from QSPI with AES key programmed in the BBRAM. The next step obviously is to program the eFUSE array for production. But before I move to program eFUSE array, I want to ask a few questions:

1) I programmed BBRAM using Vivado. Can I use Xilinx secure key driver to program BBRAM?

2) Is there a Xilinx secure key driver example application available for zc706evk?

3) After storing AES keys in BBRAM, I was still able to boot non-secure images. Would I be able to do so after eFUSE programming as well?

4) After eFUSE programming, would the JTAG boot mode work? Just want to confirm if my board will be available for development using JTAG.

Thank you very much and BR,
Umair

Hi @umair_khan ,

Please check my inline answers:

1) I programmed BBRAM using Vivado. Can I use Xilinx secure key driver to program BBRAM?

Srikanth: Yes, you can use the Xilskey driver to program the BBRAM; refer to this: https://github.com/Xilinx/embeddedsw/blob/master/lib/sw_services/xilskey/examples/xilskey_bbram_example.c

2) Is there a Xilinx secure key driver example application available for zc706evk?

Srikanth: Yes, please check here: https://github.com/Xilinx/embeddedsw/tree/master/lib/sw_services/xilskey

3) After storing AES keys in BBRAM, I was still able to boot non-secure images. Would I be able to do so after eFUSE programming as well?

Srikanth: Yes, you can do non-secure boot even after programming the BBRAM. Yes, for eFUSE also, but you should not program the XSK_EFUSEPL_FORCE_USE_AES_ONLY eFUSE.

4) After eFUSE programming, would the JTAG boot mode work? Just want to confirm if my board will be available for development using JTAG.

Srikanth: Yes, you can still use the JTAG, but you need to configure some registers; please refer to it: https://www.xilinx.com/support/answers/64275.html


Best Regards,
Srikanth

Hi Srikanth,

Thank you. I appreciate the brief and to the point answers. However, I need some clarification regarding answer 4. Please find my additional questions below:

4.1) I believe the JTAG is disabled, by default, only when the image being booted is AES signed or, in other words, secure. What if I boot non-secure image with eFUSEs blown as I described in question 3? Will JTAG still be disabled upon boot up?

4.2) And what if I change boot mode to JTAG? I believe in this scenario, there won't be any need to configure those registers, that you referred to in your answer, and JTAG will be usable right after power-up. Can you please confirm if this understanding is correct?

Thanks and BR,
Umair Khan

Hi @umair_khan 

1. If you are booting with a non-secure image, the JTAG is available even if the eFUSEs are blown.

2. Yes, if you set boot mode to JTAG, then there is no need to configure any register; JTAG is available directly.


Best Regards,
Srikanth

Thanks for the quick response. This answered my question.

Thanks and BR,
Umair Khan
