Visitor ccastell
Visitor
261 Views
Registered: ‎06-10-2019

Ultra Scale plus BOOT.bin encrypting using aes key

Hi,

I'm using a partname xczu7eg (Ultra Scale plus) and I have just generated an encrypted BOOT.bin by running the tcl script:

exec bootgen -arch zynqmp -image ./Hercules_2.bif -w -o ./BOOT.bin -encrypt bbram -p xczu7eg

where the bif file is as follows:

the_ROM_image:
{
 [fsbl_config]a53_x64
 [aeskeyfile] bbram.nky
 [bootloader, encryption=aes] Hercules_2_FSBL.elf
 [destination_device = pl, encryption=aes] Hercules2_top.bit
 [destination_cpu = a53-0, encryption=aes] Hercules_2.elf
}

Well, I'm trying to write the bbram.nky by using Vivado Hardware Manager via JTAG connection, but I can't find the corresponding menu (Program BBR Key).

Any suggestion?

 

Thanks in advance.

 

 

0 Kudos
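As an added example (not part of the original post and not Xilinx code), the following Python check parses a BIF like the one posted above and reports a missing [aeskeyfile] entry or any partition that lacks encryption=aes. The parsing rules are a simplified assumption covering only the one-entry-per-line attribute syntax shown in this thread, and MIXED_BIF is a constructed variant.

```python
import re

# The BIF from the post, plus a constructed variant with one partition unencrypted.
POSTED_BIF = """the_ROM_image:
{
 [fsbl_config]a53_x64
 [aeskeyfile] bbram.nky
 [bootloader, encryption=aes] Hercules_2_FSBL.elf
 [destination_device = pl, encryption=aes] Hercules2_top.bit
 [destination_cpu = a53-0, encryption=aes] Hercules_2.elf
}
"""
MIXED_BIF = POSTED_BIF.replace("[destination_device = pl, encryption=aes]",
                               "[destination_device = pl]")

# Entries that configure the image instead of naming a partition file
# (assumption: only the two seen in the thread are handled this way).
SETTINGS = {"fsbl_config", "aeskeyfile"}
ENTRY = re.compile(r"^\s*\[([^\]]*)\]\s*(\S+)\s*$")

def parse_bif(text):
    """Return (settings, partitions) from a simple one-entry-per-line BIF."""
    settings, partitions = {}, []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # image name, braces, blank lines
        attrs = {}
        for item in m.group(1).split(","):
            key, _, value = item.partition("=")
            attrs[key.strip()] = value.strip()
        first = next(iter(attrs))
        if first in SETTINGS and len(attrs) == 1:
            settings[first] = m.group(2)
        else:
            partitions.append((m.group(2), attrs))
    return settings, partitions

def audit_bif(text):
    """List findings: missing key file, or partitions without encryption=aes."""
    settings, partitions = parse_bif(text)
    findings = []
    if "aeskeyfile" not in settings:
        findings.append("no [aeskeyfile] entry")
    for filename, attrs in partitions:
        if attrs.get("encryption") != "aes":
            findings.append(f"{filename}: not encrypted")
    return findings
```

Calling audit_bif(POSTED_BIF) returns an empty list, while audit_bif(MIXED_BIF) names the bitstream partition that lost its encryption attribute.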
14 Replies
Moderator
Moderator
224 Views
Registered: ‎03-19-2014

Re: Ultra Scale plus BOOT.bin encrypting using aes key

To program the keys (BBRAM and eFuse) in Zynq UltraScale+ refer to XAPP 1319.  The programming is done via the XilSkey library.

-------------------------------------------------------------------------
Don’t forget to reply, kudo, and accept as solution.
-------------------------------------------------------------------------
0 Kudos
Visitor ccastell
Visitor
212 Views
Registered: ‎06-10-2019

Re: Ultra Scale plus BOOT.bin encrypting using aes key

Hi glena,

thanks for your response.

The chapter "Programming the AES Key in BBRAM" in XAPP1319 (v1.0) suggests using the hardware platform ZCU102_hw_platform (pre-defined).

Is it strictly necessary to use that platform? Or is it possible to use the hw_platform of the project?

 

0 Kudos
Moderator
Moderator
196 Views
Registered: ‎03-19-2014

Re: Ultra Scale plus BOOT.bin encrypting using aes key

XAPP1319 uses the ZCU102 as a demonstration platform.   You should be using the HDF that represents your specific hardware since you are using a custom board.

0 Kudos
Visitor ccastell
Visitor
182 Views
Registered: ‎06-10-2019

Re: Ultra Scale plus BOOT.bin encrypting using aes key

Glena,

thanks for your response.

According to XAPP1319, the only way to load the AES key into the BBRAM is to create a specific BOOT.bin, save it on SD and reboot the board from the SD itself.

Well, I'm in a situation in which booting the board from SD is not an easy operation, so I'm wondering if there is an alternative way to upload the AES key into the BBRAM.

 

 

0 Kudos
Moderator
Moderator
175 Views
Registered: ‎03-19-2014

Re: Ultra Scale plus BOOT.bin encrypting using aes key

You can put the boot.bin into any flash boot - QSPI, SD, eMMC, etc.

0 Kudos
Visitor ccastell
Visitor
168 Views
Registered: ‎06-10-2019

Re: Ultra Scale plus BOOT.bin encrypting using aes key

Glena,

thanks. I've tried programming BOOT.bin into QSPI and it works as you say: at the reboot the QSPI content is loaded into BBRAM.

Well, I'm wondering if there is a way to create a single BOOT.bin containing both key and project in order to avoid the two uploads (KEY and PROJECT).

 

0 Kudos
Moderator
Moderator
135 Views
Registered: ‎03-19-2014

Re: Ultra Scale plus BOOT.bin encrypting using aes key

If a key does not exist, it will be generated in the first run; the boot.bin will be generated with that key in the second run. There is no means to generate a key and build a boot.bin with that new key in one pass.

0 Kudos
Visitor ccastell
Visitor
66 Views
Registered: ‎06-10-2019

Re: Ultra Scale plus BOOT.bin encrypting using aes key

Glena, I have noticed that if I use the JTAG to load into QSPI the BOOT.bin for the key and then the BOOT.bin for the encrypted project, no other encrypted projects can be loaded into QSPI via JTAG. The only way seems to be to use the SD card. Can you confirm this behavior? In case the SD slot is broken, is there an alternative to the SD?

0 Kudos
Moderator
Moderator
63 Views
Registered: ‎03-19-2014

Re: Ultra Scale plus BOOT.bin encrypting using aes key

When you boot secured, JTAG is disabled. This is a security feature, and the board is working as designed. If you want to have JTAG accessibility in secure boot, refer to AR6839.

0 Kudos
Visitor ccastell
Visitor
48 Views
Registered: ‎06-10-2019

Re: Ultra Scale plus BOOT.bin encrypting using aes key

Glena, thanks a lot for your answers. Let me ask another question. Is there a way to write more than one BOOT.bin into QSPI (at different addresses) and to decide which of the BOOTs to load when the board reboots?

0 Kudos
Visitor ccastell
Visitor
42 Views
Registered: ‎06-10-2019

Re: Ultra Scale plus BOOT.bin encrypting using aes key

In AR6839 it is suggested to add some lines to the FSBL. Which file must be modified? xfsbl_initialization.c? xfsbl_misc_drivers.c?

0 Kudos
Moderator
Moderator
34 Views
Registered: ‎03-19-2014

Re: Ultra Scale plus BOOT.bin encrypting using aes key

In many ways it depends on when you want to have JTAG access restored. I have typically re-enabled JTAG in the XFsbl_HookBeforeHandoff section in xfsbl_hooks.c.

0 Kudos
Visitor ccastell
Visitor
31 Views
Registered: ‎06-10-2019

Re: Ultra Scale plus BOOT.bin encrypting using aes key

I need to write QSPI via JTAG with an unencrypted project after I have written an encrypted one. Is adding the lines from AR6839 to the xfsbl_hooks.c file the way?
0 Kudos
Moderator
Moderator
19 Views
Registered: ‎03-19-2014

Re: Ultra Scale plus BOOT.bin encrypting using aes key

If you are booting encrypted, JTAG is disabled by the BootROM. To re-enable JTAG, follow AR6839.

0 Kudos