UPGRADE YOUR BROWSER

We have detected your current browser version is not the latest one. Xilinx.com uses the latest web technologies to bring you the best online experience possible. Please upgrade to a Xilinx.com supported browser:Chrome, Firefox, Internet Explorer 11, Safari. Thank you!

cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Explorer
Explorer
1,308 Views
Registered: ‎02-18-2014

Secure Key Driver linker script

Jump to solution

While following xapp1175_zynq_secure_boot.pdf, there's an instruction that doesn't go into any details why its significant.

 

It reads: "Change the location of the sections to ps7_ram_0_S_AXI_BASE_ADDR" presumably from ps7_ddr_0_S_AXI_BASEADDR.

 

Can the secure_key_driver standalone application not run from DDR? What if I don't have enough OCM for this application?

 

Thanks!

 

DDRvRAM.png
0 Kudos
1 Solution

Accepted Solutions
Moderator
Moderator
1,993 Views
Registered: ‎10-06-2016

Re: Secure Key Driver linker script

Jump to solution

Hi @justinlh

 

I just give a quick view to the secure_key_driver example of the XAPP and seems to be just and application to write/read Keys, no not related to the final application. The fact of using OCM in this case seems to not have a big reason, appart from not using DDR allows to create a BIF file without FSBL.

 

The FSBL is not included in the BIF when the Secure Key Driver is executed from OCM. The
FSBL is included in the BIF when the driver is executed from DDR. When executed from OCM,
the base address of the OCM must be used.

Regarding the OCM/DDR being volatile memory, you are right, but the point is that OCM is silicon internal memory so you can prevent the access with security features (JTAG disable,...) but for DDR on run-time attacker can access easily.

 

Regards

Ibai

 

 


Ibai
Don’t forget to reply, kudo, and accept as solution.
4 Replies
Moderator
Moderator
1,265 Views
Registered: ‎10-06-2016

Re: Secure Key Driver linker script

Jump to solution

Hi @justinlh

 

If not wrong the idea of running the application from the OCM is that this code is not accessible from the outside so is considered as a secure storage. There are multiple references to this fact in the XAPP by itself. i.e:

 

To protect sensitive software and data, the destination address needs to be within the Zynq
device's security perimeter, typically OCM or AXI BRAM

I did not read all the XAPP by I think that is the idea. So technically you could place your code in DDR but you have to ensure that you do not broke you security chain.

 

Regards,

Ibai


Ibai
Don’t forget to reply, kudo, and accept as solution.
Explorer
Explorer
1,262 Views
Registered: ‎02-18-2014

Re: Secure Key Driver linker script

Jump to solution

Thank you for the response.

 

So still a little hazy on this, the application I want to run (secure_key_driver); in my case, loads the RSA hash. I don't understand the benefit of "protect software and data" if my end goal is to have the application load my hash in the same place in memory regardless of where the application is ran from. Besides OCM or DDR are both volatile memory, so I'm clearly not trying to protect my app. I totally get wanting to protect what the hash is, but I guess I still don't understand why it matters where I run it. 

0 Kudos
Moderator
Moderator
1,994 Views
Registered: ‎10-06-2016

Re: Secure Key Driver linker script

Jump to solution

Hi @justinlh

 

I just give a quick view to the secure_key_driver example of the XAPP and seems to be just and application to write/read Keys, no not related to the final application. The fact of using OCM in this case seems to not have a big reason, appart from not using DDR allows to create a BIF file without FSBL.

 

The FSBL is not included in the BIF when the Secure Key Driver is executed from OCM. The
FSBL is included in the BIF when the driver is executed from DDR. When executed from OCM,
the base address of the OCM must be used.

Regarding the OCM/DDR being volatile memory, you are right, but the point is that OCM is silicon internal memory so you can prevent the access with security features (JTAG disable,...) but for DDR on run-time attacker can access easily.

 

Regards

Ibai

 

 


Ibai
Don’t forget to reply, kudo, and accept as solution.
Explorer
Explorer
1,254 Views
Registered: ‎02-18-2014

Re: Secure Key Driver linker script

Jump to solution

Makes must better sense now! I think I understand it now, thank you for the patience. This was very helpful!

0 Kudos