vanmierlo
Mentor
9,591 Views
Registered: ‎06-10-2008

Can petalinux-package use an efuse key?

Hello,

 

I'm trying to find out how to build an encrypted BOOT.BIN for a zynq with the petalinux tools (2015.2.1). As far as I can tell I need to use petalinux-package to build the BOOT.BIN, but I cannot find how to pass my encryption key and how to tell on which files to use it. Do I just have to resort to not using petalinux-package and use bootgen directly?

 

Thanks,

Maarten

0 Kudos
10 Replies
austin
Scholar
9,584 Views
Registered: ‎02-27-2008

0 Kudos
vanmierlo
Mentor
9,561 Views
Registered: ‎06-10-2008

But XAPP1175 hardly mentions petalinux at all and certainly not the petalinux-package command.

 

So does petalinux-package support encryption? And if so what command line options are required?

0 Kudos
austin
Scholar
9,554 Views
Registered: ‎02-27-2008

v,

 

You may use the efuse to boot both the PS and the PL.  What you run once booted is up to you.

 

Once booted, you are assured that you have started from a known, authenticated and encrypted start point.  After that, the rest is up to you (anti-tamper, use of trust zone, prevention from loading malicious code or bitstreams).

 

What are you trying to do?  What do you think that loading encrypted petalinux is somehow going to provide you with?

 

What attacks are you attempting to prevent?

 

In any system, you should have clear security goals, the attack models, and so forth.  Encryption, efuse keys are tools.  What you build with them may not (in fact often not) meet your goals.

 

 

Austin Lesea
Principal Engineer
Xilinx San Jose
0 Kudos
vanmierlo
Mentor
9,549 Views
Registered: ‎06-10-2008

Hello Austin,

 

Thanks for trying to answer my question. Still, I have the feeling I need an answer from the people who created the petalinux tools.

 

The goal is to create a product which uses petalinux, which cannot be easily copied, but should be easy to update with new software. We think the efuse can help with that, mostly by protecting the PL image without which the hardware should be useless.

 

We don't think it is hard for anyone determined enough to copy our hardware design. All software will be loaded from SD-card so it's easily distributable. By encrypting the BOOT.BIN contents and thus the PL image with a unique key for every product it should be impossible (improbable?) to use this code on a different Zynq.

 

So, it's not petalinux itself that we necessarily want to encrypt.

 

Now back to your first statement:


@austin wrote:

You may use the efuse to boot both the PS and the PL.

 


How? I don't see how I should tell petalinux-package that the files should be encrypted.

 

I want to follow the petalinux workflow and only stray from that if absolutely necessary. Everything we add or do differently we have to document as well. I'm sure I could compile my own fsbl, my own u-boot, my own kernel, my own glibc, my own busybox, my own ramdisk, etc. But that is just too much work and awfully complicated. It is hard enough to get the kernel drivers in and working and to write the PL code.

 

Maarten

0 Kudos
austin
Scholar
9,545 Views
Registered: ‎02-27-2008

Figure 15 on page 25 of the document that I referenced describes how both the PL and the PS (and OS in your case) are encrypted and placed in the FSBL.  On power on, the FSBL is accessed, and decrypted.

 

I agree that use of the efuse key presents a defense against simple cloning.  The attacker would need to destroy a device (perhaps many devices) to discover the efuse programming, and that is pretty tough to do (decap, grind down, expose efuses, discover which ones are mapped to the key, interpret how they are used, etc.).

 

If the PL is the "secret sauce" that is your value, remaining in secure mode (not having code or logic to provide any back-doors:  no use of PCAP, and no use of ICAP by a user) means that while running, the PL image cannot be read out (through JTAG or any other method).

 

Your specific OS configuration, code, is also protected by encryption, but depending on what you do with trust zone (tm ARM) you have to be careful that a user cannot just examine memory to get the decrypted image of the OS in memory once you are running.  If no trust zones are established, then reading memory is easy to do.

 

 

 

 

Austin Lesea
Principal Engineer
Xilinx San Jose
0 Kudos
barco2
Adventurer
9,508 Views
Registered: ‎02-13-2009

Hi Maarten,

 

I was just googling the same topic. Did you find a way to make petalinux encrypt the bitstream which is packaged into the BOOT.BIN? Did you make any modifications to the petalinux-scripts or could you find any documentation on how to use the petalinux flow with encryption?

 

Thanks in advance for any hint...

Martin

0 Kudos
linnj
Xilinx Employee
9,501 Views
Registered: ‎09-10-2008

Hi Martin,

What about the -bif option of petalinux-package and then provide your own bif file which is about the same as just using bootgen manually, but does stay in the petalinux tool flow?

I'm not an expert in the secure stuff at all (full disclosure :)).

It looks like there are also switches for file-attribute and bif-attribute* such that you can override small parts of the bif file without specifying an entirely different bif file.

Thanks
John
0 Kudos
vanmierlo
Mentor
9,495 Views
Registered: ‎06-10-2008

I've given up on petalinux-package and use bitgen with my own .bif-file.

 

But it would have been nice if someone had just said that it isn't supported.

0 Kudos
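The workflow John and Maarten describe (a hand-written BIF given to bootgen, or to petalinux-package through a --bif option) as an added example that is not code from this thread, from PetaLinux or from Xilinx: a small shell helper that writes a Zynq-7000 BIF marking the FSBL, the PL bitstream and U-Boot for AES encryption with a key from a .nky file, plus a check that no partition was left in the clear. The file names (zynq_fsbl.elf, system.bit, u-boot.elf, my_key.nky), the bootgen flags in run_bootgen and the availability of --bif in the 2015.2.1 release are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Xilinx.
# write_encrypted_bif writes a Zynq-7000 BIF that asks bootgen to AES-encrypt
# the FSBL, the PL bitstream and U-Boot with the key held in a .nky file.
# Usage: write_encrypted_bif OUT_BIF KEYFILE FSBL_ELF BITSTREAM UBOOT_ELF
write_encrypted_bif() {
    out="$1"; keyfile="$2"; fsbl="$3"; bit="$4"; uboot="$5"
    cat > "$out" <<EOF
the_ROM_image:
{
    [aeskeyfile] $keyfile
    [bootloader, encryption=aes] $fsbl
    [encryption=aes] $bit
    [encryption=aes] $uboot
}
EOF
}

# count_encrypted_partitions BIF: prints how many partitions carry
# encryption=aes, so a reviewer can confirm what will be encrypted.
count_encrypted_partitions() {
    grep -c 'encryption=aes' "$1"
}

# list_plain_partitions BIF: prints every partition line that lacks
# encryption=aes (the key-file line is not a partition and is skipped).
# Exit status 0 means at least one plain partition was found.
list_plain_partitions() {
    grep '^[[:space:]]*\[' "$1" | grep -v 'aeskeyfile' | grep -v 'encryption=aes'
}

# run_bootgen BIF OUT_BIN: the bootgen invocation for a Zynq-7000 image
# (assumed flags; bootgen must be on PATH). Not called below.
run_bootgen() {
    bootgen -image "$1" -arch zynq -o "$2" -w on
}

# Demo with assumed (placeholder) file names:
write_encrypted_bif boot.bif my_key.nky zynq_fsbl.elf system.bit u-boot.elf
echo "partitions marked for encryption: $(count_encrypted_partitions boot.bif)"
if list_plain_partitions boot.bif; then
    echo "warning: the partitions above would be packaged unencrypted"
fi
# then: run_bootgen boot.bif BOOT.BIN
# or:   petalinux-package --boot --bif boot.bif   (assumed option)
```

The check is deliberately simple: it only looks at the BIF text, so a partition that is added later without the encryption attribute shows up before bootgen is run, which is the point at which an unencrypted bitstream would otherwise slip into BOOT.BIN unnoticed.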
barco2
Adventurer
9,434 Views
Registered: ‎02-13-2009

Hi John,

 

I could not find any -bif option for petalinux-package.

 

Hi Maarten,

 

I successfully built a BOOT.BIN using bootgen and a bif-file. Also removed the petalinux-package tool from my usual design-flow. Thanks for your help.

 

However, though everything works fine with the key stored in BBRAM, I did not have success with the efuse. When trying to program the AES key, I get the error message:

 

ERROR: [Labtools 27-3105] HW Server Error: Could not program property key bits 0x3DBC9F41

 

Any idea on this?

 

Thanks
Martin

0 Kudos
barco2
Adventurer
6,951 Views
Registered: ‎02-13-2009

Ok, just found that I can program the efuse after the PL has been programmed. This is odd, since all documentation says the PL should not be programmed during efuse programming...

0 Kudos