09-30-2015 09:09 AM
I'm trying to find out how to build an encrypted BOOT.BIN for a zynq with the petalinux tools (2015.2.1). As far as I can tell I need to use petalinux-package to build the BOOT.BIN, but I cannot find how to pass my encryption key and how to tell on which files to use it. Do I just have to resort to not using petalinux-package and use bootgen directly?
09-30-2015 09:36 AM - edited 09-30-2015 09:56 AM
Yes (you may use efuse key). Please consult xapp1175:
10-01-2015 12:17 AM
But XAPP1175 hardly mentions petalinux at all and certainly not the petalinux-package command.
So does petalinux-package support encryption? And if so what command line options are required?
10-01-2015 07:05 AM
You may use the efuse to boot both the PS and the PL. What you run once booted is up to you.
Once booted, you are assured that you have started from a known, authenticated and encrypted start point. After that, the rest is up to you (anti-tamper, use of trust zone, prevention from loading malicious code or bitstreams).
What are you trying to do? What do you think that loading encrypted petalinux is somehow going to provide you with?
What attacks are you attempting to prevent?
In any system, you should have clear security goals, the attack models, and so forth. Encryption, efuse keys are tools. What you build with them may not (in fact often not) meet your goals.
10-01-2015 08:49 AM
Thanks for trying to answer my question. Still, I have the feeling I need an answer from the people who created the petalinux tools.
The goal is to create a product which uses petalinux, which cannot be easily copied, but should be easy to update with new software. We think the efuse can help with that, mostly by protecting the PL image without which the hardware should be useless.
We don't think it is hard for anyone determined enough to copy our hardware design. All software will be loaded from SD-card so it's easily distributable. By encrypting the BOOT.BIN contents and thus the PL image with a unique key for every product it should be impossible (improbable?) to use this code on a different Zynq.
So, it's not petalinux itself that we necessarily want to encrypt.
Now back to your first statement:
You may use the efuse to boot both the PS and the PL.
How? I don't see how I should tell petalinux-package that the files should be encrypted.
I want to follow the petalinux workflow and only stray from that if absolutely necessary. Everything we add or do differently we have to document as well. I'm sure I could compile my own fsbl, my own u-boot, my own kernel, my own glibc, my own busybox, my own ramdisk, etc. But that is just too much work and awfully complicated. It is hard enough to get the kernel drivers in and working and to write the PL code.
10-01-2015 09:11 AM - edited 10-01-2015 09:12 AM
Figure 15 on page 25 of the document that I referenced describes how both the PL and the PS (and OS in your case) is encrypted and placed in the FSBL. On power on, the FSBL is accessed, and decrypted.
I agree that use of the efuse key presents a defense against simple cloning. The attacker would need to destroy a device (perhaps many devices) to discover the efuse programming, and that is pretty tough to do (decap, grind down, expose efuses, discover which ones are mapped to the key, interpret how they are used, etc.).
If the PL is the "secret sauce" that is your value, remaining in secure mode (not having code or logic to provide any back-doors: no use of PCAP, and no use of ICAP by a user) means that while running, the PL image cannot be read out (through JTAG or any other method).
Your specific OS configuration, code, is also protected by encryption, but depending on what you do with trust zone (tm ARM) you have to be careful that a user cannot just examine memory to get the decrypted image of the OS in memory once you are running. If no trust zones are established, then reading memory is easy to do.
10-09-2015 09:24 AM
I was just googling the same topic. Did you find a way to make petalinux encrypt the bitstream which is packaged into the BOOT.BIN? Did you make any modifications to the petalinux-scripts or could you find any documentation on how to use the petalinux flow with encryption?
Thanks in advance for any hint...
10-09-2015 02:17 PM
10-09-2015 04:45 PM
I've given up on petalinux-package and use bitgen with my own .bif-file.
But it would have been nice if someone had just said that it isn't supported.
10-13-2015 05:59 AM - edited 10-13-2015 06:00 AM
I could not find any -bif option for petalinux-package.
I successfully built a BOOT.BIN using bootgen and a bif-file. Also removed the petalinux-package tool from my usual design-flow. Thanks for your help.
However, though everything works fine with the key stored in BBRAM, I did not have success with the efuse. When trying to program the AES key, I get the error message:
ERROR: [Labtools 27-3105] HW Server Error: Could not program property key bits 0x3DBC9F41
Any idea on this?
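The bootgen-plus-.bif flow that the last two posts settled on (bypassing petalinux-package), written out as an added example that is not code from the thread or from the Xilinx tools; the partition file names, the key-file name and the output paths are assumptions, and the bootgen step is skipped when the tool is not installed:

```shell
#!/bin/sh
# Constructed example: a Zynq-7000 .bif that asks bootgen to AES-encrypt
# the FSBL, the PL bitstream and u-boot with the key held in the efuse.
# File names (zynq_fsbl.elf, system.bit, u-boot.elf, bootimage.nky) are
# assumptions; substitute the outputs of your own PetaLinux build.
set -e

# Writes the .bif to the path given as $1 and echoes that path back.
# Every partition that carries "encryption=aes" is encrypted; anything
# listed without it (e.g. a plain ramdisk) ships in the clear.
write_encrypted_bif() {
    bif="$1"
    cat > "$bif" <<'EOF'
the_ROM_image:
{
    [aeskeyfile] bootimage.nky
    [bootloader, encryption=aes] zynq_fsbl.elf
    [encryption=aes] system.bit
    [encryption=aes] u-boot.elf
}
EOF
    echo "$bif"
}

# Builds BOOT.BIN with the efuse selected as key source (-encrypt efuse);
# pass "bbram" as $3 while the key is still being tested in BBRAM, as the
# poster above did. Only runs when bootgen is on PATH.
build_boot_bin() {
    bif="$1"; out="$2"; keysrc="${3:-efuse}"
    if ! command -v bootgen >/dev/null 2>&1; then
        echo "bootgen not found on PATH; skipping image build" >&2
        return 0
    fi
    bootgen -image "$bif" -o "$out" -encrypt "$keysrc" -w on
}

# Counts partitions marked for encryption: a quick review check that the
# bitstream (the "secret sauce") was not accidentally left unencrypted.
count_encrypted_partitions() {
    grep -c 'encryption=aes' "$1"
}
```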
10-13-2015 06:25 AM
Ok, just found that I can program the efuse after the PL has been programmed. This is odd, since all documentation says the PL should not be programmed during efuse programming...