UPGRADE YOUR BROWSER

We have detected your current browser version is not the latest one. Xilinx.com uses the latest web technologies to bring you the best online experience possible. Please upgrade to a Xilinx.com supported browser:Chrome, Firefox, Internet Explorer 11, Safari. Thank you!

cancel
Showing results for 
Search instead for 
Did you mean: 
Visitor jwsheppa
Visitor
537 Views
Registered: ‎10-04-2017

How to ensure only secure load of encrypted bitstreams from kernel? (zc706)

I have securely booted up using AES encryption (stroring key in BBRAM). From the kernel, I want to only be able to load in secure encrypted bitstreams, doing something like "cp < bitstream.bit, /devCfg".

 

I have found that despite setting all of the proper register values in devcfg's CTRL (0x4e80ee80), PL bitstreams that are not encrypted are able to be successfully loaded into the PL. I can disable the PCAP so that no bitstreams can be loaded in, but that is not what I am looking for.

 

Is there any way to make all bitstreams that are sent to devcfg during runtime be sent to the AES decryption engine?

0 Kudos
1 Reply
Highlighted
Visitor jwsheppa
Visitor
529 Views
Registered: ‎10-04-2017

Re: How to ensure only secure load of encrypted bitstreams from kernel? (zc706)

 

For example, showing figure 6.2 from ug585...

6.2.PNG

I have PCAP_PR and PCAP_MODE set to 1 to create the path from devc. Now my question is... is there a way I can make sure the bitstream going into the PL config module will always be sent to the AES/HMAC engine to ensure only an encrypted bitstream can be loaded?

 

0 Kudos