How to ensure only secure load of encrypted bitstreams from kernel? (zc706)
I have securely booted up using AES encryption (stroring key in BBRAM). From the kernel, I want to only be able to load in secure encrypted bitstreams, doing something like "cp < bitstream.bit, /devCfg".
I have found that despite setting all of the proper register values in devcfg's CTRL (0x4e80ee80), PL bitstreams that are not encrypted are able to be successfully loaded into the PL. I can disable the PCAP so that no bitstreams can be loaded in, but that is not what I am looking for.
Is there any way to make all bitstreams that are sent to devcfg during runtime be sent to the AES decryption engine?
I have PCAP_PR and PCAP_MODE set to 1 to create the path from devc. Now my question is... is there a way I can make sure the bitstream going into the PL config module will always be sent to the AES/HMAC engine to ensure only an encrypted bitstream can be loaded?