cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Highlighted
Visitor
Visitor
597 Views
Registered: ‎10-04-2017

How to ensure only secure load of encrypted bitstreams from kernel? (zc706)

I have securely booted up using AES encryption (stroring key in BBRAM). From the kernel, I want to only be able to load in secure encrypted bitstreams, doing something like "cp < bitstream.bit, /devCfg".

 

I have found that despite setting all of the proper register values in devcfg's CTRL (0x4e80ee80), PL bitstreams that are not encrypted are able to be successfully loaded into the PL. I can disable the PCAP so that no bitstreams can be loaded in, but that is not what I am looking for.

 

Is there any way to make all bitstreams that are sent to devcfg during runtime be sent to the AES decryption engine?

0 Kudos
1 Reply
Highlighted
Visitor
Visitor
589 Views
Registered: ‎10-04-2017

 

For example, showing figure 6.2 from ug585...

6.2.PNG

I have PCAP_PR and PCAP_MODE set to 1 to create the path from devc. Now my question is... is there a way I can make sure the bitstream going into the PL config module will always be sent to the AES/HMAC engine to ensure only an encrypted bitstream can be loaded?

 

0 Kudos