Visitor anotter
Registered: ‎09-08-2015

Secure boot with u-boot on Zynq

Hi,

We have a Zynq 7045 based board where a secure boot process with two boot images is foreseen.

The first boot image contains the FSBL & u-boot and is stored in a QSPI flash.

The second boot image contains the PL bitstream & OS and shall be loaded over Ethernet by u-boot.

All partitions shall be encrypted and signed.

I found the two commands zynqaes and zynqrsa in u-boot which are intended for secure boot.

I managed to decrypt partitions with the zynqaes command and also to configure the PL by specifying the destination address as 0xFFFFFFFF.

But since I also want to sign the partitions I have to use zynqrsa (which does decryption too).

The problem with the zynqrsa is that it doesn't support PL bitstreams, as can be seen in the code:

if (part_attr & ZYNQ_ATTRIBUTE_PL_IMAGE_MASK) {
	printf("Bitstream\r\n");
	return -1;
}

from https://github.com/Xilinx/u-boot-xlnx/blob/master/common/cmd_zynq_rsa.c#L476

 

Does anyone know why PL bitstreams are explicitly not supported by the zynqrsa command in u-boot?

 

Furthermore, I dislike that the first two partitions are skipped in any case, as defined here:

/* Skip the first two partitions FSBL and u-boot */
partition_num = 2;

from https://github.com/Xilinx/u-boot-xlnx/blob/master/common/cmd_zynq_rsa.c#L453

 

I don't have the FSBL and u-boot inside the boot image which I use the zynqrsa command for.

Anyway, I think starting from partition 0 will not harm, because only partitions with u-boot as partition owner are processed.

Does anyone agree or disagree with not skipping the first two partitions?

 

Regards Allen

0 Kudos
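An added example, not part of the original post and not code from the u-boot source: a simplified C model of the partition walk discussed above, showing how the start index and the owner filter together decide which partitions reach authentication. The `ex_` names, the attribute bit values and the sample images are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Hypothetical attribute bits for this example only; take the real masks
 * from the Zynq headers in your own u-boot tree. */
#define EX_ATTR_PL_IMAGE    0x00000020u /* partition targets the PL */
#define EX_ATTR_OWNER_MASK  0x00030000u
#define EX_ATTR_OWNER_UBOOT 0x00010000u /* partition is handled by u-boot */
struct ex_walk {
    unsigned verified;      /* partitions that reached authentication */
    unsigned skipped_owned; /* u-boot-owned partitions never examined */
    int rc;                 /* -1 if the walk aborted on a bitstream */
};

/* Simplified model of a zynqrsa-style partition walk. first_part is the
 * starting index; allow_pl = 0 mirrors the early return on a PL image. */
struct ex_walk ex_walk_partitions(const uint32_t *attrs, size_t n,
                                  size_t first_part, int allow_pl)
{
    struct ex_walk w = { 0, 0, 0 };
    for (size_t i = 0; i < n && i < first_part; i++)
        if ((attrs[i] & EX_ATTR_OWNER_MASK) == EX_ATTR_OWNER_UBOOT)
            w.skipped_owned++;
    for (size_t i = first_part; i < n; i++) {
        if ((attrs[i] & EX_ATTR_OWNER_MASK) != EX_ATTR_OWNER_UBOOT)
            continue; /* owner filter: not ours to process */
        if ((attrs[i] & EX_ATTR_PL_IMAGE) && !allow_pl) {
            w.rc = -1;
            return w;
        }
        w.verified++;
    }
    return w;
}

/* Constructed sample images, one attribute word per partition. */
const uint32_t ex_full_image[] = { 0, 0, /* FSBL, u-boot: not u-boot-owned */
    EX_ATTR_OWNER_UBOOT | EX_ATTR_PL_IMAGE, EX_ATTR_OWNER_UBOOT };
const uint32_t ex_second_image[] = { /* bitstream + OS only */
    EX_ATTR_OWNER_UBOOT | EX_ATTR_PL_IMAGE, EX_ATTR_OWNER_UBOOT };

int main(void)
{
    struct ex_walk a = ex_walk_partitions(ex_second_image, 2, 2, 1);
    struct ex_walk b = ex_walk_partitions(ex_second_image, 2, 0, 1);
    printf("start=2 verified=%u missed=%u; start=0 verified=%u missed=%u\n",
           a.verified, a.skipped_owned, b.verified, b.skipped_owned);
    return 0;
}
```

For the constructed second image, a start index of 2 leaves both u-boot-owned partitions unexamined, while a start index of 0 processes both. For the constructed full image the two start indexes give the same result, because the owner filter passes over the first two partitions.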
4 Replies
Xilinx Employee
Registered: ‎09-10-2008

Re: Secure boot with u-boot on Zynq

Hi Allen,

Did you ever get any resolution on this topic? I'm interested also. Did you find any docs on the zynqrsa and zynqaes commands in u-boot (maybe I missed it somewhere other than in the source code)?

 

Thanks

John

0 Kudos
Visitor anotter
Registered: ‎09-08-2015

Re: Secure boot with u-boot on Zynq

Hi John

Sorry, I just saw your post right now.

No, I never got any answer.

I solved the problem by changing the u-boot source code on my own.

No, unfortunately there are no docs describing the zynqrsa or zynqaes commands (Xilinx support confirmed this).

 

Regards

Allen

 

310 Views
Registered: ‎10-18-2018

Re: Secure boot with u-boot on Zynq

Hello from the future,

Are there any further improvements and news on this topic?

Also, could you please share your modified u-boot?

Kind regards,

Dosto

0 Kudos
Visitor anotter
Registered: ‎01-22-2019

Re: Secure boot with u-boot on Zynq

Hi Dosto

It's been a while...

From my side there is no news about this topic. But I did not really follow up on this topic since we did not go any further with secure boot.

Nevertheless, I attached the patch which worked back then.

Loading PL bitstreams from u-boot worked with the patch. The trick was to set the load addr to 0xffffffff. But I also had to copy some code from the FSBL.

Regards

Allen

0 Kudos