Anonymous
Not applicable
8,624 Views

Secure boot with u-boot on Zynq

Hi,

We have a Zynq 7045 based board where a secure boot process with two boot images is foreseen.

The first boot image contains the FSBL & u-boot and is stored in a QSPI flash.

The second boot image contains the PL bitstream & OS and shall be loaded over Ethernet by u-boot.

All partitions shall be encrypted and signed.

I found the two commands zynqaes and zynqrsa in u-boot which are intended for secure boot.

I managed to decrypt partitions with the zynqaes command and also to configure the PL by specifying the destination address as 0xFFFFFFFF.

But since I also want to sign the partitions, I have to use zynqrsa (which does decryption too).

The problem with the zynqrsa is that it doesn't support PL bitstreams, as can be seen in the code:

if (part_attr & ZYNQ_ATTRIBUTE_PL_IMAGE_MASK) {
	printf("Bitstream\r\n");
	return -1;
}

from https://github.com/Xilinx/u-boot-xlnx/blob/master/common/cmd_zynq_rsa.c#L476

Does anyone know why PL bitstreams are explicitly not supported by the zynqrsa command in u-boot?

Furthermore, I dislike that the first two partitions are skipped in any case, as defined here:

/* Skip the first two partitions FSBL and u-boot */
partition_num = 2;

from https://github.com/Xilinx/u-boot-xlnx/blob/master/common/cmd_zynq_rsa.c#L453

I don't have the FSBL and u-boot inside the boot image which I use the zynqrsa command for.

Anyway, I think starting from partition 0 will not harm, because only partitions with u-boot as partition owner are processed.

Does anyone agree or disagree with not skipping the first two partitions?

Regards Allen

0 Kudos
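The partition walk discussed in the post above, modelled as an added example (not code from the post or from u-boot-xlnx). The EX_ bit values, the order of the two checks, and the sample attribute words are assumptions made for illustration; the example shows how a fixed start index of 2 leaves every partition of a two-partition second-stage image unexamined, while starting at 0 changes nothing for a combined image because owner filtering already ignores the FSBL-owned partitions.

```c
#include <stdint.h>
#include <stddef.h>

/* Assumed bit layout for illustration; not copied from cmd_zynq_rsa.c. */
#define EX_ATTR_PL_IMAGE     0x00000020u  /* destination is the PL (bitstream) */
#define EX_ATTR_OWNER_MASK   0x00030000u
#define EX_ATTR_OWNER_FSBL   0x00000000u
#define EX_ATTR_OWNER_UBOOT  0x00010000u

struct walk_result {
    int processed;    /* u-boot-owned, non-PL partitions that would be verified */
    int not_owned;    /* partitions left alone because u-boot is not the owner */
    int skipped;      /* partitions never examined because index < start */
    int rejected_at;  /* index of the first u-boot-owned PL partition, or -1 */
};

/* Model of the walk: begin at `start`, handle only partitions owned by
 * u-boot, and stop with an error when one of them is a PL bitstream. */
struct walk_result walk_partitions(const uint32_t *attrs, size_t count, size_t start)
{
    struct walk_result r = { 0, 0, 0, -1 };

    r.skipped = (int)(start < count ? start : count);
    for (size_t i = start; i < count; i++) {
        if ((attrs[i] & EX_ATTR_OWNER_MASK) != EX_ATTR_OWNER_UBOOT) {
            r.not_owned++;            /* someone else's partition: ignore */
            continue;
        }
        if (attrs[i] & EX_ATTR_PL_IMAGE) {
            r.rejected_at = (int)i;   /* mirrors the "Bitstream" return -1 */
            break;
        }
        r.processed++;
    }
    return r;
}

/* Constructed sample images (attribute words only). */
/* Combined image: FSBL, u-boot, then one u-boot-owned OS partition. */
const uint32_t ex_combined[] = {
    EX_ATTR_OWNER_FSBL, EX_ATTR_OWNER_FSBL, EX_ATTR_OWNER_UBOOT
};
/* Second-stage image as described in the post: OS partition and PL
 * bitstream, both u-boot-owned, with no FSBL or u-boot in front. */
const uint32_t ex_second[] = {
    EX_ATTR_OWNER_UBOOT, EX_ATTR_OWNER_UBOOT | EX_ATTR_PL_IMAGE
};
```

A partition counted in `skipped` is neither decrypted nor signature-checked by this walk, so anything that later consumes it has to obtain that assurance elsewhere.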
4 Replies
Xilinx Employee
8,555 Views
Registered: ‎09-10-2008

Re: Secure boot with u-boot on Zynq

Hi Allen,

Did you ever get any resolution on this topic? I'm interested also. Did you find any docs on the zynqrsa and zynqaes commands in u-boot (maybe I missed it somewhere other than in the source code)?

Thanks

John

0 Kudos
Anonymous
Not applicable
7,340 Views

Re: Secure boot with u-boot on Zynq

Hi John

Sorry, I just saw your post right now.

No, I never got any answer.

I solved the problem by changing the u-boot source code on my own.

No, unfortunately there are no docs describing the zynqrsa or zynqaes commands (Xilinx support confirmed this).

Regards

Allen

620 Views
Registered: ‎10-18-2018

Re: Secure boot with u-boot on Zynq

Hello from the future,

Are there any further improvements and news on this topic?

Also, could you please share your modified u-boot?

Kind regards,

Dosto

0 Kudos
Visitor
554 Views
Registered: ‎01-22-2019

Re: Secure boot with u-boot on Zynq

Hi Dosto

It's been a while...

From my side there is no news about this topic. But I did not really follow up on this topic since we did not go any further with secure boot.

Nevertheless, I attached the patch which worked back then.

Loading PL bitstreams from u-boot worked with the patch. The trick was to set the load addr to 0xffffffff. But I also had to copy some code from the FSBL.

Regards

Allen

0 Kudos