UPGRADE YOUR BROWSER

We have detected your current browser version is not the latest one. Xilinx.com uses the latest web technologies to bring you the best online experience possible. Please upgrade to a Xilinx.com supported browser:Chrome, Firefox, Internet Explorer 11, Safari. Thank you!

cancel
Showing results for 
Search instead for 
Did you mean: 
Visitor sadik.arslan
Visitor
350 Views
Registered: ‎02-18-2019

Zynq Configuration Read Back

Hi,

I'am using 2070 serie Zynq with linux with a project.  Some of PL codes which should be protected are loaded partially at runtime. I have a couple of guestions. Thanks in advance.

Security is a fairly important issue for the project. As I have understood till now from the documents I can read the code back somehow. As yet I didn't use the aes engine provided in Zynq, but I'm planning.  If I use encrypted configuration or not, in both case I can read the plain configuration (unencrypted), right?

The second question is that: The encryption key has a fuse to prevent to read back. Why there is no a fuse mechanism for configuration code and will Xilinx do it in later times  (or verisons)?     

0 Kudos
4 Replies
Adventurer
Adventurer
341 Views
Registered: ‎02-12-2016

Re: Zynq Configuration Read Back

I hate to just refer to a document, but I've had a similar project on the Zynq UltraScale+ and have simply learned the whole documentation by heart.
ZAPP1084 should have what you need concerning what's supported by the 7-series Zynq.
"Whenever an encrypted bitstream is loaded into the FPGA, readback of the internal
configuration memory cannot be performed by any of the external interfaces (including JTAG). "

So no, you cannot read back the configuration with a secure boot, i.e. with an encrypted or authenticated bitstream.

Here you have all the eFUSE regs: https://www.xilinx.com/support/answers/65110.html
Two interesting ones are :
DFT JTAG Disable
DFT Mode Disable (final eFUSE you'll write).
Make sure you have a quiet environment for writing the eFUSEs as this is a sensitive process.
0 Kudos
Visitor sadik.arslan
Visitor
330 Views
Registered: ‎02-18-2019

Re: Zynq Configuration Read Back

Thank you for reply and  precious information.

Ok, I cannot read the configuration from JTAG interface provided that the code is encrypted - that is also important-, but I am not sure whether I can read PS's programming port (via PCAP) by a software.I mean that  when I get a third party encrypted configuration code, I can read it unauthorizedly, moreover wth unencrypted condition. That's what I don't want to do.   

 

0 Kudos
Adventurer
Adventurer
305 Views
Registered: ‎02-12-2016

Re: Zynq Configuration Read Back

So you want to disable PCAP because you will run potentially unsafe SW on the PS? So the Zynq 7 base all trust in the PS as it controls the ICAP PCAP mux. There seem to be a register for disabling PCAP until next configuration. XDcfg_DisablePCAP
You can also disable partial reconfiguration.
0 Kudos
Visitor sadik.arslan
Visitor
287 Views
Registered: ‎02-18-2019

Re: Zynq Configuration Read Back

The answer of your question is yes. SW running on the PS has not to read back the unencrypted configuration, but only write encrypted state of it for deploying to the PL, that is the proplem. It is acceptable If I read the configuration back, the code would encrypted again. But I think the configuration read back is unencrypted!
0 Kudos