UPGRADE YOUR BROWSER

We have detected your current browser version is not the latest one. Xilinx.com uses the latest web technologies to bring you the best online experience possible. Please upgrade to a Xilinx.com supported browser:Chrome, Firefox, Internet Explorer 11, Safari. Thank you!

cancel
Showing results for 
Search instead for 
Did you mean: 
433 Views
Registered: ‎05-23-2018

Bootfile/memory authentication for Zynq US+

Jump to solution

Hi,

 

Is it possible to verify that the bootfile and/or boot memory has not been tampered with (e.g. the bootfile has been replaced)? We need to make sure that the Zynq does not run another program than it was intended for originally - is this possible to verify somehow?

 

Best regards,

Erasmus Cedernaes

0 Kudos
1 Solution

Accepted Solutions
Xilinx Employee
Xilinx Employee
382 Views
Registered: ‎06-06-2018

Re: Bootfile/memory authentication for Zynq US+

Jump to solution

Hi @erasmus.cedernaes.saab,

Zynq Ultrascale+ will only check for CRC errors in Bitstream. If you perform readback, you should only verify that. for more information on verify please refer page 185 of UG570 (v1.9.1).

Another suggestion for your issue :

So in your case, please encrypt the Bitstream, so that a 256Bit key will be generated for your bitstream. And you need to program that key in FPGA (BBRAM or efuse). Then if you try to program the FPGA with corresponding Encrypted bitstream your FPGA will get programmed. Or if you try to program with an other Encrypted bitstream. FPGA will not get configured. So key will protect your FPGA from incorrect encrypted Bitstream.

For more information of AES(Advanced Encrytpion Standard), please refer page 123 of UG570 (v1.9.1). And regarding how to perform AES please refer page 71 of UG908 (v2018.3).

Note : an unencrypted Bitstream can be programmed to FPGA, even though key is present and readback cannot be performed if you use AES.

Regards,

Deepak D N

-------------------------------------------------------------------------------------------

Please reply or Give Kudo or Mark it as an Accepted Solution.

------------------------------------------------------------------------------------------

 

0 Kudos
3 Replies
Highlighted
Xilinx Employee
Xilinx Employee
421 Views
Registered: ‎06-06-2018

Re: Bootfile/memory authentication for Zynq US+

Jump to solution

Hi @erasmus.cedernaes.saab,

you can verify the bootfile dumped in memory by using this Tcl Command as shown below:

rd1.JPG

 

For more information please refer page 67 of UG908.

 

In this way you can verify that bootfile has been tampered or changed.

Hope this helps.

 

Regards,

Deepak D N

---------------------------------------------------------------------------------

Please reply or Give Kudo or mark it as an Accepted Solution.

----------------------------------------------------------------------------------

0 Kudos
390 Views
Registered: ‎05-23-2018

Re: Bootfile/memory authentication for Zynq US+

Jump to solution

Hi,

Thank you for the answer.

I should clarify: can the Zynq authenticate the bootfile in field? We want to make sure that the bootfile is not switched by a customer since the hardware will process sensitive information.

Best regards,

Erasmus Cedernaes

0 Kudos
Xilinx Employee
Xilinx Employee
383 Views
Registered: ‎06-06-2018

Re: Bootfile/memory authentication for Zynq US+

Jump to solution

Hi @erasmus.cedernaes.saab,

Zynq Ultrascale+ will only check for CRC errors in Bitstream. If you perform readback, you should only verify that. for more information on verify please refer page 185 of UG570 (v1.9.1).

Another suggestion for your issue :

So in your case, please encrypt the Bitstream, so that a 256Bit key will be generated for your bitstream. And you need to program that key in FPGA (BBRAM or efuse). Then if you try to program the FPGA with corresponding Encrypted bitstream your FPGA will get programmed. Or if you try to program with an other Encrypted bitstream. FPGA will not get configured. So key will protect your FPGA from incorrect encrypted Bitstream.

For more information of AES(Advanced Encrytpion Standard), please refer page 123 of UG570 (v1.9.1). And regarding how to perform AES please refer page 71 of UG908 (v2018.3).

Note : an unencrypted Bitstream can be programmed to FPGA, even though key is present and readback cannot be performed if you use AES.

Regards,

Deepak D N

-------------------------------------------------------------------------------------------

Please reply or Give Kudo or Mark it as an Accepted Solution.

------------------------------------------------------------------------------------------

 

0 Kudos