[U-Boot] [RFC PATCH 1/2] fpga: xilinx: zynq: Add support to decrypt images

Stefan Herbrechtsmeier stefan at herbrechtsmeier.net
Thu Apr 19 18:47:53 UTC 2018 

Am 02.04.2018 um 08:15 schrieb Siva Durga Prasad Paladugu:
> This patch adds support to decrypt an encrypted bitstream
> or image. This zynq aes command can either load decrypted
> image back to DDR or it can load an encrypted bitsream to
> PL directly by decrypting it. The image has to be encrypted
> using xilinx bootgen tool and to get only the encrypted
> image from tool use -split option while invoking bootgen.
>
> Signed-off-by: Siva Durga Prasad Paladugu <sivadur at xilinx.com>
> ---
>   arch/arm/Kconfig          |   1 +
>   board/xilinx/zynq/Kconfig |  14 ++++
>   drivers/fpga/zynqpl.c     | 158 ++++++++++++++++++++++++++++++++++++++++++++++
>   include/zynqpl.h          |   5 ++
>   4 files changed, 178 insertions(+)
>   create mode 100644 board/xilinx/zynq/Kconfig
>
> diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
> index 068ea1e..e0cd1d8 100644
> --- a/arch/arm/Kconfig
> +++ b/arch/arm/Kconfig
> @@ -1360,6 +1360,7 @@ source "board/toradex/colibri_pxa270/Kconfig"
>   source "board/vscom/baltos/Kconfig"
>   source "board/woodburn/Kconfig"
>   source "board/work-microwave/work_92105/Kconfig"
> +source "board/xilinx/zynq/Kconfig"
>   source "board/xilinx/zynqmp/Kconfig"
>   source "board/zipitz2/Kconfig"
>
> diff --git a/board/xilinx/zynq/Kconfig b/board/xilinx/zynq/Kconfig
> new file mode 100644
> index 0000000..f8f8a7f
> --- /dev/null
> +++ b/board/xilinx/zynq/Kconfig
> @@ -0,0 +1,14 @@
> +# Copyright (c) 2018, Xilinx, Inc.
> +#
> +# SPDX-License-Identifier: GPL-2.0
> +
> +if ARCH_ZYNQ
> +
> +config CMD_ZYNQ_AES
> +       bool "Zynq AES"
> +       default y
> +       help
> +         Decrypts the encrypted image present in source address
> +         and places the decrypted image at destination address.
> +
> +endif
> diff --git a/drivers/fpga/zynqpl.c b/drivers/fpga/zynqpl.c
> index db9bd12..fcffc2d 100644
> --- a/drivers/fpga/zynqpl.c
> +++ b/drivers/fpga/zynqpl.c
> @@ -18,6 +18,7 @@
>
>   #define DEVCFG_CTRL_PCFG_PROG_B                0x40000000
>   #define DEVCFG_CTRL_PCFG_AES_EFUSE_MASK        0x00001000
> +#define DEVCFG_CTRL_PCAP_RATE_EN_MASK  0x02000000
>   #define DEVCFG_ISR_FATAL_ERROR_MASK    0x00740040
>   #define DEVCFG_ISR_ERROR_FLAGS_MASK    0x00340840
>   #define DEVCFG_ISR_RX_FIFO_OV          0x00040000
> @@ -498,3 +499,160 @@ struct xilinx_fpga_op zynq_op = {
>          .loadfs = zynq_loadfs,
>   #endif
>   };
> +
> +#ifdef CONFIG_CMD_ZYNQ_AES
> +/*
> + * Load the encrypted image from src addr and decrypt the image and
> + * place it back the decrypted image into dstaddr.
> + */
> +int zynq_decrypt_load(u32 srcaddr, u32 srclen, u32 dstaddr, u32 dstlen,
> +                     u8 bstype)
> +{
> +       u32 isr_status, ts;
> +
> +       if ((srcaddr < SZ_1M) || (dstaddr < SZ_1M)) {
> +               printf("%s: src and dst addr should be > 1M\n",
> +                      __func__);
> +               return FPGA_FAIL;
> +       }
> +
> +       if (zynq_dma_xfer_init(bstype)) {
> +               printf("%s: zynq_dma_xfer_init FAIL\n", __func__);
> +               return FPGA_FAIL;
> +       }
> +
> +       writel((readl(&devcfg_base->ctrl) | DEVCFG_CTRL_PCAP_RATE_EN_MASK),
> +              &devcfg_base->ctrl);
> +
> +       debug("%s: Source = 0x%08X\n", __func__, (u32)srcaddr);
> +       debug("%s: Size = %zu\n", __func__, srclen);
> +
> +       /* flush(clean & invalidate) d-cache range buf */
> +       flush_dcache_range((u32)srcaddr, (u32)srcaddr +
> +                       roundup(srclen << 2, ARCH_DMA_MINALIGN));
> +       /*
> +        * Flush destination address range only if image is not
> +        * bitstream.
> +        */
> +       if (bstype == BIT_NONE)
> +               flush_dcache_range((u32)dstaddr, (u32)dstaddr +
> +                               roundup(dstlen << 2, ARCH_DMA_MINALIGN));
> +
> +       if (zynq_dma_transfer(srcaddr | 1, srclen, dstaddr | 1, dstlen))
> +               return FPGA_FAIL;
> +
> +       if (bstype == BIT_FULL) {
> +               isr_status = readl(&devcfg_base->int_sts);
> +               /* Check FPGA configuration completion */
> +               ts = get_timer(0);
> +               while (!(isr_status & DEVCFG_ISR_PCFG_DONE)) {
> +                       if (get_timer(ts) > CONFIG_SYS_FPGA_WAIT) {
> +                               printf("%s: Timeout wait for FPGA to config\n",
> +                                      __func__);
> +                               return FPGA_FAIL;
> +                       }
> +                       isr_status = readl(&devcfg_base->int_sts);
> +               }
> +
> +               printf("%s: FPGA config done\n", __func__);
> +
> +               if (bstype != BIT_PARTIAL)
> +                       zynq_slcr_devcfg_enable();
> +       }
> +
> +       return FPGA_SUCCESS;
> +}

This function repeats much code of the existing zynq_load function.

Furthermore the existing function could be adapted to auto detect an 
encrypted image. This allows the usage of encrypted FPGA images even in 
fit images and doesn't introduces a second function zynqaes for fpga load.

Best regards
   Stefan

More information about the U-Boot mailing list