FIT image: load secure FPGA
Adrian Fiergolski
adrian.fiergolski at fastree3d.com
Wed Jan 19 17:03:26 CET 2022
Hi Jorge,
Have you succeeded to enable secure boot on ZynqMP with SPL (not
Xilinx's FSBL)? Is it documented somewhere? Any configuration
files/yocto recipes? Have you managed to resolve problem of the
bitstream loaded in such a case by SPL?
I need to use an encrypted bitstream. However, it required the use of
DeviceKeys in post-boot state which eventually requires secure boot.
Regards,
Adrian
On 04.10.2021 22:32, Jorge Ramirez-Ortiz, Foundries wrote:
> Hello,
>
> We are enabling secure boot on Zynqmp with SPL.
>
> The issue however is that during secure boot, the bootrom not only
> validates the first loader (SPL and PMUFW combo) but it will also
> expect a signed bitstream during load(FPGA).
>
> Since currently the SPL load of an FPGA image from FIT does not
> support loading images for authentication (fpga_loads), I'd like to
> discuss how to best implement such support.
>
> A pretty standard file.its description of the FPGA loadable looks like
> this:
>
> fpga {
> description = "FPGA binary";
> data = /incbin/("${DEPLOY_DIR_IMAGE}/${SPL_FPGA_BINARY}");
> type = "fpga";
> arch = "${UBOOT_ARCH}";
> compression = "none";
> load = <${fpgaloadaddr}>;
> hash-1 {
> algo = "${FIT_HASH_ALG}";
> };
> };
>
> We could extend imagetool.h struct image_tool_params to add more
> params or perhpas just define different 'types' of fpga?
>
> Something like:
> "fpga"
> "fpga-auth" : authenticated
> "fpga-enc" : encrypted
> "fpga-sec" : encrypted and authenticated
>
> Then it would be a matter of modifying
> https://github.com/u-boot/u-boot/blob/master/common/spl/spl_fit.c#L572
>
> any thoughts?
>
> TIA
> Jorge
More information about the U-Boot
mailing list