Hi Jorge,
Have you succeeded in enabling secure boot on ZynqMP with SPL (not
Xilinx's FSBL)? Is it documented somewhere? Any configuration
files/Yocto recipes? Have you managed to resolve the problem of the
bitstream loaded in such a case by SPL?
I need to use an encrypted bitstream. However, it requires the use of
DeviceKeys in post-boot state, which eventually requires secure boot.
Regards,
Adrian
On 04.10.2021 22:32, Jorge Ramirez-Ortiz, Foundries wrote:
Hello,
We are enabling secure boot on Zynqmp with SPL.
The issue however is that during secure boot, the bootrom not only
validates the first loader (SPL and PMUFW combo) but it will also
expect a signed bitstream during load(FPGA).
Since currently the SPL load of an FPGA image from FIT does not
support loading images for authentication (fpga_loads), I'd like to
discuss how to best implement such support.
A pretty standard file.its description of the FPGA loadable looks like
this:
	fpga {
		description = "FPGA binary";
		data = /incbin/("${DEPLOY_DIR_IMAGE}/${SPL_FPGA_BINARY}");
		type = "fpga";
		arch = "${UBOOT_ARCH}";
		compression = "none";
		load = <${fpgaloadaddr}>;
		hash-1 {
			algo = "${FIT_HASH_ALG}";
		};
	};
We could extend imagetool.h struct image_tool_params to add more
params or perhaps just define different 'types' of fpga?
Something like:
"fpga"
"fpga-auth" : authenticated
"fpga-enc" : encrypted
"fpga-sec" : encrypted and authenticated
Then it would be a matter of modifying
https://github.com/u-boot/u-boot/blob/master/common/spl/spl_fit.c#L572
Any thoughts?
TIA
Jorge