I have programed the XSK_EFUSEPL_FORCE_USE_AES_ONLY( CFG_AES_Only) eFuse bit in Vivado Hardware manager.
Non-secure boot of the device should be not allowed.
However I can still boot with a non-AES key image.
Why is this the case?
(UG585) Table 32-2 indicates that XSK_EFUSEPL_FORCE_USE_AES_ONLY is referred to as CFG_AES_Only in (UG470).
This information is incorrect, the PL CFG_AES_Only bit is not used for Zynq and must not be programmed by the user.
The correct bit is bit of FUSE_CNTL.
The latest version of Vivado is aware of Zynq and gives a correct bit setting.