AR# 69383

2017.1/2 Zynq UltraScale+ MPSoC: U-Boot support to load encrypted bitstream


How do I load an encrypted bitstream using U-Boot?


Test Procedure:

  1. Create an encrypted bit stream image
  2. Copy the encrypted image (created from bootgen) along with key.bin and iv.bin onto an SD card and insert it onto the ZCU102 board.
  3. At XSDB, download until u-boot in JTAG using the script zcu102.tcl (contained in the attached file) as "source zcu102.tcl;uboot".
  4. At the U-boot prompt press enter, and then enter the commands in sequence as shown in the following log:

Example log:

Xilinx Zynq MP First Stage Boot Loader
Release 2017.1 Feb 8 2017 - 11:39:26
NOTICE: ATF running on XCZU9EG/silicon v1/RTL5.1 at 0xfffea000, with PMU firmware
NOTICE: BL31: Secure code at 0x60000000
NOTICE: BL31: Non secure code at 0x8000000
NOTICE: BL31: v1.3(release):2ab88e5
NOTICE: BL31: Built : 20:30:57, Feb 1 2017
PMUFW: v0.3

U-Boot 2017.01-03126-g91f8f25-dirty (Feb 10 2017 - 15:16:45 +0530) Xilinx ZynqMP ZCU102

I2C: ready
EL Level: EL2
Chip ID: xczu9eg
MMC: sdhci@ff170000: 0
** Bad device size - mmc 0 **
Using default environment

In: serial@ff000000
Out: serial@ff000000
Err: serial@ff000000
Bootmode: JTAG_MODE
Net: ZYNQ GEM: ff0e0000, phyaddr 15, interface rgmii-id

Warning: ethernet@ff0e0000 (eth0) using random MAC address - 0a:f4:c5:21:72:fc
eth0: ethernet@ff0e0000
Hit any key to stop autoboot: 0
ZynqMP> mmc info
Device: sdhci@ff170000
Manufacturer ID: 3
OEM: 5344
Name: SL16G
Tran Speed: 50000000
Rd Block Len: 512
SD version 3.0
High Capacity: Yes
Capacity: 14.8 GiB
Bus Width: 4-bit
Erase Group Size: 512 Bytes
ZynqMP> load mmc 0 100000 design_1_wrapper.bit.bin
reading design_1_wrapper.bit.bin
26510908 bytes read in 1772 ms (14.3 MiB/s)
ZynqMP> load mmc 0 2000000 key.bin
reading key.bin
64 bytes read in 9 ms (6.8 KiB/s)
ZynqMP> load mmc 0 2100000 iv.bin
reading iv.bin
24 bytes read in 9 ms (2 KiB/s)
ZynqMP> fpga loads 0 100000 194863c 2000000:40 2100000:18 0

Steps to program the Device-key into the BBRAM (from XSDB):

  1. connect 
  2. connect to the a53 target 
  3. download the zynqmp_fsbl.elf.
  4. con
  5. download the  xilskey_bbramps_zynqmp_example_1.elf ( for more info look here:
  6. con
  7. stop

Loading the encrypted bit streams using the Device Key:

Note: The procedure mentioned above uses the user key for loading encrypted bitstreams.

If we want to use the device key then in the above command add keyaddr and size as 0xFFFFFFFF as below.

fpga loads 0 100000 194863c ffffffff:ffffffff 2100000:18 0

The device key feature is not available as a part of 2017.1 and will be added in xilfpga as a part of the 2017.3 release.

There will be Answer Records created for the same for 2017.1 and 2017.2.

Attached below are the u-boot patches for the same which can be applied on top of 2017.1 or 2017.2 ( This feature works only if xilfpga in the PMU firmware supports this).


Associated Attachments

AR# 69383
Date 07/03/2017
Status Active
Type General Article
Boards & Kits