AR# 71293

Design Advisory for Zynq UltraScale+ MPSoC: 2017.x FSBL performs the security operations on the partitions based on the content of the partition headers.


This Design Advisory covers two issues with the 2017.x versions of the Zynq UltraScale+ MPSoC FSBL.

Issue 1:

In versions prior to 2018.1, the FSBL does not authenticate the boot header even if the Hardware Root of Trust is enabled (i.e. RSA_EN is programmed).

The boot header contains parameters that are used in cryptographic operations.

Unauthenticated boot headers leave open the possibility that an adversary could tamper with them without detection.

Issue 2:

Prior to the 2018.1 version, the FSBL was not checking the ENC_ONLY eFUSE.

This is only an issue in the "Encrypt Only" secure boot mode. This is not an issue when the Hardware Root of Trust is used.

In the "Encrypt Only" secure boot mode, the ENC_ONLY eFUSE commands the CSU ROM and the FSBL to decrypt the FSBL and all partitions in the boot image.

The ROM correctly checks the ENC_ONLY eFUSE; however, the FSBL does not.

Because the FSBL does not check the ENC_ONLY eFUSE, an adversary could modify the partition headers without the change being detected, and an unencrypted partition could be loaded.
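As an added illustration of Issue 2 (this is not code from the Xilinx FSBL; the structures, field names and functions below are a hypothetical simplification), the following C model contrasts a loader that trusts only each partition header's own encryption attribute with one that also enforces the ENC_ONLY eFUSE and refuses to boot an image whose header claims an unencrypted partition:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
/* Hypothetical, simplified model: the real Zynq UltraScale+ partition header
 * layout and the FSBL's function names differ. */
typedef struct { const char *name; bool encrypted; } PartitionHeader; /* attribute from the header */
typedef struct { bool enc_only; } EfuseState;          /* ENC_ONLY eFUSE as read from the device */
typedef enum { BOOT_OK = 0, BOOT_REJECT_ENC_ONLY = 1 } BootStatus;

/* 2017.x-style behaviour: the eFUSE is never consulted, so each header's own
 * attribute decides whether the partition is decrypted or loaded as-is. */
BootStatus load_partitions_2017(const EfuseState *fuse, const PartitionHeader *ph,
                                size_t n, unsigned *plain_loaded)
{
    (void)fuse;
    *plain_loaded = 0;
    for (size_t i = 0; i < n; i++)
        if (!ph[i].encrypted)
            (*plain_loaded)++;      /* unencrypted partition loaded without complaint */
    return BOOT_OK;
}

/* Hardened behaviour: with ENC_ONLY programmed, a header that claims an
 * unencrypted partition is treated as tampering and the boot is refused. */
BootStatus load_partitions_hardened(const EfuseState *fuse, const PartitionHeader *ph,
                                    size_t n, unsigned *plain_loaded)
{
    *plain_loaded = 0;
    for (size_t i = 0; i < n; i++) {
        if (fuse->enc_only && !ph[i].encrypted)
            return BOOT_REJECT_ENC_ONLY;
        if (!ph[i].encrypted)
            (*plain_loaded)++;
    }
    return BOOT_OK;
}

/* Constructed sample: ENC_ONLY device and an image whose second partition
 * header was edited to mark that partition as unencrypted. */
static const EfuseState sample_fuse = { true };
static const PartitionHeader sample_image[] = { {"pmu_fw", true}, {"app", false}, {"pl", true} };
int main(void)
{
    unsigned p1, p2;
    BootStatus a = load_partitions_2017(&sample_fuse, sample_image, 3, &p1);
    BootStatus b = load_partitions_hardened(&sample_fuse, sample_image, 3, &p2);
    printf("2017.x: status %d, %u unencrypted loaded; hardened: status %d (1 = rejected)\n", a, p1, b);
    return 0;
}
```

With ENC_ONLY unprogrammed the hardened loader behaves exactly like the old one, which is why the advisory states that Issue 2 only affects the "Encrypt Only" mode.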


Both issues are resolved by using the Vivado 2018.1 FSBL or later versions.

Date 08/14/2018
Status Active
Type Design Advisory
