AR# 71436

Design Advisory for Zynq-7000: 2018.2 (and earlier) U-Boot does not use the PPK verified by BootROM and stored in OCM when loading partitions.

Description

In Zynq-7000, U-Boot does not use the RSA Primary Public Key (PPK) that was authenticated by the BootROM and stored in OCM to authenticate the Secondary Public Key (SPK) when loading partitions.

As a result, an adversary could substitute their own PPK/SPK pair and have U-Boot successfully authenticate an image that should not have been authenticated.
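The trust decision described above, as an added example that is not Xilinx or U-Boot code: the flawed pattern verifies the SPK with a PPK taken from the image, and one hardened form accepts only the PPK already held in trusted memory. The toy RSA keys, the digest, the certificate layout and every function name here are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
/* Toy RSA with tiny moduli: shows the trust decision only, not real cryptography. */
struct pubkey { uint64_t n, e; };
struct auth_cert {            /* simplified, hypothetical certificate layout */
    struct pubkey ppk;        /* PPK copy carried in the image (untrusted input) */
    struct pubkey spk;        /* SPK to authenticate */
    uint64_t spk_sig;         /* signature over the SPK made with the PPK private key */
};

static uint64_t modexp(uint64_t b, uint64_t e, uint64_t m) {
    uint64_t r = 1;
    for (b %= m; e; e >>= 1, b = b * b % m)
        if (e & 1) r = r * b % m;
    return r;
}
static uint64_t spk_digest(const struct pubkey *spk, uint64_t mod) {
    return (spk->n * 31 + spk->e) % mod;   /* toy stand-in for a hash of the SPK */
}
static int rsa_verify(const struct pubkey *k, const struct pubkey *spk, uint64_t sig) {
    return modexp(sig, k->e, k->n) == spk_digest(spk, k->n);
}

/* Flawed pattern: the key that vouches for the SPK comes from the image itself. */
int spk_auth_image_ppk(const struct auth_cert *c) {
    return rsa_verify(&c->ppk, &c->spk, c->spk_sig);
}
/* Hardened pattern: only the PPK already authenticated by BootROM is accepted. */
int spk_auth_trusted_ppk(const struct auth_cert *c, const struct pubkey *ocm_ppk) {
    if (c->ppk.n != ocm_ppk->n || c->ppk.e != ocm_ppk->e)
        return 0;                          /* image PPK differs from the trusted one */
    return rsa_verify(ocm_ppk, &c->spk, c->spk_sig);
}
/* Constructed sample data: sign an SPK with the private exponent d matching ppk. */
struct auth_cert make_cert(struct pubkey ppk, uint64_t d, struct pubkey spk) {
    struct auth_cert c;
    c.ppk = ppk; c.spk = spk; c.spk_sig = modexp(spk_digest(&spk, ppk.n), d, ppk.n);
    return c;
}
const struct pubkey TRUSTED_PPK = { 3233, 17 };   /* stands in for the PPK held in OCM */
struct auth_cert legit_cert(void) { return make_cert(TRUSTED_PPK, 2753, (struct pubkey){ 2773, 17 }); }
struct auth_cert substituted_cert(void) { return make_cert((struct pubkey){ 8633, 5 }, 5069, (struct pubkey){ 4087, 3 }); }
int main(void) {
    struct auth_cert a = legit_cert(), b = substituted_cert();
    printf("image PPK:   legit=%d substituted=%d\n", spk_auth_image_ppk(&a), spk_auth_image_ppk(&b));
    printf("trusted PPK: legit=%d substituted=%d\n",
           spk_auth_trusted_ppk(&a, &TRUSTED_PPK), spk_auth_trusted_ppk(&b, &TRUSTED_PPK));
    return 0;
}
```

A self-consistent PPK/SPK pair always passes the first check, which is why the verifying key has to come from the already-authenticated copy rather than from the data being verified.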

Solution

This issue is fixed in the 2018.3 release.

Date 09/12/2018
Status Active
Type Design Advisory