* [U-Boot] [RFC PATCH] fpga: zynq: Add encrypted bitstream support with auto detect
@ 2018-06-08 11:58 stefan at herbrechtsmeier.net
2018-06-11 11:39 ` Siva Durga Prasad Paladugu
2018-06-19 7:15 ` Siva Durga Prasad Paladugu
0 siblings, 2 replies; 6+ messages in thread
From: stefan at herbrechtsmeier.net @ 2018-06-08 11:58 UTC (permalink / raw)
To: u-boot
From: Stefan Herbrechtsmeier <stefan.herbrechtsmeier@weidmueller.com>
Signed-off-by: Stefan Herbrechtsmeier <stefan.herbrechtsmeier@weidmueller.com>
---
drivers/fpga/zynqpl.c | 73 ++++++++++++++++++++++++++++++++++++++++-----------
1 file changed, 57 insertions(+), 16 deletions(-)
diff --git a/drivers/fpga/zynqpl.c b/drivers/fpga/zynqpl.c
index fd37d18..6622750 100644
--- a/drivers/fpga/zynqpl.c
+++ b/drivers/fpga/zynqpl.c
@@ -17,6 +17,7 @@
#define DEVCFG_CTRL_PCFG_PROG_B 0x40000000
#define DEVCFG_CTRL_PCFG_AES_EFUSE_MASK 0x00001000
+#define DEVCFG_CTRL_PCAP_RATE_EN_MASK 0x02000000
#define DEVCFG_ISR_FATAL_ERROR_MASK 0x00740040
#define DEVCFG_ISR_ERROR_FLAGS_MASK 0x00340840
#define DEVCFG_ISR_RX_FIFO_OV 0x00040000
@@ -38,18 +39,16 @@
#define CONFIG_SYS_FPGA_PROG_TIME (CONFIG_SYS_HZ * 4) /* 4 s */
#endif
+#define NOP_WORD 0x20000000
+#define CTRL0_WORD 0x3000a001
+#define MASK_WORD 0x3000c001
#define DUMMY_WORD 0xffffffff
+#define CTRL0_DEC_MASK BIT(6)
+
/* Xilinx binary format header */
+#define MAX_DUMMY_WORD_COUNT 8
static const u32 bin_format[] = {
- DUMMY_WORD, /* Dummy words */
- DUMMY_WORD,
- DUMMY_WORD,
- DUMMY_WORD,
- DUMMY_WORD,
- DUMMY_WORD,
- DUMMY_WORD,
- DUMMY_WORD,
0x000000bb, /* Sync word */
0x11220044, /* Sync word */
DUMMY_WORD,
@@ -85,7 +84,23 @@ static u32 load_word(const void *buf, u32 swap)
return word;
}
-static u32 check_header(const void *buf)
+static void *skip_dummy_words(const void *buf)
+{
+ u32 *test = (u32 *)buf;
+ u32 i;
+
+ for (i = 0; i < MAX_DUMMY_WORD_COUNT; i++) {
+ if (load_word(&test[i], SWAP_NO) != DUMMY_WORD) {
+ debug("%s: Found no dummy word at position %d/%x\n",
+ __func__, i, (u32)&test[i]);
+ return &test[i];
+ }
+ }
+
+ return &test[i];
+}
+
+static u32 check_header(const void *buf, bool *encrypted)
{
u32 i, pattern;
int swap = SWAP_NO;
@@ -93,6 +108,8 @@ static u32 check_header(const void *buf)
debug("%s: Let's check bitstream header\n", __func__);
+ test = (u32 *)skip_dummy_words(buf);
+
/* Checking that passing bin is not a bitstream */
for (i = 0; i < ARRAY_SIZE(bin_format); i++) {
pattern = load_word(&test[i], swap);
@@ -112,18 +129,34 @@ static u32 check_header(const void *buf)
debug("%s: %d/%x: pattern %x/%x bin_format\n", __func__, i,
(u32)&test[i], pattern, bin_format[i]);
+
if (pattern != bin_format[i]) {
debug("%s: Bitstream is not recognized\n", __func__);
return 0;
}
}
- debug("%s: Found bitstream header at %x %s swapinng\n", __func__,
- (u32)buf, swap == SWAP_NO ? "without" : "with");
+
+ test = &test[i];
+
+ /* Checking if passing bin is an encrypted bitstream */
+ if ((load_word(&test[0], swap) == NOP_WORD) &&
+ (load_word(&test[1], swap) == MASK_WORD) &&
+ (load_word(&test[2], swap) & CTRL0_DEC_MASK) &&
+ (load_word(&test[3], swap) == CTRL0_WORD) &&
+ (load_word(&test[4], swap) & CTRL0_DEC_MASK) &&
+ (load_word(&test[5], swap) == NOP_WORD))
+ *encrypted = true;
+ else
+ *encrypted = false;
+
+ debug("%s: Found %sencrypted bitstream header at %x %s swapping\n",
+ __func__, *encrypted ? "" : "un", (u32)buf,
+ swap == SWAP_NO ? "without" : "with");
return swap;
}
-static void *check_data(u8 *buf, size_t bsize, u32 *swap)
+static void *check_data(u8 *buf, size_t bsize, u32 *swap, bool *encrypted)
{
u32 word, p = 0; /* possition */
@@ -136,7 +169,7 @@ static void *check_data(u8 *buf, size_t bsize, u32 *swap)
if (word == DUMMY_WORD) {
debug("%s: Found dummy word@position %x/%x\n",
__func__, p, (u32)&buf[p]);
- *swap = check_header(&buf[p]);
+ *swap = check_header(&buf[p], encrypted);
if (*swap) {
/* FIXME add full bitstream checking here */
return &buf[p];
@@ -191,7 +224,7 @@ static int zynq_dma_transfer(u32 srcbuf, u32 srclen, u32 dstbuf, u32 dstlen)
return FPGA_SUCCESS;
}
-static int zynq_dma_xfer_init(bitstream_type bstype)
+static int zynq_dma_xfer_init(bitstream_type bstype, bool encrypted)
{
u32 status, control, isr_status;
unsigned long ts;
@@ -291,6 +324,13 @@ static int zynq_dma_xfer_init(bitstream_type bstype)
writel(DEVCFG_STATUS_DMA_DONE_CNT_MASK, &devcfg_base->status);
}
+ control = readl(&devcfg_base->ctrl);
+ if (encrypted)
+ control |= DEVCFG_CTRL_PCAP_RATE_EN_MASK;
+ else
+ control &= ~DEVCFG_CTRL_PCAP_RATE_EN_MASK;
+ writel(control, &devcfg_base->ctrl);
+
return FPGA_SUCCESS;
}
@@ -336,10 +376,11 @@ static int zynq_validate_bitstream(xilinx_desc *desc, const void *buf,
size_t bsize, u32 blocksize, u32 *swap,
bitstream_type *bstype)
{
+ bool encrypted = false;
u32 *buf_start;
u32 diff;
- buf_start = check_data((u8 *)buf, blocksize, swap);
+ buf_start = check_data((u8 *)buf, blocksize, swap, &encrypted);
if (!buf_start)
return FPGA_FAIL;
@@ -358,7 +399,7 @@ static int zynq_validate_bitstream(xilinx_desc *desc, const void *buf,
return FPGA_FAIL;
}
- if (zynq_dma_xfer_init(*bstype))
+ if (zynq_dma_xfer_init(*bstype, encrypted))
return FPGA_FAIL;
return 0;
--
2.7.4
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [U-Boot] [RFC PATCH] fpga: zynq: Add encrypted bitstream support with auto detect
2018-06-08 11:58 [U-Boot] [RFC PATCH] fpga: zynq: Add encrypted bitstream support with auto detect stefan at herbrechtsmeier.net
@ 2018-06-11 11:39 ` Siva Durga Prasad Paladugu
2018-06-11 16:03 ` Stefan.Herbrechtsmeier at weidmueller.com
2018-06-19 7:15 ` Siva Durga Prasad Paladugu
1 sibling, 1 reply; 6+ messages in thread
From: Siva Durga Prasad Paladugu @ 2018-06-11 11:39 UTC (permalink / raw)
To: u-boot
Hi Stefan,
Interesting, I got your point. First of all, Could you please let me know on how do you created the encrypted bitstream?
I hope this is not the Xilinx bootgen flow(may be through other Xilinx flow) because, I don't think bootgen will update these fields while creating encrypted bitstream( need to re confirm on this) and my flow targets the Xilinx bootgen flow.
Please let know your comments on this, based on which, will try to review and test your patch.
Thanks,
Siva
> -----Original Message-----
> From: stefan at herbrechtsmeier.net [mailto:stefan at herbrechtsmeier.net]
> Sent: Friday, June 08, 2018 5:29 PM
> To: Siva Durga Prasad Paladugu <sivadur@xilinx.com>
> Cc: Stefan Herbrechtsmeier <stefan.herbrechtsmeier@weidmueller.com>;
> u-boot at lists.denx.de; Michal Simek <michal.simek@xilinx.com>;
> monstr at monstr.eu
> Subject: [RFC PATCH] fpga: zynq: Add encrypted bitstream support with
> auto detect
>
> From: Stefan Herbrechtsmeier
> <stefan.herbrechtsmeier@weidmueller.com>
>
> Signed-off-by: Stefan Herbrechtsmeier
> <stefan.herbrechtsmeier@weidmueller.com>
>
> ---
>
> drivers/fpga/zynqpl.c | 73
> ++++++++++++++++++++++++++++++++++++++++-----------
> 1 file changed, 57 insertions(+), 16 deletions(-)
>
> diff --git a/drivers/fpga/zynqpl.c b/drivers/fpga/zynqpl.c index
> fd37d18..6622750 100644
> --- a/drivers/fpga/zynqpl.c
> +++ b/drivers/fpga/zynqpl.c
> @@ -17,6 +17,7 @@
>
> #define DEVCFG_CTRL_PCFG_PROG_B 0x40000000
> #define DEVCFG_CTRL_PCFG_AES_EFUSE_MASK 0x00001000
> +#define DEVCFG_CTRL_PCAP_RATE_EN_MASK 0x02000000
> #define DEVCFG_ISR_FATAL_ERROR_MASK 0x00740040
> #define DEVCFG_ISR_ERROR_FLAGS_MASK 0x00340840
> #define DEVCFG_ISR_RX_FIFO_OV 0x00040000
> @@ -38,18 +39,16 @@
> #define CONFIG_SYS_FPGA_PROG_TIME (CONFIG_SYS_HZ * 4) /* 4 s
> */
> #endif
>
> +#define NOP_WORD 0x20000000
> +#define CTRL0_WORD 0x3000a001
> +#define MASK_WORD 0x3000c001
> #define DUMMY_WORD 0xffffffff
>
> +#define CTRL0_DEC_MASK BIT(6)
> +
> /* Xilinx binary format header */
> +#define MAX_DUMMY_WORD_COUNT 8
> static const u32 bin_format[] = {
> - DUMMY_WORD, /* Dummy words */
> - DUMMY_WORD,
> - DUMMY_WORD,
> - DUMMY_WORD,
> - DUMMY_WORD,
> - DUMMY_WORD,
> - DUMMY_WORD,
> - DUMMY_WORD,
> 0x000000bb, /* Sync word */
> 0x11220044, /* Sync word */
> DUMMY_WORD,
> @@ -85,7 +84,23 @@ static u32 load_word(const void *buf, u32 swap)
> return word;
> }
>
> -static u32 check_header(const void *buf)
> +static void *skip_dummy_words(const void *buf) {
> + u32 *test = (u32 *)buf;
> + u32 i;
> +
> + for (i = 0; i < MAX_DUMMY_WORD_COUNT; i++) {
> + if (load_word(&test[i], SWAP_NO) != DUMMY_WORD) {
> + debug("%s: Found no dummy word at position
> %d/%x\n",
> + __func__, i, (u32)&test[i]);
> + return &test[i];
> + }
> + }
> +
> + return &test[i];
> +}
> +
> +static u32 check_header(const void *buf, bool *encrypted)
> {
> u32 i, pattern;
> int swap = SWAP_NO;
> @@ -93,6 +108,8 @@ static u32 check_header(const void *buf)
>
> debug("%s: Let's check bitstream header\n", __func__);
>
> + test = (u32 *)skip_dummy_words(buf);
> +
> /* Checking that passing bin is not a bitstream */
> for (i = 0; i < ARRAY_SIZE(bin_format); i++) {
> pattern = load_word(&test[i], swap);
> @@ -112,18 +129,34 @@ static u32 check_header(const void *buf)
>
> debug("%s: %d/%x: pattern %x/%x bin_format\n",
> __func__, i,
> (u32)&test[i], pattern, bin_format[i]);
> +
> if (pattern != bin_format[i]) {
> debug("%s: Bitstream is not recognized\n",
> __func__);
> return 0;
> }
> }
> - debug("%s: Found bitstream header at %x %s swapinng\n",
> __func__,
> - (u32)buf, swap == SWAP_NO ? "without" : "with");
> +
> + test = &test[i];
> +
> + /* Checking if passing bin is an encrypted bitstream */
> + if ((load_word(&test[0], swap) == NOP_WORD) &&
> + (load_word(&test[1], swap) == MASK_WORD) &&
> + (load_word(&test[2], swap) & CTRL0_DEC_MASK) &&
> + (load_word(&test[3], swap) == CTRL0_WORD) &&
> + (load_word(&test[4], swap) & CTRL0_DEC_MASK) &&
> + (load_word(&test[5], swap) == NOP_WORD))
> + *encrypted = true;
> + else
> + *encrypted = false;
> +
> + debug("%s: Found %sencrypted bitstream header at %x %s
> swapping\n",
> + __func__, *encrypted ? "" : "un", (u32)buf,
> + swap == SWAP_NO ? "without" : "with");
>
> return swap;
> }
>
> -static void *check_data(u8 *buf, size_t bsize, u32 *swap)
> +static void *check_data(u8 *buf, size_t bsize, u32 *swap, bool
> +*encrypted)
> {
> u32 word, p = 0; /* possition */
>
> @@ -136,7 +169,7 @@ static void *check_data(u8 *buf, size_t bsize, u32
> *swap)
> if (word == DUMMY_WORD) {
> debug("%s: Found dummy word at position
> %x/%x\n",
> __func__, p, (u32)&buf[p]);
> - *swap = check_header(&buf[p]);
> + *swap = check_header(&buf[p], encrypted);
> if (*swap) {
> /* FIXME add full bitstream checking here */
> return &buf[p];
> @@ -191,7 +224,7 @@ static int zynq_dma_transfer(u32 srcbuf, u32
> srclen, u32 dstbuf, u32 dstlen)
> return FPGA_SUCCESS;
> }
>
> -static int zynq_dma_xfer_init(bitstream_type bstype)
> +static int zynq_dma_xfer_init(bitstream_type bstype, bool encrypted)
> {
> u32 status, control, isr_status;
> unsigned long ts;
> @@ -291,6 +324,13 @@ static int zynq_dma_xfer_init(bitstream_type
> bstype)
> writel(DEVCFG_STATUS_DMA_DONE_CNT_MASK,
> &devcfg_base->status);
> }
>
> + control = readl(&devcfg_base->ctrl);
> + if (encrypted)
> + control |= DEVCFG_CTRL_PCAP_RATE_EN_MASK;
> + else
> + control &= ~DEVCFG_CTRL_PCAP_RATE_EN_MASK;
> + writel(control, &devcfg_base->ctrl);
> +
> return FPGA_SUCCESS;
> }
>
> @@ -336,10 +376,11 @@ static int zynq_validate_bitstream(xilinx_desc
> *desc, const void *buf,
> size_t bsize, u32 blocksize, u32 *swap,
> bitstream_type *bstype)
> {
> + bool encrypted = false;
> u32 *buf_start;
> u32 diff;
>
> - buf_start = check_data((u8 *)buf, blocksize, swap);
> + buf_start = check_data((u8 *)buf, blocksize, swap, &encrypted);
>
> if (!buf_start)
> return FPGA_FAIL;
> @@ -358,7 +399,7 @@ static int zynq_validate_bitstream(xilinx_desc
> *desc, const void *buf,
> return FPGA_FAIL;
> }
>
> - if (zynq_dma_xfer_init(*bstype))
> + if (zynq_dma_xfer_init(*bstype, encrypted))
> return FPGA_FAIL;
>
> return 0;
> --
> 2.7.4
^ permalink raw reply [flat|nested] 6+ messages in thread
* [U-Boot] [RFC PATCH] fpga: zynq: Add encrypted bitstream support with auto detect
2018-06-11 11:39 ` Siva Durga Prasad Paladugu
@ 2018-06-11 16:03 ` Stefan.Herbrechtsmeier at weidmueller.com
2018-06-12 3:48 ` Siva Durga Prasad Paladugu
0 siblings, 1 reply; 6+ messages in thread
From: Stefan.Herbrechtsmeier at weidmueller.com @ 2018-06-11 16:03 UTC (permalink / raw)
To: u-boot
Hi Siva,
> -----Ursprüngliche Nachricht-----
> Von: Siva Durga Prasad Paladugu [mailto:sivadur at xilinx.com]
> Gesendet: Montag, 11. Juni 2018 13:40
> An: stefan at herbrechtsmeier.net
> Cc: Herbrechtsmeier Dr.-Ing. , Stefan
> <Stefan.Herbrechtsmeier@weidmueller.com>; u-boot at lists.denx.de;
> Michal Simek <michal.simek@xilinx.com>; monstr at monstr.eu
> Betreff: RE: [RFC PATCH] fpga: zynq: Add encrypted bitstream support with
> auto detect
>
> Interesting, I got your point. First of all, Could you please let me know on
> how do you created the encrypted bitstream?
I use bootgen with the split option and the following bif file:
bootgen -image u-boot-spl-aes.bif -o i u-boot-spl-aes.bin -w on -encrypt efuse -split bin
image:
{
[aeskeyfile]efuse.nky
[pskfile]psk.pem
[sskfile]ssk.pem
[bootloader, encryption=aes, authentication=rsa]u-boot-spl.elf
[encryption=aes]fpga.bit
}
> I hope this is not the Xilinx bootgen flow(may be through other Xilinx flow)
To my knowledge you could only use bootgen because Xilinx doesn't documented the encryption even if I would like to integrate the encryption into mkimage.
> because, I don't think bootgen will update these fields while creating
> encrypted bitstream( need to re confirm on this) and my flow targets the
> Xilinx bootgen flow.
This fields are part of the encrypted binary bitstream and are needed for the fpga configuration via the pcap. They are documented inside the 'ug470_7Series_Config.pdf'.
> Please let know your comments on this, based on which, will try to review
> and test your patch.
Let me know if you need more information or help.
Regards
Stefan Herbrechtsmeier
Software Developer Embedded Systems
Weidmüller - Your partner in Industrial Connectivity
We look forward to sharing ideas with you - Let's connect.
Weidmueller Interface GmbH & Co. KG
Klingenbergstraße 16, 32758 Detmold, Germany
Email: Stefan.Herbrechtsmeier at weidmueller.com - Web: www.weidmueller.com
________________________________
Kommanditgesellschaft - Sitz: Detmold - Amtsgericht Lemgo HRA 2790 -
Komplementärin: Weidmüller Interface Führungsgesellschaft mbH -
Sitz: Detmold - Amtsgericht Lemgo HRB 3924;
Geschäftsführer: José Carlos Álvarez Tobar, Elke Eckstein, Jörg Timmermann;
USt-ID-Nr. DE124599660
^ permalink raw reply [flat|nested] 6+ messages in thread
* [U-Boot] [RFC PATCH] fpga: zynq: Add encrypted bitstream support with auto detect
2018-06-11 16:03 ` Stefan.Herbrechtsmeier at weidmueller.com
@ 2018-06-12 3:48 ` Siva Durga Prasad Paladugu
2018-06-19 7:08 ` Siva Durga Prasad Paladugu
0 siblings, 1 reply; 6+ messages in thread
From: Siva Durga Prasad Paladugu @ 2018-06-12 3:48 UTC (permalink / raw)
To: u-boot
Hi Stefan,
> -----Original Message-----
> From: Stefan.Herbrechtsmeier at weidmueller.com
> [mailto:Stefan.Herbrechtsmeier at weidmueller.com]
> Sent: Monday, June 11, 2018 9:33 PM
> To: Siva Durga Prasad Paladugu <sivadur@xilinx.com>;
> stefan at herbrechtsmeier.net
> Cc: u-boot at lists.denx.de; michal.simek at xilinx.com; monstr at monstr.eu
> Subject: AW: [RFC PATCH] fpga: zynq: Add encrypted bitstream support
> with auto detect
>
> Hi Siva,
>
> > -----Ursprüngliche Nachricht-----
> > Von: Siva Durga Prasad Paladugu [mailto:sivadur at xilinx.com]
> > Gesendet: Montag, 11. Juni 2018 13:40
> > An: stefan at herbrechtsmeier.net
> > Cc: Herbrechtsmeier Dr.-Ing. , Stefan
> > <Stefan.Herbrechtsmeier@weidmueller.com>; u-boot at lists.denx.de;
> Michal
> > Simek <michal.simek@xilinx.com>; monstr at monstr.eu
> > Betreff: RE: [RFC PATCH] fpga: zynq: Add encrypted bitstream support
> > with auto detect
> >
> > Interesting, I got your point. First of all, Could you please let me
> > know on how do you created the encrypted bitstream?
>
> I use bootgen with the split option and the following bif file:
>
> bootgen -image u-boot-spl-aes.bif -o i u-boot-spl-aes.bin -w on -encrypt
> efuse -split bin
>
> image:
> {
> [aeskeyfile]efuse.nky
> [pskfile]psk.pem
> [sskfile]ssk.pem
> [bootloader, encryption=aes, authentication=rsa]u-boot-spl.elf
> [encryption=aes]fpga.bit
> }
>
> > I hope this is not the Xilinx bootgen flow(may be through other Xilinx
> > flow)
>
> To my knowledge you could only use bootgen because Xilinx doesn't
> documented the encryption even if I would like to integrate the encryption
> into mkimage.
>
> > because, I don't think bootgen will update these fields while creating
> > encrypted bitstream( need to re confirm on this) and my flow targets
> > the Xilinx bootgen flow.
>
> This fields are part of the encrypted binary bitstream and are needed for the
> fpga configuration via the pcap. They are documented inside the
> 'ug470_7Series_Config.pdf'.
>
> > Please let know your comments on this, based on which, will try to
> > review and test your patch.
>
> Let me know if you need more information or help.
Thanks for the clarity, let me check on it and come back.
Let me also look in to modify secure patch if required as per this.
Thanks,
Siva
>
> Regards
>
> Stefan Herbrechtsmeier
> Software Developer Embedded Systems
>
> Weidmüller - Your partner in Industrial Connectivity We look forward to
> sharing ideas with you - Let's connect.
>
> Weidmueller Interface GmbH & Co. KG
> Klingenbergstraße 16, 32758 Detmold, Germany
> Email: Stefan.Herbrechtsmeier at weidmueller.com - Web:
> www.weidmueller.com
>
>
> ________________________________
> Kommanditgesellschaft - Sitz: Detmold - Amtsgericht Lemgo HRA 2790 -
> Komplementärin: Weidmüller Interface Führungsgesellschaft mbH -
> Sitz: Detmold - Amtsgericht Lemgo HRB 3924;
> Geschäftsführer: José Carlos Álvarez Tobar, Elke Eckstein, Jörg
> Timmermann; USt-ID-Nr. DE124599660
^ permalink raw reply [flat|nested] 6+ messages in thread
* [U-Boot] [RFC PATCH] fpga: zynq: Add encrypted bitstream support with auto detect
2018-06-12 3:48 ` Siva Durga Prasad Paladugu
@ 2018-06-19 7:08 ` Siva Durga Prasad Paladugu
0 siblings, 0 replies; 6+ messages in thread
From: Siva Durga Prasad Paladugu @ 2018-06-19 7:08 UTC (permalink / raw)
To: u-boot
Hi Stefan,
Yes, I checked and it looks fine functionally, I even tested it. Otherthan this, I have few comments on this which I am going to reply to your RFC patch mail.
Thanks,
Siva
> -----Original Message-----
> From: Siva Durga Prasad Paladugu
> Sent: Tuesday, June 12, 2018 9:18 AM
> To: Stefan.Herbrechtsmeier at weidmueller.com;
> stefan at herbrechtsmeier.net
> Cc: u-boot at lists.denx.de; michal.simek at xilinx.com; monstr at monstr.eu
> Subject: RE: [RFC PATCH] fpga: zynq: Add encrypted bitstream support with
> auto detect
>
> Hi Stefan,
>
> > -----Original Message-----
> > From: Stefan.Herbrechtsmeier at weidmueller.com
> > [mailto:Stefan.Herbrechtsmeier at weidmueller.com]
> > Sent: Monday, June 11, 2018 9:33 PM
> > To: Siva Durga Prasad Paladugu <sivadur@xilinx.com>;
> > stefan at herbrechtsmeier.net
> > Cc: u-boot at lists.denx.de; michal.simek at xilinx.com; monstr at monstr.eu
> > Subject: AW: [RFC PATCH] fpga: zynq: Add encrypted bitstream support
> > with auto detect
> >
> > Hi Siva,
> >
> > > -----Ursprüngliche Nachricht-----
> > > Von: Siva Durga Prasad Paladugu [mailto:sivadur at xilinx.com]
> > > Gesendet: Montag, 11. Juni 2018 13:40
> > > An: stefan at herbrechtsmeier.net
> > > Cc: Herbrechtsmeier Dr.-Ing. , Stefan
> > > <Stefan.Herbrechtsmeier@weidmueller.com>; u-boot at lists.denx.de;
> > Michal
> > > Simek <michal.simek@xilinx.com>; monstr at monstr.eu
> > > Betreff: RE: [RFC PATCH] fpga: zynq: Add encrypted bitstream support
> > > with auto detect
> > >
> > > Interesting, I got your point. First of all, Could you please let
> > > me know on how do you created the encrypted bitstream?
> >
> > I use bootgen with the split option and the following bif file:
> >
> > bootgen -image u-boot-spl-aes.bif -o i u-boot-spl-aes.bin -w on
> > -encrypt efuse -split bin
> >
> > image:
> > {
> > [aeskeyfile]efuse.nky
> > [pskfile]psk.pem
> > [sskfile]ssk.pem
> > [bootloader, encryption=aes, authentication=rsa]u-boot-spl.elf
> > [encryption=aes]fpga.bit
> > }
> >
> > > I hope this is not the Xilinx bootgen flow(may be through other
> > > Xilinx
> > > flow)
> >
> > To my knowledge you could only use bootgen because Xilinx doesn't
> > documented the encryption even if I would like to integrate the
> > encryption into mkimage.
> >
> > > because, I don't think bootgen will update these fields while
> > > creating encrypted bitstream( need to re confirm on this) and my
> > > flow targets the Xilinx bootgen flow.
> >
> > This fields are part of the encrypted binary bitstream and are needed
> > for the fpga configuration via the pcap. They are documented inside
> > the 'ug470_7Series_Config.pdf'.
> >
> > > Please let know your comments on this, based on which, will try to
> > > review and test your patch.
> >
> > Let me know if you need more information or help.
>
> Thanks for the clarity, let me check on it and come back.
> Let me also look in to modify secure patch if required as per this.
>
> Thanks,
> Siva
>
> >
> > Regards
> >
> > Stefan Herbrechtsmeier
> > Software Developer Embedded Systems
> >
> > Weidmüller - Your partner in Industrial Connectivity We look forward
> > to sharing ideas with you - Let's connect.
> >
> > Weidmueller Interface GmbH & Co. KG
> > Klingenbergstraße 16, 32758 Detmold, Germany
> > Email: Stefan.Herbrechtsmeier at weidmueller.com - Web:
> > www.weidmueller.com
> >
> >
> > ________________________________
> > Kommanditgesellschaft - Sitz: Detmold - Amtsgericht Lemgo HRA 2790 -
> > Komplementärin: Weidmüller Interface Führungsgesellschaft mbH -
> > Sitz: Detmold - Amtsgericht Lemgo HRB 3924;
> > Geschäftsführer: José Carlos Álvarez Tobar, Elke Eckstein, Jörg
> > Timmermann; USt-ID-Nr. DE124599660
^ permalink raw reply [flat|nested] 6+ messages in thread
* [U-Boot] [RFC PATCH] fpga: zynq: Add encrypted bitstream support with auto detect
2018-06-08 11:58 [U-Boot] [RFC PATCH] fpga: zynq: Add encrypted bitstream support with auto detect stefan at herbrechtsmeier.net
2018-06-11 11:39 ` Siva Durga Prasad Paladugu
@ 2018-06-19 7:15 ` Siva Durga Prasad Paladugu
1 sibling, 0 replies; 6+ messages in thread
From: Siva Durga Prasad Paladugu @ 2018-06-19 7:15 UTC (permalink / raw)
To: u-boot
Hi Stefan,
> -----Original Message-----
> From: stefan at herbrechtsmeier.net [mailto:stefan at herbrechtsmeier.net]
> Sent: Friday, June 08, 2018 5:29 PM
> To: Siva Durga Prasad Paladugu <sivadur@xilinx.com>
> Cc: Stefan Herbrechtsmeier <stefan.herbrechtsmeier@weidmueller.com>;
> u-boot at lists.denx.de; Michal Simek <michal.simek@xilinx.com>;
> monstr at monstr.eu
> Subject: [RFC PATCH] fpga: zynq: Add encrypted bitstream support with
> auto detect
>
Patch description here please.
> From: Stefan Herbrechtsmeier
> <stefan.herbrechtsmeier@weidmueller.com>
>
> Signed-off-by: Stefan Herbrechtsmeier
> <stefan.herbrechtsmeier@weidmueller.com>
>
> ---
>
> drivers/fpga/zynqpl.c | 73
> ++++++++++++++++++++++++++++++++++++++++-----------
> 1 file changed, 57 insertions(+), 16 deletions(-)
>
> diff --git a/drivers/fpga/zynqpl.c b/drivers/fpga/zynqpl.c index
> fd37d18..6622750 100644
> --- a/drivers/fpga/zynqpl.c
> +++ b/drivers/fpga/zynqpl.c
> @@ -17,6 +17,7 @@
>
> #define DEVCFG_CTRL_PCFG_PROG_B 0x40000000
> #define DEVCFG_CTRL_PCFG_AES_EFUSE_MASK 0x00001000
> +#define DEVCFG_CTRL_PCAP_RATE_EN_MASK 0x02000000
> #define DEVCFG_ISR_FATAL_ERROR_MASK 0x00740040
> #define DEVCFG_ISR_ERROR_FLAGS_MASK 0x00340840
> #define DEVCFG_ISR_RX_FIFO_OV 0x00040000
> @@ -38,18 +39,16 @@
> #define CONFIG_SYS_FPGA_PROG_TIME (CONFIG_SYS_HZ * 4) /* 4 s
> */
> #endif
>
> +#define NOP_WORD 0x20000000
> +#define CTRL0_WORD 0x3000a001
> +#define MASK_WORD 0x3000c001
> #define DUMMY_WORD 0xffffffff
>
> +#define CTRL0_DEC_MASK BIT(6)
> +
> /* Xilinx binary format header */
> +#define MAX_DUMMY_WORD_COUNT 8
> static const u32 bin_format[] = {
> - DUMMY_WORD, /* Dummy words */
> - DUMMY_WORD,
> - DUMMY_WORD,
> - DUMMY_WORD,
> - DUMMY_WORD,
> - DUMMY_WORD,
> - DUMMY_WORD,
> - DUMMY_WORD,
> 0x000000bb, /* Sync word */
> 0x11220044, /* Sync word */
> DUMMY_WORD,
> @@ -85,7 +84,23 @@ static u32 load_word(const void *buf, u32 swap)
> return word;
> }
>
> -static u32 check_header(const void *buf)
> +static void *skip_dummy_words(const void *buf) {
> + u32 *test = (u32 *)buf;
> + u32 i;
> +
> + for (i = 0; i < MAX_DUMMY_WORD_COUNT; i++) {
> + if (load_word(&test[i], SWAP_NO) != DUMMY_WORD) {
> + debug("%s: Found no dummy word at position
> %d/%x\n",
> + __func__, i, (u32)&test[i]);
> + return &test[i];
> + }
> + }
> +
> + return &test[i];
> +}
> +
> +static u32 check_header(const void *buf, bool *encrypted)
> {
> u32 i, pattern;
> int swap = SWAP_NO;
> @@ -93,6 +108,8 @@ static u32 check_header(const void *buf)
>
> debug("%s: Let's check bitstream header\n", __func__);
>
> + test = (u32 *)skip_dummy_words(buf);
> +
> /* Checking that passing bin is not a bitstream */
> for (i = 0; i < ARRAY_SIZE(bin_format); i++) {
> pattern = load_word(&test[i], swap);
> @@ -112,18 +129,34 @@ static u32 check_header(const void *buf)
>
> debug("%s: %d/%x: pattern %x/%x bin_format\n",
> __func__, i,
> (u32)&test[i], pattern, bin_format[i]);
> +
> if (pattern != bin_format[i]) {
> debug("%s: Bitstream is not recognized\n",
> __func__);
> return 0;
> }
> }
> - debug("%s: Found bitstream header at %x %s swapinng\n",
> __func__,
> - (u32)buf, swap == SWAP_NO ? "without" : "with");
> +
> + test = &test[i];
> +
> + /* Checking if passing bin is an encrypted bitstream */
> + if ((load_word(&test[0], swap) == NOP_WORD) &&
> + (load_word(&test[1], swap) == MASK_WORD) &&
> + (load_word(&test[2], swap) & CTRL0_DEC_MASK) &&
> + (load_word(&test[3], swap) == CTRL0_WORD) &&
> + (load_word(&test[4], swap) & CTRL0_DEC_MASK) &&
> + (load_word(&test[5], swap) == NOP_WORD))
> + *encrypted = true;
> + else
> + *encrypted = false;
> +
> + debug("%s: Found %sencrypted bitstream header at %x %s
> swapping\n",
> + __func__, *encrypted ? "" : "un", (u32)buf,
> + swap == SWAP_NO ? "without" : "with");
>
> return swap;
> }
>
> -static void *check_data(u8 *buf, size_t bsize, u32 *swap)
> +static void *check_data(u8 *buf, size_t bsize, u32 *swap, bool
> +*encrypted)
> {
> u32 word, p = 0; /* possition */
>
> @@ -136,7 +169,7 @@ static void *check_data(u8 *buf, size_t bsize, u32
> *swap)
> if (word == DUMMY_WORD) {
> debug("%s: Found dummy word at position
> %x/%x\n",
> __func__, p, (u32)&buf[p]);
> - *swap = check_header(&buf[p]);
> + *swap = check_header(&buf[p], encrypted);
> if (*swap) {
> /* FIXME add full bitstream checking here */
> return &buf[p];
> @@ -191,7 +224,7 @@ static int zynq_dma_transfer(u32 srcbuf, u32
> srclen, u32 dstbuf, u32 dstlen)
> return FPGA_SUCCESS;
> }
>
> -static int zynq_dma_xfer_init(bitstream_type bstype)
> +static int zynq_dma_xfer_init(bitstream_type bstype, bool encrypted)
> {
> u32 status, control, isr_status;
> unsigned long ts;
> @@ -291,6 +324,13 @@ static int zynq_dma_xfer_init(bitstream_type
> bstype)
> writel(DEVCFG_STATUS_DMA_DONE_CNT_MASK,
> &devcfg_base->status);
> }
>
> + control = readl(&devcfg_base->ctrl);
> + if (encrypted)
> + control |= DEVCFG_CTRL_PCAP_RATE_EN_MASK;
> + else
> + control &= ~DEVCFG_CTRL_PCAP_RATE_EN_MASK;
Clearing here is fine. Can we do the same at the end of bitstream programming because we should clear it
once we are done, just to be in proper state for next component.
> + writel(control, &devcfg_base->ctrl);
> +
> return FPGA_SUCCESS;
> }
>
> @@ -336,10 +376,11 @@ static int zynq_validate_bitstream(xilinx_desc
> *desc, const void *buf,
> size_t bsize, u32 blocksize, u32 *swap,
> bitstream_type *bstype)
> {
> + bool encrypted = false;
> u32 *buf_start;
> u32 diff;
>
> - buf_start = check_data((u8 *)buf, blocksize, swap);
> + buf_start = check_data((u8 *)buf, blocksize, swap, &encrypted);
>
> if (!buf_start)
> return FPGA_FAIL;
> @@ -358,7 +399,7 @@ static int zynq_validate_bitstream(xilinx_desc
> *desc, const void *buf,
> return FPGA_FAIL;
> }
>
I think here we should add condition to check if AES engine is enabled in case of encrypted bitstream and return error if not enabled.
AES engine enablement can be checked using PCFG_AES_EN bits 9-11 of control register.
Thanks,
Siva
> - if (zynq_dma_xfer_init(*bstype))
> + if (zynq_dma_xfer_init(*bstype, encrypted))
> return FPGA_FAIL;
>
> return 0;
> --
> 2.7.4
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2018-06-19 7:15 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-06-08 11:58 [U-Boot] [RFC PATCH] fpga: zynq: Add encrypted bitstream support with auto detect stefan at herbrechtsmeier.net
2018-06-11 11:39 ` Siva Durga Prasad Paladugu
2018-06-11 16:03 ` Stefan.Herbrechtsmeier at weidmueller.com
2018-06-12 3:48 ` Siva Durga Prasad Paladugu
2018-06-19 7:08 ` Siva Durga Prasad Paladugu
2018-06-19 7:15 ` Siva Durga Prasad Paladugu
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.