From: Adrian Fiergolski <adrian.fiergolski@fastree3d.com>
To: "Jorge Ramirez-Ortiz, Foundries" <jorge@foundries.io>,
michal.simek@xilinx.com, trini@konsulko.com, sjg@chromium.org
Cc: u-boot@lists.denx.de, ricardo@foundries.io, mike@foundries.io,
igor.opaniuk@foundries.io
Subject: Re: FIT image: load secure FPGA
Date: Wed, 19 Jan 2022 17:03:26 +0100 [thread overview]
Message-ID: <cc4cfdfc-e9c0-9228-65bb-f25157f6e491@fastree3d.com> (raw)
In-Reply-To: <20211004203226.GA4704@trex>
Hi Jorge,
Have you succeeded to enable secure boot on ZynqMP with SPL (not
Xilinx's FSBL)? Is it documented somewhere? Any configuration
files/yocto recipes? Have you managed to resolve problem of the
bitstream loaded in such a case by SPL?
I need to use an encrypted bitstream. However, it required the use of
DeviceKeys in post-boot state which eventually requires secure boot.
Regards,
Adrian
On 04.10.2021 22:32, Jorge Ramirez-Ortiz, Foundries wrote:
> Hello,
>
> We are enabling secure boot on Zynqmp with SPL.
>
> The issue however is that during secure boot, the bootrom not only
> validates the first loader (SPL and PMUFW combo) but it will also
> expect a signed bitstream during load(FPGA).
>
> Since currently the SPL load of an FPGA image from FIT does not
> support loading images for authentication (fpga_loads), I'd like to
> discuss how to best implement such support.
>
> A pretty standard file.its description of the FPGA loadable looks like
> this:
>
> fpga {
> description = "FPGA binary";
> data = /incbin/("${DEPLOY_DIR_IMAGE}/${SPL_FPGA_BINARY}");
> type = "fpga";
> arch = "${UBOOT_ARCH}";
> compression = "none";
> load = <${fpgaloadaddr}>;
> hash-1 {
> algo = "${FIT_HASH_ALG}";
> };
> };
>
> We could extend imagetool.h struct image_tool_params to add more
> params or perhpas just define different 'types' of fpga?
>
> Something like:
> "fpga"
> "fpga-auth" : authenticated
> "fpga-enc" : encrypted
> "fpga-sec" : encrypted and authenticated
>
> Then it would be a matter of modifying
> https://github.com/u-boot/u-boot/blob/master/common/spl/spl_fit.c#L572
>
> any thoughts?
>
> TIA
> Jorge
next prev parent reply other threads:[~2022-01-19 16:03 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-04 20:32 FIT image: load secure FPGA Jorge Ramirez-Ortiz, Foundries
2021-10-04 20:54 ` Alex G.
2021-10-05 5:45 ` Jorge Ramirez-Ortiz, Foundries
2021-10-05 6:08 ` Jorge Ramirez-Ortiz, Foundries
2021-10-05 12:14 ` Michal Simek
2022-01-19 16:03 ` Adrian Fiergolski [this message]
2022-01-19 16:44 ` Jorge Ramirez-Ortiz, Foundries
2022-01-19 16:51 ` Jorge Ramirez-Ortiz, Foundries
2022-01-19 17:22 ` Jorge Ramirez-Ortiz, Foundries
2022-01-19 17:48 ` Oleksandr Suvorov
2022-02-07 12:24 ` Adrian Fiergolski
2022-02-09 7:51 ` Jorge Ramirez-Ortiz, Foundries
2022-02-09 12:20 ` Adrian Fiergolski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=cc4cfdfc-e9c0-9228-65bb-f25157f6e491@fastree3d.com \
--to=adrian.fiergolski@fastree3d.com \
--cc=igor.opaniuk@foundries.io \
--cc=jorge@foundries.io \
--cc=michal.simek@xilinx.com \
--cc=mike@foundries.io \
--cc=ricardo@foundries.io \
--cc=sjg@chromium.org \
--cc=trini@konsulko.com \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.