Programming BBRAM and eFUSEs

Date post: 15-Mar-2020

Summary

Zynq® UltraScale+™ devices integrate a system-on-chip (SoC) and programmable logic (PL). Nonvolatile memory (NVM) in the form of eFUSEs and battery-backed RAM (BBRAM) are used for advanced encryption standard (AES) and Rivest-Shamir-Adleman (RSA) cryptography, security control, and user-defined applications. This application note describes the self-programming of BBRAM and eFUSEs in Zynq UltraScale+ devices. The capability to self-program BBRAM and eFUSEs increases the field programmability of Xilinx® FPGAs and SoCs. The self-programming of BBRAM and eFUSEs in Zynq UltraScale+ devices provides ease of use and security advantages over the self-programming capability available with the Zynq-7000 All Programmable SoC and UltraScale™ devices.

Download the reference design files for this application note from the Xilinx website. For detailed information about the design files, see Reference Design.

Introduction

BBRAM and eFUSEs in Zynq UltraScale+ devices are principally used to store AES keys and the hash of RSA keys. Self-programming of BBRAM and eFUSEs in Zynq UltraScale+ devices does not require an IP core. Signals are not externally routed. Software running on the ARM® Cortex®-A53 or Cortex-R5 processor uses the Xilinx Secure Key (XilSKey) library. Example C code is provided to program the BBRAM or eFUSEs.

The uses of programming the BBRAM and eFUSEs are listed below.

• AES Key (BBRAM or eFUSE)

• RSA Support

• Security Control Support

• PUF Support

• User Defined eFUSEs

This application note provides the steps to create and run software projects to program the BBRAM and eFUSEs. After programming, steps to create and run a software project to test the cryptographic functionality enabled by programmed memory are provided. For example, after the zcu102_program_bbram software project is run, the hello_world software project tests the functionality. The two tasks used to program the memory in Xilinx Software Development Kit (SDK) are creating and compiling the project using the XilSKey library and Bootgen.

Application Note: Zynq UltraScale+ Devices

XAPP1319 (v1.0) July 26, 2017

Programming BBRAM and eFUSEs

Author: Lester Sanders

Programming BBRAM and eFUSEs is a prerequisite for the secure boot functionality discussed in the Zynq UltraScale+ MPSoC: Embedded Design Tutorial (UG1209) [Ref 1].

Hardware and Software Requirements

The hardware and software requirements for the reference systems are as follows:

• ZCU102 evaluation board or Avnet UltraZed-EG board

• AC power adapter (12 VDC)

• USB type-A to USB mini-B cables (for UART, JTAG communication)

• Secure Digital (SD) multimedia card

• Xilinx Software Development Kit 2017.1 or newer

IMPORTANT: Programming any of the noted eFUSE settings precludes Xilinx test access. Consequently, Xilinx may not accept return material authorization (RMA) requests. The eFUSEs are ENC_ONLY, JTAG_DIS, DFT_DIS, RSA_EN, and AES key.

Programming BBRAM/eFUSEs Using XilSKey Library

The XilSKey library is located at <SDK install>/data/embeddedsw/lib/sw_services. The XilSKey library provides examples for programming Zynq UltraScale+ device eFUSEs and BBRAM in the examples directory. The high-level steps using the XilSKey library are explained in the Programming the AES Key in BBRAM, Programming eFUSEs for AES and RSA Cryptographic Functions, and Programming eFUSEs for Using the Physically Uncloneable Function sections.

For a complete list of programmable eFUSEs, see the Zynq UltraScale+ MPSoC: Technical Reference Manual (UG1085) [Ref 2].

BBRAM and eFUSE Uses

The uses of programming the BBRAM and eFUSEs are described below.

AES Key

Zynq UltraScale+ devices use a hardened AES cryptographic block for AES encryption and decryption. The AES cryptographic block accepts keys from several sources. The 256-bit eFUSE AES key is stored either in the BBRAM or eFUSEs. The AES key can also be stored in an obfuscated or black format in external eFUSE. Unlike in Xilinx 7 series FPGAs and Zynq-7000 devices, the AES key cannot be read after it is programmed. The value of the key can be verified. The Zynq UltraScale+ device also supports AES cryptographic functions using the physically uncloneable function (PUF), as discussed in PUF Support. In one of the two modes which use the PUF, eFUSEs are used.

eFUSE Uses

The uses of programming the eFUSEs are described below.

RSA Support

Zynq UltraScale+ devices use silicon-based RSA and SHA3 cryptographic blocks for RSA authentication. RSA uses a 4096-bit private/public key pair. Only the 384-bit hash of the primary public key is stored in the eFUSEs to save area on the device. Zynq UltraScale+ devices support two primary private/public key pairs and a 32-bit secondary key ID (SPK_ID). This functionality can be used for key revocation.

Security Control Support

Zynq UltraScale+ devices provide eFUSEs that increase the security of the device. For example, some eFUSE bits can permanently disable the JTAG and design for testing (DFT) functionality of the device. JTAG and DFT circuitry is useful in development. When a device moves to production, disabling the JTAG and DFT can assist in eliminating security vulnerabilities.

PUF Support

The principal use of the PUF in Zynq UltraScale+ devices is black key storage. Black key storage stores the user’s AES key in the eFUSEs or in the Bootheader in an encrypted format. At the time of use, the encrypted key in the eFUSEs or Bootheader is decrypted and the resulting plaintext key is used for the encryption and decryption operation.

The PUF registration software is used to command the PUF to generate values and to program the eFUSEs used by the PUF. This software is included in the XilSKey library. The registration software commands the PUF to generate the following values.

• Helper data

• Black key (encrypted user key)

In the PUF eFUSE mode, the values generated by the PUF registration software are programmed into the eFUSEs. In the PUF Bootheader mode, the values are included in the Bootheader by the Bootgen.

The steps used to generate and program PUF values into the eFUSEs are explained in Programming eFUSEs for Using the Physically Uncloneable Function. The use of the PUF Bootheader mode is discussed in Secure Boot of Zynq UltraScale+ MPSoC: Embedded Design Tutorial (UG1209) [Ref 1].

User Defined eFUSEs

Zynq UltraScale+ devices provide eight 32-bit registers for user-defined eFUSEs. These eFUSEs can be written to and read from for various user-defined functions.

Table 1 provides a summary of the user-defined macros used in eFUSE programming. These are used in the xilskey_bbramps_zynqmp.c, xilskey_efuseps_zynqmp_input.h, and xilskey_puf_registration.h files.

Table 1: Zynq UltraScale+ Non-Volatile Memory

| Macro | Description |
|---|---|
| AES | |
| XSK_EFUSEPS_WRITE_AES_KEY | Command to write the value defined in the XSK_EFUSEPS_AES_KEY macro to the AES eFUSE |
| XSK_EFUSEPS_AES_KEY | 256-bit AES key for use in eFUSE |
| XSK_ZYNQMP_BBRAMPS_AES_KEY | 256-bit AES key for use in BBRAM |
| XSK_EFUSEPS_AES_RD_LOCK | Disables the AES key cyclic redundancy check (CRC) for eFUSE key storage |
| XSK_EFUSEPS_AES_WR_LOCK | Disables write to AES eFUSEs |
| XSK_EFUSEPS_ENC_ONLY | When programmed, requires that the boot image be encrypted with eFUSE AES key. It only applies to the encryption status and is independent of the RSA_EN. |
| XSK_EFUSEPS_BBRAM_DISABLE | Permanently disables use of AES key from BBRAM |
| RSA | |
| XSK_EFUSEPS_PPK0_IS_SHA3 | Specifies secure hash algorithm-2 (SHA-2) or SHA-3 of PPK0 |
| XSK_EFUSEPS_WRITE_PPK0_HASH | Causes hash of public-private key 0 (PPK0) to be programmed into eFUSEs |
| XSK_EFUSEPS_PPK0_HASH | PPK0 hash |
| XSK_EFUSEPS_PPK1_IS_SHA3 | Specifies SHA-2 or SHA-3 of PPK1 |
| XSK_EFUSEPS_WRITE_PPK1_HASH | Causes hash of PPK1 to be programmed into eFUSEs |
| XSK_EFUSEPS_PPK1_HASH | PPK1 hash |
| XSK_EFUSEPS_PPK0_WR_LOCK | Permanently disables writing to PPK0 eFUSEs |
| XSK_EFUSEPS_PPK0_INVLD | Permanently revokes PPK0 |
| XSK_EFUSEPS_PPK1_INVLD | Permanently revokes PPK1 |
| XSK_EFUSEPS_PPK1_WR_LOCK | Permanently disables writing to PPK1 eFUSEs |
| XSK_EFUSEPS_RSA_ENABLE | Permanently enables RSA authentication during boot |
| XSK_EFUSEPS_SPK_ID | Selects SPK to use |
| XSK_EFUSEPS_WRITE_SPK | Write control for SPK selection |
| Security Control | |
| XSK_EFUSEPS_ERR_DISABLE | Prohibits error messages from being read via JTAG (ERROR_STATUS register) |
| XSK_EFUSEPS_JTAG_DISABLE | Disables JTAG. IDCODE and BYPASS are the only allowed commands. |
| XSK_EFUSEPS_DFT_DISABLE | Permanently disables DFT boot mode |
| XSK_EFUSEPS_PROG_GATE_DISABLE | When programmed, these fuses prohibit the PROG_GATE feature from being engaged. If any of these are programmed, the PL is always reset when the PS is reset. |
| XSK_EFUSEPS_SECURE_LOCK | When programmed, the device does not enable boundary scan (BSCAN) capability while in secure lockdown. |
| XSK_EFUSEPS_LBIST_EN | Permanently enables logic built-in self-test (BIST) to be run during boot |
| XSK_EFUSEPS_LPD_SC_EN | Permanently enables zeroization of registers in low-power domain (LPD) during boot |
| XSK_EFUSEPS_FPD_SC_EN | Permanently enables zeroization of registers in full-power domain (FPD) during boot |
| XSK_EFUSEPS_PBR_BOOT_ERR | Permanently enables boot halt after a platform management unit (PMU) error |
| PUF | |
| XSK_PUF_PROGRAM_EFUSE | Programs syndrome data, CHASH, AUX, and black key into eFUSEs |
| XSK_PUF_IF_CONTRACT_MANUFACTURER | Checks whether or not RSA is enabled prior to issuing PUF commands |
| XSK_PUF_READ_SECUREBITS | Reads status of secure bits (SYN_INVALID, REGISTER_DISABLE, SYN_WRLK) for display on communication terminal |
| XSK_PUF_PROGRAM_SECUREBITS | Program PUF secure bits (SYN_INVALID, REGISTER_DISABLE, SYN_WRLK) |
| XSK_PUF_SYN_INVALID | Permanently invalidates the programmed helper data |
| XSK_PUF_REGISTER_DISABLE | Permanently disables PUF regeneration |
| XSK_PUF_AES_KEY | Red key value used in black key generation |
| XSK_PUF_IV | User-provided initialization vector |
| XSK_PUF_SYN_WRLK | Locks PUF helper data from future programming |
| User eFUSEs | |
| XSK_EFUSEPS_USER[0-7]_FUSES | User eFUSE value |
| XSK_EFUSEPS_WRITE_USER[0-7]_FUSE | Burns value in XSK_EFUSEPS_USER[0-7] to user eFUSEs |
| XSK_EFUSEPS_USER_WRLK_[0-7] | Locks the corresponding user eFUSE register so it cannot be written to again |

Programming the AES Key in BBRAM

Run the following steps to program the AES key in BBRAM.

1. Create a directory called program_nvm inside project directory $PROG_NVM.

2. At the command prompt, enter xsdk -workspace . &. Close the SDK welcome window.

3. In the SDK GUI, select File > New > Application Project. Set the Project name to zynqmp_fsbl (Figure 1).

4. Change the hardware platform to ZynqMP_ZCU102_hw_platform or UltraZed-EG IOCC board. Click Next.

5. Under Available Templates, select Zynq MP FSBL. Click Finish.

6. Right-click on the zynqmp_fsbl project and select C/C++ Build Settings.

7. Select ARM A53 gcc compiler > Symbols.

8. In the Defined symbols pane, click the + icon. Enter FSBL_DEBUG_INFO in the text box. Click OK.

Figure 1: Create zynqmp_fsbl Application Project

9. Select File > New > Board Support Package. Enter program_aes_key_bbram_bsp_0 in the Project Name field (Figure 2).

Figure 2: Board Support Package Project - AES Key BBRAM

10. In the Board Support Package Settings window, scroll down and select the xilskey (Figure 3).

Figure 3: Board Support Package Settings - AES Key BBRAM

11. In the system.mss pane, scroll down and click Import Examples to the right of the xilskey library (Figure 4).

Figure 4: Import Examples

12. Select the check box for xilskey_bbramps_zynqmp_example. Click OK (Figure 5).

Figure 5: Import xilskey BBRAM Example

13. In the Project Explorer pane, rename xilskey_bbramps_zynqmp_example to program_aes_key_bbram (Figure 6).

14. Double-click xilskey_bbramps_zynqmp_example.c so that it is displayed in a text window.

15. Enable the Show Line Numbers feature in SDK. Right-click on the left side margin.

Figure 6: Rename Resource

16. From the aes.nky file in the reference design files (see Reference Design), copy the AES key to line 66 in the xilskey_bbramps_zynqmp_example.c file. Save the file (Figure 7).

17. In the Project Explorer, right-click on program_aes_bbram_key and select Build Project.

Figure 7: BBRAM AES Key

18. Create an image to program the AES key in BBRAM. Select Xilinx Tools > Create Boot Image (Figure 8).

Figure 8: Create Boot Image

19. Select the Create new BIF file radio button. In the Output BIF file path field, select $PROG_NVM\program_nvm\program_aes_bbram_key (Figure 9).

20. In the bottom pane named Boot Image Partitions, click Add. Browse to and add the zynqmp_fsbl.elf and program_aes_bbram_key.elf partitions. These partitions are usually auto-populated, so this step might not be necessary. A bitstream is not necessary.

21. Click Create Image.

22. Verify that the BOOT.BIN and program_aes_bbram_key.bif files are written to the specified directory $PROG_NVM\program_nvm.

23. Use a text editor to review the program_bbram_aes_key.bif file.

24. Insert an SD card into the SD card slot of the PC. Copy BOOT.BIN to the SD card.

25. Set up the ZCU102 or UltraZed-EG evaluation board.

26. Set up one communication terminal such as Tera Term using Interface 0, 115200 baud rate, and default settings.

27. Move the SD card from the PC to the SD card slot on the ZCU102 or UltraZed-EG evaluation board. The ZCU102 evaluation board uses a standard SD card. The UltraZed-EG board uses a mini SD card.

28. Set the Boot Mode switch to SD mode.

Figure 9: Create a Zynq MP Boot Image for the BBRAM AES Key

29. Apply power to the evaluation board.

30. Verify that the output on the communication terminal indicates successful programming of the BBRAM AES key (Figure 10).

Figure 10: Programmed and Verified BBRAM AES Key

31. To test the functionality of the programmed BBRAM, create a hello software project. In the SDK GUI, select File > New Application. In the Project Name field, enter hello_world (Figure 11).

32. Under Available Templates, select Hello World > Next > Finish.

33. Select Xilinx Tools > Create Boot Image.

Figure 11: Create hello_world Application Project

34. Select ZynqMP. Select the Create new BIF file radio button. In the Output BIF file path field, select test_encrypted_hello.bif (Figure 12).

35. In the Boot Image Partitions pane, click Add. Browse to and add the zynqmp_fsbl.elf and hello_world.elf partitions.

Figure 12: Create Boot Image for Hello World

36. Click Security > Encryption. In the Key file field, browse to aes.nky. Under Key store select BBRAM RED (Figure 13).

37. Double-click the zynqmp_fsbl.elf and hello_world.elf and change the Encryption to AES. Click Create Image.

38. Insert an SD card into the SD card slot of the PC. Copy the BOOT.BIN to the SD card.

39. Move the SD card from the PC to the SD card slot on the evaluation board.

40. Apply power to the evaluation board.

Figure 13: Create Boot Image Encryption

41. Verify that Hello World is displayed on the communication terminal (Figure 14).

Figure 14: Verified Hello World

Programming eFUSEs for AES and RSA Cryptographic Functions

Run the following steps to program the AES eFUSEs and hash of the primary public key. These steps can be used to program any of the other eFUSEs as well.

1. Navigate to the $PROG_NVM\program_nvm directory.

2. At the command prompt, enter xsdk -workspace . &. Close the SDK welcome window.

3. In the SDK GUI, select File > New > Board Support Package. In the Project Name field, enter program_efuses_bsp_0 (Figure 15).

4. In the Board Support Package Settings, scroll down to Supported Libraries. Select the check box for xilskey. Click OK.

5. In the system.mss pane, scroll down to Libraries. To the right of XilSKey, double-click Import Examples.

Figure 15: Board Support Package Project eFUSEs

6. In the Import Examples pane, select the check box for xilskey_efuseps_zynqmp_example (Figure 16).

7. In the Project Explorer pane, right-click on program_efuses_bsp_0_xilskey_efuseps_zynqmp_example. Under Rename Resource, rename the software project to program_efuses. Click OK.

Figure 16: Import xilskey eFUSE Example

8. In the Project Explorer pane, expand the program_efuses project. Select src. Double-click xilskey_efuseps_zynqmp_input.h to open the file in an SDK source editor pane (Figure 17).

9. Right-click the left margin of the source editor pane and select Show Numbers in the xilskey_efuseps_zynqmp_input.h file. This file contains the #define statements used to specify the eFUSE functionality.

10. Change the xilskey_efuseps_zynqmp_input.h as defined in Table 2.

Figure 17: Edit xilskey_efuseps_zynqmp_input.h

Table 2: Cryptographic Macros in xilskey_efuseps_zynqmp_input.h

| Line No | Macro | Value |
|---|---|---|
| 383 | XSK_EFUSEPS_PPK0_REVOKE | FALSE |
| 387 | XSK_EFUSEPS_PPK1_REVOKE | FALSE |
| 408 | XSK_EFUSEPS_WRITE_PPK0_HASH | TRUE |
| 409 | XSK_EFUSEPS_WRITE_PPK1_HASH | TRUE |
| 410 | XSK_EFUSEPS_WRITE_SPKID | FALSE |
| 428 | XSK_EFUSEPS_PPK0_IS_SHA3 | TRUE |
| 429 | XSK_EFUSEPS_PPK0_HASH | 384-bit |
| 431 | XSK_EFUSEPS_PPK1_HASH | 384-bit |
| 433 | XSK_EFUSEPS_SPK_ID | 00000000 |
| 000 | XSK_EFUSEPS_AES_KEY | 256-bit |

11. Copy $PROG_NVM\program_nvm\keys\aes.nky to xilskey_efuseps_zynqmp_input.h line 426 (XSK_EFUSEPS_AES_KEY).

12. Copy $PROG_NVM\program_nvm\keys\sha3_0.pem to xilskey_efuseps_zynqmp_input.h line 429 (XSK_EFUSEPS_PPK0_HASH).

13. Copy $PROG_NVM\program_nvm\keys\sha3_1.pem to xilskey_efuseps_zynqmp_input.h line 432 (XSK_EFUSEPS_PPK1_HASH).

14. In the Project Explorer pane, right-click program_efuses, and select Build Project.

15. From the SDK menu bar, select Xilinx Tools > Create Boot Image.

16. Select the Create new BIF file radio button. Specify the location and name of the BIF, $PROG_NVM\program_nvm\program_efuses\program_efuses.bif.

17. Click the Add button. Add the $PROG_NVM\files\zynqmp_fsbl.elf file.

18. Click the Add button. Browse to $PROG_NVM\program_efuses\Debug\program_efuses.elf. Click Create Image.

19. Insert an SD card into the SD card slot of the PC. Copy $PROG_NVM\program_nvm\program_efuses\BOOT.BIN to the SD card.

20. Move the SD card from the PC to the SD card slot on the ZCU102 or UltraZed-EG evaluation board.

21. Set the Boot Mode switch to SD mode.

22. Apply power to the board.

23. Verify that the log in the communication terminal indicates that programming of eFUSEs worked as expected.

24. To test the functionality of the programmed eFUSEs, create a hello software project. In the SDK GUI, select File > New Application. In the Project Name field, enter hello_world.

25. Under Available Templates, select Hello World > Next > Finish.

26. Select Xilinx Tools > Create Boot Image.

27. Select ZynqMP. Click the Create new BIF file radio button. In the Output BIF file path field, select test_encrypted_hello.bif.

28. Click Add in the bottom pane named Boot Image Partitions. Browse to and add the zynqmp_fsbl.elf and hello_world.elf partitions.

29. Click Security > Encryption. In the Key File field, browse to aes.nky. Select EFUSE RED in the Key Store field.

30. Double-click the zynqmp_fsbl.elf and hello_world.elf and change the Encryption to AES. Click Create Image.

31. Insert an SD card into the SD card slot of the PC. Copy the BOOT.BIN to the SD card.

32. Move the SD card from the PC to the SD card slot on the evaluation board.

33. Apply power to the evaluation board.

34. Verify that Hello World is displayed on the communication terminal. If the RSA_EN eFUSE is programmed, every boot is required to be authenticated.

Programming eFUSEs for Using the Physically Uncloneable Function

Run the following steps to program eFUSEs used by the PUF.

1. Navigate to the $PROG_NVM\program_nvm\puf_registration directory.

2. At the command prompt, enter xsdk -workspace . &. Close the SDK welcome window.

3. In the SDK GUI, select File > New > Board Support Package. In the Project Name field, enter puf_registration_bsp_0.

4. In the Board Support Package Settings, scroll down to Supported Libraries and select the check boxes for the xilskey and xilsecure libraries. Click OK.

5. In the system.mss pane, scroll down to view Libraries. Double-click Import Examples to the right of xilskey.

6. In the Examples for xilskey pane, select the check box for xilskey_puf_registration. Click OK.

7. In the Project Explorer pane, right-click puf_registration_bsp_0_xilskey_puf_registration_1. Select Rename. Use the Rename Resource text box to rename the project to puf_registration.

8. In the Project Explorer pane, double-click puf_registration > src > xilskey_puf_registration.h to invoke the file in the SDK source editor.

9. Right-click the left side of the source editor and enable Show Line Numbers.

10. Edit the xilskey_puf_registration.h as follows:

° Line 145 #define XSK_PUF_PROGRAM_EFUSE TRUE

° Line 158 #define XSK_PUF_AES_KEY "45195DE9B5B80119D8DD4E7DF032736D53CF75AD1DCE61C5BA681CFA0724E8"

° Line 159 #define XSK_PUF_IV "62A4B57D0F121CCB02CB8336"

11. Save the file and exit.

12. In the Project Explorer, right-click on the puf_registration project and select Build Project.

13. In the SDK menu bar, select Xilinx Tools > Create Boot Image.

14. Select Zynq MP in the Architecture field.

15. In the Output BIF file path, specify $PROG_NVM\program_nvm\puf_registration\puf_registration.bif.

16. In the Output Path field, specify $PROG_NVM\program_nvm\puf_registration.

17. In the Boot Image Partitions pane, click Add. Add the following partitions:

° $PROG_NVM\files\zynqmp_fsbl.elf

° $PROG_NVM\program_nvm\puf_registration\Debug\puf_registration.elf

18. Insert an SD card into the SD card slot of the PC. Copy $PROG_NVM\program_nvm\program_sec_ctrl_efuses\BOOT.BIN to the SD card.

19. Move the SD card from the PC to the SD card slot on the ZCU102 or UltraZed-EG evaluation board.

20. Set the Boot Mode switch to SD mode.

21. Set up a communication terminal.

22. Power cycle the board.

23. Verify that the log displayed in the communication terminal indicates that the security control eFUSEs are programmed as expected.
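A pre-flight check for the strings entered in step 10, as an added example that is not part of the application note or the XilSKey library: eFUSE programming cannot be undone, so the key and IV are worth validating on the host before the project is built. The expected lengths (64 hex characters for an AES-256 key, 24 for a 96-bit IV) and all function and enum names are assumptions of this example; run against the strings exactly as printed in step 10, it reports the key as 62 characters long.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed sizes: AES-256 key = 64 hex chars, 96-bit IV = 24 hex chars. */
#define KEY_HEX_LEN 64u
#define IV_HEX_LEN  24u

enum hex_status { HEX_OK = 0, HEX_BAD_LENGTH, HEX_BAD_CHAR, HEX_ALL_ZERO };

/* Strings copied exactly as printed in step 10 of this page. */
static const char PAGE_KEY[] =
    "45195DE9B5B80119D8DD4E7DF032736D53CF75AD1DCE61C5BA681CFA0724E8";
static const char PAGE_IV[] = "62A4B57D0F121CCB02CB8336";

/* Convert one hex digit to its value, or -1 if it is not a hex digit. */
static int nibble(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = (char)toupper((unsigned char)c);
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Validate a hex string of even length hex_len and decode it into
 * out[hex_len / 2]. Rejects wrong length, non-hex characters, and an
 * all-zero value (an unedited placeholder). */
enum hex_status parse_hex_field(const char *s, size_t hex_len,
                                unsigned char *out)
{
    unsigned char acc = 0;
    if (strlen(s) != hex_len) return HEX_BAD_LENGTH;
    for (size_t i = 0; i < hex_len; i += 2) {
        int hi = nibble(s[i]), lo = nibble(s[i + 1]);
        if (hi < 0 || lo < 0) return HEX_BAD_CHAR;
        out[i / 2] = (unsigned char)((hi << 4) | lo);
        acc |= out[i / 2];
    }
    return acc ? HEX_OK : HEX_ALL_ZERO;
}

int main(void)
{
    unsigned char key[KEY_HEX_LEN / 2], iv[IV_HEX_LEN / 2];
    enum hex_status k = parse_hex_field(PAGE_KEY, KEY_HEX_LEN, key);
    enum hex_status v = parse_hex_field(PAGE_IV, IV_HEX_LEN, iv);
    printf("key: status %d (length %zu)\n", (int)k, strlen(PAGE_KEY));
    printf("iv:  status %d (length %zu)\n", (int)v, strlen(PAGE_IV));
    return (k == HEX_OK && v == HEX_OK) ? 0 : 1;
}
```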

Conclusion

BBRAM and eFUSE programming is required for using the AES and RSA cryptographic functions in Zynq UltraScale+ devices. Zynq UltraScale+ devices also provide security control and user-defined eFUSEs. This application note provides a straightforward and secure method to self-program BBRAM and eFUSEs in the Zynq UltraScale+ devices.

Reference Design

Download the reference design files for this application note from the Xilinx website.

Table 3 shows the reference design matrix.

Table 3: Reference Design Matrix

| Parameter | Description |
|---|---|
| General | |
| Developer name | Lester Sanders |
| Target devices | Zynq UltraScale+ devices |
| Source code provided | Yes |
| Source code format | C |
| Design uses code and IP from existing Xilinx application note and reference designs or third party | No |
| Static code analysis/MISRA C | Yes |
| Simulation | |
| Functional simulation performed | No |
| Timing simulation performed | No |


Documentation Navigator and Design Hubs

Xilinx Documentation Navigator provides access to Xilinx documents, videos, and support resources, which you can filter and search to find information. To open the Xilinx Documentation Navigator (DocNav):

• From the Vivado® IDE, select Help > Documentation and Tutorials.

• On Windows, select Start > All Programs > Xilinx Design Tools > DocNav.

• At the Linux command prompt, enter docnav.

Xilinx Design Hubs provide links to documentation organized by design tasks and other topics, which you can use to learn key concepts and address frequently asked questions. To access the Design Hubs:

• In the Xilinx Documentation Navigator, click the Design Hubs View tab.

• On the Xilinx website, see the Design Hubs page.

Note: For more information on Documentation Navigator, see the Documentation Navigator page on the Xilinx website.

Table 3: Reference Design Matrix (Cont’d)

| Parameter | Description |
|---|---|
| Test bench used for functional and timing simulations | No |
| Test bench format | N/A |
| Simulator software/version used | N/A |
| SPICE/IBIS simulations | N/A |
| Implementation | |
| Synthesis software tools/versions used | N/A |
| Implementation software tools/versions used | N/A |
| Static timing analysis performed | No |
| Hardware Verification | |
| Hardware verified | Yes |
| Hardware platform used for verification | Avnet UltraZed-EG and ZCU102 evaluation boards |


References

1. Zynq UltraScale+ MPSoC: Embedded Design Tutorial (UG1209)

2. Zynq UltraScale+ MPSoC: Technical Reference Manual (UG1085)

3. Internal Programming of BBRAM and eFUSEs (XAPP1283)

4. Secure Boot of Zynq-7000 All Programmable SoC (XAPP1175)

5. Zynq UltraScale+ MPSoC Technical Reference Manual (UG1085)

6. Changing the Cryptographic Key in Zynq-7000 AP SoC (XAPP1223)

7. Zynq UltraScale+ MPSoC Software Developer Guide (UG1137)

Revision History

The following table shows the revision history for this document.


| Date | Version | Revision |
|---|---|---|
| 07/26/2017 | 1.0 | Initial Xilinx release. |

