Introduction
HW IP Features
NA
Features supported in driver
- Sysfs interface to load the secure partition.
- Sysfs interface to load the AES key used to decrypt the secure partition.
Kernel Configuration
The firmware driver is enabled by default for the ZynqMP platform. The following config options should be enabled in order to build the ZynqMP firmware driver.
```
CONFIG_ZYNQMP_FIRMWARE:
Firmware interface driver is used by different to
communicate with the firmware for various platform
management services.
Say yes to enable ZynqMP firmware interface driver.
In doubt, say N
Symbol: ZYNQMP_FIRMWARE [=y]
Type : boolean
Prompt: Enable Xilinx Zynq MPSoC firmware interface
Location:
-> Firmware Drivers
-> Zynq MPSoC Firmware Drivers
Defined at drivers/firmware/xilinx/zynqmp/Kconfig:7
Depends on: ARCH_ZYNQMP [=y]
Selected by: ARCH_ZYNQMP [=y]
```
The following config option should be enabled to load a secure partition from Linux.
```
Symbol: ZYNQMP_FIRMWARE_SECURE [=n]
Type : bool
Prompt: Enable Xilinx Zynq MPSoC secure firmware loading APIs
Location:
-> Firmware Drivers
-> Zynq MPSoC Firmware Drivers
Defined at drivers/firmware/xilinx/Kconfig:24
Depends on: ARCH_ZYNQMP [=y]
```
Test Procedure
Create a primary boot image with PMUFW, FSBL, U-boot and ATF. An example .bif is provided below.
```
boot_img:
{
    [auth_params] ppk_select = <0/1>
    [pskfile]<path_to_primary_secret_key_file>
    [sskfile]<path_to_secondary_secret_key_file>
    [keysrc_encryption] bbram_red_key
    // Bootloader
    [ bootloader,
      destination_cpu = a53-0,
      authentication = rsa,
      encryption = aes,
      aeskeyfile = <path_to_aes_red_key_file>
    ] <path_to_fsbl_elf_file>
    // PMU FW - Loaded by FSBL
    [ destination_cpu = pmu,
      authentication = rsa,
      encryption = aes,
      aeskeyfile = <path_to_aes_red_key_file>
    ] <path_to_pmufw_elf_file>
    // ATF
    [ destination_cpu = a53-0,
      exception_level = el-3,
      trustzone = secure,
      authentication = rsa,
      encryption = aes,
      aeskeyfile = <path_to_aes_red_key_file>
    ] <path_to_atf_elf_file>
    // U-boot
    [ destination_cpu = a53-0,
      exception_level = el-2,
      authentication = rsa,
      encryption = aes,
      aeskeyfile = <path_to_aes_red_key_file>
    ] <path_to_uboot_elf_file>
}
```
Create a single-partition image (authenticated, encrypted, or authenticated + encrypted). An example .bif is provided below.
```
data_img:
{
    [auth_params] ppk_select = 0; spk_id = 0x01
    [pskfile]<path_to_primary_secure_key_file>
    [sskfile]<path_to_secondary_secure_key_file>
    [spk_select] spk_efuse
    [ authentication = rsa,
    ] <path_to_image_file_to_be_authenticated>
}
```
Expected Output:
```
root@xilinx-zcu102-2019_1:~# mount /dev/mmcblk0p1 /media/
root@xilinx-zcu102-2019_1:~# cp /media/data* /lib/firmware/
root@xilinx-zcu102-2019_1:~# echo data_auth.bin > /sys/devices/platform/securefw/secure_load
[ 57.316797] securefw securefw: Verified image at 0x6fcc2800
root@xilinx-zcu102-2019_1:~#
root@xilinx-zcu102-2019_1:~#
root@xilinx-zcu102-2019_1:~# echo data_enc_kup.bin > /sys/devices/platform/securefw/secure_load
Err: Failed image loading with error : 14
[ 69.530529] securefw securefw: Failed to load secure image
-sh: echo: write error: Invalid argument
root@xilinx-zcu102-2019_1:~#
root@xilinx-zcu102-2019_1:~#
root@xilinx-zcu102-2019_1:~#
root@xilinx-zcu102-2019_1:~#
root@xilinx-zcu102-2019_1:~# echo f878b838d8589818e868a828c8488808f070b030d0509010e060a020c0408000 > /sys/devices/platform/securefw/key
root@xilinx-zcu102-2019_1:~# echo data_enc_kup.bin > /sys/devices/platform/securefw/secure_load
[ 88.682596] securefw securefw: Verified image at 0xf0400000
root@xilinx-zcu102-2018_3:~# echo 1 > /sys/devices/platform/securefw/secure_load_done
```
Info: To load an encrypted single-partition image using the device key, the primary boot image should be encrypted with the device key.
Points to be noted:
- To view the error code, the PMU should be built with PM_LOG_LEVEL set to 2.
- If a load address is not specified in the single-partition bin, the decrypted image overwrites the source.
- If a load address is specified in the bif, the decrypted image is stored at the load address.
- Make sure to release the kernel memory after reading the decrypted image from the load address, using the command below.
  `echo 1 > /sys/devices/platform/securefw/secure_load_done`
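The sysfs sequence from the session above, wrapped as shell functions. This is an added example, not part of the original page or the Xilinx driver sources. It assumes the key is 64 hex characters (as in the session) and reads it from a file instead of the command line; `SECUREFW_DIR`, `FW_DIR` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: wrapper around the securefw sysfs files used in the session above.
# SECUREFW_DIR and FW_DIR (hypothetical names) are overridable for off-target runs.
SECUREFW_DIR="${SECUREFW_DIR:-/sys/devices/platform/securefw}"
FW_DIR="${FW_DIR:-/lib/firmware}"

# Return 0 only if $1 is exactly 64 hex characters (assumed key format,
# matching the length of the key written in the session above).
securefw_key_ok() {
    case "$1" in
        ""|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 64 ]
}

# securefw_load IMAGE [KEYFILE]
# IMAGE is a bare file name under FW_DIR; KEYFILE holds the AES key in hex.
securefw_load() {
    image="$1"; keyfile="${2:-}"
    # This wrapper accepts bare file names only, as used in the session.
    case "$image" in
        ""|*/*) echo "securefw: bad image name" >&2; return 2 ;;
    esac
    [ -f "$FW_DIR/$image" ] || { echo "securefw: $image not in $FW_DIR" >&2; return 2; }
    if [ -n "$keyfile" ]; then
        # Reading from a file keeps the key out of argv and shell history.
        key=$(tr -d ' \n\r' < "$keyfile") || return 3
        securefw_key_ok "$key" || { echo "securefw: key must be 64 hex chars" >&2; return 3; }
        printf '%s\n' "$key" > "$SECUREFW_DIR/key" || return 3
        key=
    fi
    # In the session, a rejected image shows up as a write error (Invalid argument).
    printf '%s\n' "$image" > "$SECUREFW_DIR/secure_load" || {
        echo "securefw: load of $image failed, check the kernel log" >&2; return 1; }
}

# Release the kernel memory once the loaded image has been read.
securefw_release() {
    printf '1\n' > "$SECUREFW_DIR/secure_load_done"
}
```

On the target, `securefw_load data_enc_kup.bin /path/to/keyfile` followed by `securefw_release` reproduces the last three commands of the session.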
Mainline status
- This driver is currently not available in mainline kernel.
Change Log
2019.1
Summary
- zynqmp: firmware: Adds a driver for loading secure partition from Linux
Commits
Initial commit
- 386d33 zynqmp: firmware: Adds a driver for loading secure partition from Linux
Bug fixes
- 9d4968 firmware: xilinx: Handle error pointer correctly
- b1331d zynqmp-secure: Fix for crash seen with secure image loading
- 07bb52 firmware: zynqmp-secure: Correct error handling for secure_load
- 6a6344 drivers: Defer probe if firmware is not ready
- 3f9e46 drivers: xilinx: Reorganize firmware driver for zynqmp
Related Links
https://github.com/Xilinx/linux-xlnx/blob/master/drivers/firmware/xilinx/zynqmp-secure.c