Table Of Content
NA
Firmware driver is by default enabled for ZynqMP platform. The following config options should be enabled in order to build the ZynqMP firmware driver.
Please note as the data provided in user space will be located in virtual space, linux driver before handing off to ATF converts the data buffers to physical address.
CONFIG_ZYNQMP_FIRMWARE: Firmware interface driver is used by different to communicate with the firmware for various platform management services. Say yes to enable ZynqMP firmware interface driver. In doubt, say N Symbol: ZYNQMP_FIRMWARE [=y] Type : boolean Prompt: Enable Xilinx Zynq MPSoC firmware interface Location: -> Firmware Drivers -> Zynq MPSoC Firmware Drivers Defined at drivers/firmware/xilinx/zynqmp/Kconfig:7 Depends on: ARCH_ZYNQMP [=y] Selected by: ARCH_ZYNQMP [=y] |
The following config option should be enabled to load secure partition from the Linux.
Symbol: ZYNQMP_FIRMWARE_SECURE [=n] Type : bool Prompt: Enable Xilinx Zynq MPSoC secure firmware loading APIs Location: -> Firmware Drivers -> Zynq MPSoC Firmware Drivers Defined at drivers/firmware/xilinx/Kconfig:24 Depends on: ARCH_ZYNQMP [=y] |
Create a primary boot image with PMUFW, FSBL, U-boot and ATF. Example .bif is provided below.
boot_img: { [auth_params] ppk_select = <0/1> [pskfile]<path_to_primary_secret_key_file> [sskfile]<path_to_secondary_secret_key_file> [keysrc_encryption] bbram_red_key // Bootloader [ bootloader, destination_cpu = a53-0, authentication = rsa, encryption = aes, aeskeyfile = <path_to_aes_red_key_file> ] <path_to_fsbl_elf_file> // PMU FW - Loaded by FSBL [ destination_cpu = pmu, authentication = rsa, encryption = aes, aeskeyfile = <path_to_aes_red_key_file> ] <path_to_pmufw_elf_file> // ATF [ destination_cpu = a53-0, exception_level = el-3, trustzone = secure, authentication = rsa, encryption = aes, aeskeyfile = <path_to_aes_red_key_file> ] <path_to_atf_elf_file> //U-boot [ destination_cpu = a53-0, exception_level = el-2, authentication = rsa, encryption = aes, aeskeyfile = <path_to_aes_red_key_file> ] <path_to_uboot_elf_file> } |
Create single partition image (authenticated or encrypted or authenticated + encrypted). The example .bif is provided below.
data_img: { [auth_params] ppk_select = 0; spk_id = 0x01 [pskfile]<path_to_primary_secure_key_file> [sskfile]<path_to_secondary_secure_key_file> [spk_select] spk_efuse [ authentication = rsa, ] <path_to_image_file_to_be_authenticated> } |
root@xilinx-zcu102-2019_1:~# mount /dev/mmcblk0p1 /media/ root@xilinx-zcu102-2019_1:~# cp /media/data* /lib/firmware/ root@xilinx-zcu102-2019_1:~# echo data_auth.bin > /sys/devices/platform/securefw/secure_load [ 57.316797] securefw securefw: Verified image at 0x6fcc2800 root@xilinx-zcu102-2019_1:~# root@xilinx-zcu102-2019_1:~# root@xilinx-zcu102-2019_1:~# echo data_enc_kup.bin > /sys/devices/platform/securefw/secure_load Err: Failed image loading with error : 14 [ 69.530529] securefw securefw: Failed to load secure image -sh: echo: write error: Invalid argument root@xilinx-zcu102-2019_1:~# root@xilinx-zcu102-2019_1:~# root@xilinx-zcu102-2019_1:~# root@xilinx-zcu102-2019_1:~# root@xilinx-zcu102-2019_1:~# echo f878b838d8589818e868a828c8488808f070b030d0509010e060a020c0408000 > /sys/devices/platform/securefw/key root@xilinx-zcu102-2019_1:~# echo data_enc_kup.bin > /sys/devices/platform/securefw/secure_load [ 88.682596] securefw securefw: Verified image at 0xf0400000 root@xilinx-zcu102-2018_3:~# echo 1 > /sys/devices/platform/securefw/secure_load_done |
To load encrypted single partition image using device key, primary boot image should be encrypted with the Device key. |
Points to be noted :
2019.1
Summary
Commits
Initial commit
Bug fixes
https://github.com/Xilinx/linux-xlnx/blob/master/drivers/firmware/xilinx/zynqmp-secure.c