Zynq Ultrascale+ MPSoC Secure Driver for Linux
Table Of Content
Introduction
This Secure driver provides an interface to secure_load firmware APIs to load a secure partition.
HW IP Features
NA
Features supported in driver
- Sysfs interface to load the secure partition.
- Sysfs interface to load the AES key used to decrypt the secure partition.
Kernel Configuration
Firmware driver is by default enabled for ZynqMP platform. The following config options should be enabled in order to build the ZynqMP firmware driver.
Please note as the data provided in user space will be located in virtual space, linux driver before handing off to ATF converts the data buffers to physical address.
CONFIG_ZYNQMP_FIRMWARE:
Firmware interface driver is used by different to
communicate with the firmware for various platform
management services.
Say yes to enable ZynqMP firmware interface driver.
In doubt, say N
Symbol: ZYNQMP_FIRMWARE [=y]
Type : boolean
Prompt: Enable Xilinx Zynq MPSoC firmware interface
Location:
-> Firmware Drivers
-> Zynq MPSoC Firmware Drivers
Defined at drivers/firmware/xilinx/zynqmp/Kconfig:7
Depends on: ARCH_ZYNQMP [=y]
Selected by: ARCH_ZYNQMP [=y]
The following config option should be enabled to load secure partition from the Linux.
Symbol: ZYNQMP_FIRMWARE_SECURE [=n]
Type : bool
Prompt: Enable Xilinx Zynq MPSoC secure firmware loading APIs
Location:
-> Firmware Drivers
-> Zynq MPSoC Firmware Drivers
Defined at drivers/firmware/xilinx/Kconfig:24
Depends on: ARCH_ZYNQMP [=y]
Test Procedure
Create a primary boot image with PMUFW, FSBL, U-boot and ATF. Example .bif is provided below.
boot_img:
{
[auth_params] ppk_select = <0/1>
[pskfile]<path_to_primary_secret_key_file>
[sskfile]<path_to_secondary_secret_key_file>
[keysrc_encryption] bbram_red_key
// Bootloader
[ bootloader,
destination_cpu = a53-0,
authentication = rsa,
encryption = aes,
aeskeyfile = <path_to_aes_red_key_file>
] <path_to_fsbl_elf_file>
// PMU FW - Loaded by FSBL
[ destination_cpu = pmu,
authentication = rsa,
encryption = aes,
aeskeyfile = <path_to_aes_red_key_file>
] <path_to_pmufw_elf_file>
// ATF
[ destination_cpu = a53-0,
exception_level = el-3,
trustzone = secure,
authentication = rsa,
encryption = aes,
aeskeyfile = <path_to_aes_red_key_file>
] <path_to_atf_elf_file>
//U-boot
[ destination_cpu = a53-0,
exception_level = el-2,
authentication = rsa,
encryption = aes,
aeskeyfile = <path_to_aes_red_key_file>
] <path_to_uboot_elf_file>
}
Create single partition image (authenticated or encrypted or authenticated + encrypted). The example .bif is provided below.
data_img:
{
[auth_params] ppk_select = 0; spk_id = 0x01
[pskfile]<path_to_primary_secure_key_file>
[sskfile]<path_to_secondary_secure_key_file>
[spk_select] spk_efuse
[ authentication = rsa,
] <path_to_image_file_to_be_authenticated>
}
Expected Output:
root@xilinx-zcu102-2019_1:~# mount /dev/mmcblk0p1 /media/ root@xilinx-zcu102-2019_1:~# cp /media/data* /lib/firmware/ root@xilinx-zcu102-2019_1:~# echo data_auth.bin > /sys/devices/platform/securefw/secure_load [ 57.316797] securefw securefw: Verified image at 0x6fcc2800 root@xilinx-zcu102-2019_1:~# root@xilinx-zcu102-2019_1:~# root@xilinx-zcu102-2019_1:~# echo data_enc_kup.bin > /sys/devices/platform/securefw/secure_load Err: Failed image loading with error : 14 [ 69.530529] securefw securefw: Failed to load secure image -sh: echo: write error: Invalid argument root@xilinx-zcu102-2019_1:~# root@xilinx-zcu102-2019_1:~# root@xilinx-zcu102-2019_1:~# root@xilinx-zcu102-2019_1:~# root@xilinx-zcu102-2019_1:~# echo f878b838d8589818e868a828c8488808f070b030d0509010e060a020c0408000 > /sys/devices/platform/securefw/key root@xilinx-zcu102-2019_1:~# echo data_enc_kup.bin > /sys/devices/platform/securefw/secure_load [ 88.682596] securefw securefw: Verified image at 0xf0400000 root@xilinx-zcu102-2018_3:~# echo 1 > /sys/devices/platform/securefw/secure_load_done
Info:
To load encrypted single partition image using device key, primary boot image should be encrypted with the Device key.
Points to be noted :
- To view the error code PMU should be built with PM_LOG_LEVEL set to 2
- If load address is not specified in single partition bin , after decryption the image overrides the source.
- If load address is specified in the bif , decrypted image will be stored in the load address.
- Please make sure to release the kernel memory after reading the decrypted image from the load address using below command.
echo 1 > /sys/devices/platform/securefw/secure_load_done
Mainline status
- This driver is currently not available in mainline kernel.
Change Log
2019.1
Summary
- zynqmp: firmware: Adds a driver for loading secure partition from Linux
Commits
Initial commit
- 386d33zynqmp: firmware: Adds a driver for loading secure partition from Linux
Bug fixes
- 9d4968 firmware: xilinx: Handle error pointer correctly
- b1331d zynqmp-secure: Fix for crash seen with secure image loading
- 07bb52 firmware: zynqmp-secure: Correct error handling for secure_load
- 6a6344 drivers: Defer probe if firmware is not ready
- 3f9e46drivers: xilinx: Reorganize firmware driver for zynqmp
Related Links
https://github.com/Xilinx/linux-xlnx/blob/master/drivers/firmware/xilinx/zynqmp-secure.c
© Copyright 2019 - 2022 Xilinx Inc. Privacy Policy