Introduction

This Secure driver provides an interface to secure_load firmware APIs to load a secure partition.

HW IP Features

NA

Features supported in driver

Sysfs interface to load the secure partition.
Sysfs interface to load the AES key used to decrypt the secure partition.

Kernel Configuration

Firmware driver is by default enabled for ZynqMP platform. The following config options should be enabled in order to build the ZynqMP firmware driver.

Please note as the data provided in user space will be located in virtual space, linux driver before handing off to ATF converts the data buffers to physical address.

CONFIG_ZYNQMP_FIRMWARE:
 
Firmware interface driver is used by different to
communicate with the firmware for various platform
management services.
Say yes to enable ZynqMP firmware interface driver.
In doubt, say N
 
Symbol: ZYNQMP_FIRMWARE [=y]
Type  : boolean
Prompt: Enable Xilinx Zynq MPSoC firmware interface
  Location:
    -> Firmware Drivers
      -> Zynq MPSoC Firmware Drivers
  Defined at drivers/firmware/xilinx/zynqmp/Kconfig:7
  Depends on: ARCH_ZYNQMP [=y]
  Selected by: ARCH_ZYNQMP [=y]

The following config option should be enabled to load secure partition from the Linux.

Symbol: ZYNQMP_FIRMWARE_SECURE [=n]                                                                                                                    
Type  : bool                                                                                                                                           
Prompt: Enable Xilinx Zynq MPSoC secure firmware loading APIs                                                                                          
  Location:                                                                                                                                            
   -> Firmware Drivers                                                                                                                                
     -> Zynq MPSoC Firmware Drivers                                                                                                                   
  Defined at drivers/firmware/xilinx/Kconfig:24                                                                                                       
  Depends on: ARCH_ZYNQMP [=y]

Test Procedure

Create a primary boot image with PMUFW, FSBL, U-boot and ATF. Example .bif is provided below.

boot_img:
{
   [auth_params] ppk_select = <0/1>
   [pskfile]<path_to_primary_secret_key_file>
   [sskfile]<path_to_secondary_secret_key_file>
   [keysrc_encryption] bbram_red_key

   // Bootloader
   [ bootloader,
     destination_cpu = a53-0,
     authentication = rsa,
	 encryption = aes,
	 aeskeyfile = <path_to_aes_red_key_file>
   ] <path_to_fsbl_elf_file>

   // PMU FW - Loaded by FSBL
   [ destination_cpu = pmu,
     authentication = rsa,
	 encryption = aes,
	 aeskeyfile = <path_to_aes_red_key_file>
   ] <path_to_pmufw_elf_file>

   // ATF
   [ destination_cpu = a53-0,
     exception_level = el-3,
     trustzone = secure,
     authentication = rsa,
	 encryption = aes,
	 aeskeyfile = <path_to_aes_red_key_file>
   ] <path_to_atf_elf_file>

   //U-boot
   [ destination_cpu = a53-0,
     exception_level = el-2,
     authentication = rsa,
	 encryption = aes,
	 aeskeyfile = <path_to_aes_red_key_file>	 
   ] <path_to_uboot_elf_file>
}

Create single partition image (authenticated or encrypted or authenticated + encrypted). The example .bif is provided below.

data_img:
{
   [auth_params] ppk_select = 0; spk_id = 0x01 
   [pskfile]<path_to_primary_secure_key_file> 
   [sskfile]<path_to_secondary_secure_key_file>
   [spk_select] spk_efuse
   
   [ authentication = rsa,
   ] <path_to_image_file_to_be_authenticated>
}

Expected Output:

root@xilinx-zcu102-2019_1:~# mount /dev/mmcblk0p1 /media/ 
root@xilinx-zcu102-2019_1:~# cp /media/data* /lib/firmware/ 
root@xilinx-zcu102-2019_1:~# echo data_auth.bin > /sys/devices/platform/securefw/secure_load 
[   57.316797] securefw securefw: Verified image at 0x6fcc2800 
root@xilinx-zcu102-2019_1:~# 
root@xilinx-zcu102-2019_1:~# 
root@xilinx-zcu102-2019_1:~# echo data_enc_kup.bin > /sys/devices/platform/securefw/secure_load
Err: Failed image loading  with error : 14 
[   69.530529] securefw securefw: Failed to load secure image 
-sh: echo: write error: Invalid argument 
root@xilinx-zcu102-2019_1:~# 
root@xilinx-zcu102-2019_1:~# 
root@xilinx-zcu102-2019_1:~# 
root@xilinx-zcu102-2019_1:~#
root@xilinx-zcu102-2019_1:~# echo f878b838d8589818e868a828c8488808f070b030d0509010e060a020c0408000 > /sys/devices/platform/securefw/key 
root@xilinx-zcu102-2019_1:~# echo data_enc_kup.bin > /sys/devices/platform/securefw/secure_load 
[   88.682596] securefw securefw: Verified image at 0xf0400000 
root@xilinx-zcu102-2018_3:~# echo 1 > /sys/devices/platform/securefw/secure_load_done

Info:

To load encrypted single partition image using device key, primary boot image should be encrypted with the Device key.

Points to be noted :

To view the error code PMU should be built with PM_LOG_LEVEL set to 2
If load address is not specified in single partition bin , after decryption the image overrides the source.
If load address is specified in the bif , decrypted image will be stored in the load address.
Please make sure to release the kernel memory after reading the decrypted image from the load address using below command.
echo 1 > /sys/devices/platform/securefw/secure_load_done

Mainline status

This driver is currently not available in mainline kernel.

Change Log

2019.1

Summary

zynqmp: firmware: Adds a driver for loading secure partition from Linux

Commits

Initial commit

386d33zynqmp: firmware: Adds a driver for loading secure partition from Linux

Bug fixes

9d4968 firmware: xilinx: Handle error pointer correctly
b1331d zynqmp-secure: Fix for crash seen with secure image loading
07bb52 firmware: zynqmp-secure: Correct error handling for secure_load
6a6344 drivers: Defer probe if firmware is not ready
3f9e46drivers: xilinx: Reorganize firmware driver for zynqmp

Zynq Ultrascale+ MPSoC Secure Driver for Linux