Authentication and Decryption in Zynq U-Boot
U-Boot for Zynq can authenticate and decrypt bitstreams/images from the command line. Both the zynq rsa and zynq aes commands operate on an image held in DDR memory, which allows the images to be loaded from a wide variety of sources (flash memory, TFTP server...).
The images have to be generated using bootgen with proper authentication and encryption keys.
U-Boot configuration
This feature is disabled in the default U-Boot/PetaLinux configurations, so both CONFIG_CMD_ZYNQ_RSA and CONFIG_CMD_ZYNQ_AES need to be enabled in the U-Boot configuration file.

zynq aes - Zynq AES decryption

Usage:
zynq aes [operation type] <srcaddr> <srclen> <dstaddr> <dstlen>
- Decrypts the encrypted image present in source address
and places the decrypted image at destination address
zynq aes operations:
zynq aes <srcaddr> <srclen> <dstaddr> <dstlen>
zynq aes load <srcaddr> <srclen>
zynq aes loadp <srcaddr> <srclen>
if operation type is load or loadp, it loads the encrypted
full or partial bitstream on to PL respectively. If no valid
operation type specified then it loads decrypted image back
to memory and it doesnt support loading PL bistsream

Zynq> zynq rsa
zynq rsa - Zynq RSA verfication

Usage:
zynq rsa <baseaddr> - Verifies the authenticated and encrypted zynq images
Loading authenticated/encrypted bitstream
Encrypted bitstream
Create a BIF file to be used for the encrypted bitstream generation process and use bootgen to generate it.

all:
{
    [aeskeyfile] key.nky
    [encryption = aes] download.bit
}

bootgen -image bitstream.bif -arch zynq -process_bitstream bin -encrypt efuse

Zynq> fatload mmc 0 1000000 download.bit.bin
reading download.bit.bin
4044652 bytes read in 234 ms (16.5 MiB/s)
Zynq> zynq aes load 1000000 ${filesize}
zynq_decrypt_load: FPGA config done
Authenticated bitstream
Content under development
Loading authenticated/encrypted images
Encrypted images
Create a BIF file to be used for the encrypted image generation process and use bootgen to generate it. The split option is required for bootgen in order to get the encrypted image without the boot header; this way the dummy partition will include the boot header and the image will be split in an encrypted way.

all:
{
    [aeskeyfile] key.nky
    [bootloader, encryption=aes] zynq_fsbl.elf
    [encryption = aes] image.ub
}

bootgen -w -image images.bif -arch zynq -o images.bin -encrypt efuse -split bin

Zynq> fatload mmc 0 0x1000000 image.ub.bin
reading image.ub.bin
10147564 bytes read in 565 ms (17.1 MiB/s)
Zynq> zynq aes 0x1000000 0x9ad6ec 0x2000000 0x9ad3d0
Authenticated images
Create a BIF file to be used for the authenticated image generation process and use bootgen to generate it. The partitions authenticated by U-Boot are specified with the partition_owner attribute, and the load attribute sets the address where the authenticated partition will be loaded. The current implementation requires at least two partitions to be present before the first U-Boot owned partition.

all:
{
    [pskfile] psk.pem
    [sskfile] ssk.pem
    [bootloader, authentication=rsa] zynq_fsbl.elf
    [authentication=rsa] u-boot.elf
    [authentication=rsa, load = 0x3000000, partition_owner=uboot] image.ub
}

bootgen -w -image images.bif -arch zynq -o images.bin

Zynq> fatload mmc 0 0x1000000 images.bin
reading images.bin
15157504 bytes read in 1263 ms (11.4MiB/s)
Zynq> zynq rsa 0x1000000
UBOOT is not Owner for partition 0
UBOOT is not Owner for partition 1
Zynq> bootm 0x3000000
Encrypted and Authenticated images
Create a BIF file to be used for image generation process and use bootgen to generate it.

all:
{
    [aeskeyfile] key.nky
    [pskfile] psk.pem
    [sskfile] ssk.pem
    [bootloader, encryption=aes, authentication=rsa] zynq_fsbl.elf
    [encryption=aes, authentication=rsa] u-boot.elf
    [encryption=aes, authentication=rsa, load = 0x3000000, partition_owner=uboot] image.ub
}

bootgen -w -image images.bif -arch zynq -o images.bin -encrypt efuse

Zynq> fatload mmc 0 0x1000000 images.bin
reading images.bin
15157504 bytes read in 1263 ms (11.4MiB/s)
Zynq> zynq rsa 0x1000000
UBOOT is not Owner for partition 0
UBOOT is not Owner for partition 1
Zynq> bootm 0x3000000
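
The BIF constraints described in the sections above (key files for encryption=aes and authentication=rsa, a load address on the U-Boot owned partition, and at least two partitions before it) can be checked before bootgen is run. The following Python linter is an added example, not part of the original page or of any Xilinx tool; the names parse_bif and lint_bif are hypothetical, and the key-file rules assume keys are supplied the way this page's BIF files supply them (aeskeyfile, pskfile, sskfile).

```python
import re

# Constructed sample: the authenticated-image BIF shown on this page.
SAMPLE_BIF = """
all:
{
    [pskfile] psk.pem
    [sskfile] ssk.pem
    [bootloader, authentication=rsa] zynq_fsbl.elf
    [authentication=rsa] u-boot.elf
    [authentication=rsa, load = 0x3000000, partition_owner=uboot] image.ub
}
"""

KEY_ATTRS = {"aeskeyfile", "pskfile", "sskfile"}  # key-file entries used on this page

def parse_bif(text):
    """Return (key_files, partitions) for a single-image BIF like the ones above."""
    body = text[text.index("{") + 1 : text.rindex("}")]
    keys, parts = {}, []
    for attrs, path in re.findall(r"\[([^\]]*)\]\s*(\S+)", body):
        fields = {}
        for item in attrs.split(","):
            name, _, value = item.partition("=")
            fields[name.strip().lower()] = value.strip()
        if KEY_ATTRS & set(fields):
            keys.update({k: path for k in fields})
        else:
            parts.append((path, fields))
    return keys, parts

def lint_bif(text):
    """List violations of the constraints this page states (or assumes, where noted)."""
    keys, parts = parse_bif(text)
    problems = []
    for index, (path, f) in enumerate(parts):
        if f.get("authentication") == "rsa" and not {"pskfile", "sskfile"} <= set(keys):
            problems.append(f"{path}: authentication=rsa without pskfile/sskfile")
        if f.get("encryption") == "aes" and "aeskeyfile" not in keys:
            problems.append(f"{path}: encryption=aes without aeskeyfile")
        if f.get("partition_owner") == "uboot":
            if index < 2:  # page: two partitions must precede the first U-Boot owned one
                problems.append(f"{path}: needs two partitions before it")
            if "load" not in f:  # page: load sets where zynq rsa places the partition
                problems.append(f"{path}: partition_owner=uboot without load address")
            if f.get("authentication") != "rsa":  # assumption: owned partitions are meant to be verified
                problems.append(f"{path}: U-Boot owned but not authentication=rsa")
    return problems
```

Running lint_bif(SAMPLE_BIF) returns an empty list; a BIF that gives a partition partition_owner=uboot without a load attribute, or places it first or second, is reported with one message per violation.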
© Copyright 2019 - 2022 Xilinx Inc. Privacy Policy