Authentication and Decryption in Zynq U-Boot


U-Boot for Zynq can authenticate and decrypt bitstreams/images from the command line. Both the zynqrsa and zynqaes commands operate on an image located in DDR memory, which allows the images to be loaded from a wide variety of sources (flash memory, TFTP server...).

The images have to be generated using bootgen with proper authentication and encryption keys.


U-Boot configuration

This feature is disabled in the default U-Boot/PetaLinux configurations, so both CONFIG_CMD_ZYNQ_RSA and CONFIG_CMD_ZYNQ_AES need to be enabled in the U-Boot configuration file.


Loading authenticated/encrypted bitstream

Encrypted bitstream

Create a BIF file to be used for the encrypted bitstream generation process and use bootgen to generate it.
Boot up to U-Boot and use the zynqaes command to load the encrypted bitstream.
Note: this feature does not work with eFUSE stored keys for U-Boot releases below 2018.1.

Authenticated bitstream

Content under development

Loading authenticated/encrypted images

Encrypted images

Create a BIF file to be used for the encrypted image generation process and use bootgen to generate it. The split option is required for bootgen in order to get the encrypted image without a boot header; this way the dummy partition will include the boot header and the image will be split out in encrypted form.
Boot up to U-Boot and use the zynqaes command to decrypt the encrypted image.
Note: this feature does not work for U-Boot releases below 2018.1.

Authenticated images

Create a BIF file to be used for the authenticated image generation process and use bootgen to generate it. The partitions authenticated by U-Boot are specified with the partition_owner attribute, and the load attribute sets the address where the authenticated partition will be loaded. The current implementation requires at least two partitions to be present before the first U-Boot owned partition.
Boot up to U-Boot and use the zynqrsa command to authenticate the boot image.
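
As an added example (not from the original page, U-Boot or bootgen), the following Python script checks a BIF file against the constraints described above before it is handed to bootgen. The file names, key file names and load address in the sample BIFs are constructed; counting every non-key entry as a partition and expecting authentication=rsa on U-Boot owned partitions are assumptions.

```python
import re

# bootgen BIF attributes that name key files, not partitions (subset used here).
KEY_ATTRS = {"aeskeyfile", "pskfile", "sskfile", "ppkfile", "spkfile"}
ENTRY = re.compile(r"(?:\[([^\]]*)\])?\s*([^\s\[\]{}]+)")

def parse_bif(text):
    """Return the partitions of one BIF image block, in order, as (attrs, file)."""
    text = re.sub(r"/\*.*?\*/|//[^\n]*", "", text, flags=re.S)  # drop comments
    body = text[text.index("{") + 1 : text.rindex("}")]
    partitions = []
    for raw_attrs, filename in ENTRY.findall(body):
        attrs = {}
        for item in filter(None, (a.strip() for a in raw_attrs.split(","))):
            key, _, value = item.partition("=")
            attrs[key.strip().lower()] = value.strip().lower()
        if KEY_ATTRS.isdisjoint(attrs):  # assumption: non-key entries are partitions
            partitions.append((attrs, filename))
    return partitions

def check_uboot_owned(partitions):
    """List problems with the partitions U-Boot is expected to authenticate."""
    owned = [i for i, (a, _) in enumerate(partitions) if a.get("partition_owner") == "uboot"]
    if not owned:
        return ["no partition has partition_owner=uboot"]
    findings = []
    if owned[0] < 2:
        findings.append("fewer than two partitions precede the first U-Boot owned partition")
    for i in owned:
        attrs, name = partitions[i]
        if "load" not in attrs:
            findings.append(f"{name}: no load address")
        if attrs.get("authentication") != "rsa":  # assumption: RSA expected here
            findings.append(f"{name}: not RSA-authenticated")
    return findings

# Constructed sample BIFs; file names, key names and the load address are made up.
GOOD_BIF = """image : {
    [pskfile] psk.pem
    [sskfile] ssk.pem
    [bootloader, authentication=rsa] fsbl.elf
    [authentication=rsa] u-boot.elf
    [authentication=rsa, partition_owner=uboot, load=0x3000000] image.ub
}"""
BAD_BIF = """image : {
    [pskfile] psk.pem
    [bootloader, authentication=rsa] fsbl.elf
    [partition_owner=uboot] image.ub  // constructed: unsigned, no load address
}"""
print(check_uboot_owned(parse_bif(GOOD_BIF)) or "ok", check_uboot_owned(parse_bif(BAD_BIF)))
```

Running the check as a build step catches a U-Boot owned partition that would be emitted unsigned or in the wrong position before the image reaches the target.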

Encrypted and Authenticated images

Create a BIF file to be used for the image generation process and use bootgen to generate it.
Boot up to U-Boot and use the zynqrsa command to authenticate and decrypt the boot image.
