Zynq UltraScale+ MPSoC JTAG Enable in U-Boot

This design note documents the modifications to a PetaLinux project that are needed to enable JTAG from the U-Boot console after a secure boot. This allows JTAG to be enabled selectively.

  • The ZCU102 and 2022.1 tools are used in this demonstration

  • Securing the boot image is not detailed in this demonstration

  • No form of security is applied to the JTAG enabling process

This mechanism will not work if the JTAG_DIS eFUSE has been burned.


Introduction

This demonstration leverages AR68391 which details the sequence of register writes required to enable JTAG after a secure boot. For U-Boot to modify those registers it utilizes the PMU FW. In PMU FW (in pm_mmio_access.c) there is a filtering process that determines which registers can be accessed. The status of the filtering for the registers of interest is listed below. Modifications are required to enable access to the full set.

| Operation | Reg Name | Symbol | Note |
|---|---|---|---|
| Xil_Out32(0xffca0038,0x3F); | jtag_sec | CSU_JTAG_SEC | Access enabled if SECURE_ACCESS_VAL=1 defined |
| Xil_Out32(0xffca003C,0xFF); | jtag_dap_cfg | CSU_JTAG_DAP_CFG | Access enabled if SECURE_ACCESS_VAL=1 defined |
| Xil_Out32(0xffca0030,0x3); | jtag_chain_cfg | CSU_JTAG_CHAIN_CFG | Access enabled if SECURE_ACCESS_VAL=1 defined + patch applied |
| Xil_Out32(0xFF5E00B0,0x01002002); | DBG_LPD_CTRL | CRL_APB_DBG_LPD_CTRL | Patch required to enable access |
| Xil_Out32(0xFF5E0240,0x0); | RST_LPD_DBG | CRL_APB_RST_LPD_DBG | Patch required to enable access |
| Xil_Out32(0xFFCA3000,0x1); | Pcap_prog | CSU_PCAP_PROG_REG | Access enabled if SECURE_ACCESS_VAL=1 defined |

General Steps

  • It is assumed that you have a PetaLinux 2022.1 Project for the ZCU102 board

  • Configure the PMU FW to support modification of the registers of interest

    • Define the symbol

    • Apply the provided patch

  • Build the PetaLinux Project

  • Create the Boot Image

  • Deploy and Test on the ZCU102 board

Workflow

PetaLinux Project : It is assumed that this has been created.
Configure & Build : Incorporate changes to the PMU FW using build settings along with a patch.
Create Boot Image : Use bootgen to create BOOT.BIN. Authentication uses boot header mode, encryption uses a BBRAM key. For other use cases, the example BIF will need to be modified accordingly.
Deploy & Test on the ZCU102 : Configure a terminal for the U-Boot shell, boot the board from an SD card with the created BOOT.BIN, verify that JTAG is disabled, issue the provided commands, verify that JTAG has been enabled.

Configure for Secure Access Symbol

Define the SECURE_ACCESS_VAL symbol in the PMU FW to enable 4 of the 6 registers needed to enable JTAG.

In the PetaLinux project:

Edit <plnx-proj-root>/project-spec/meta-user/recipes-bsp/embeddedsw/pmu-firmware_%.bbappend to add the following. If this file does not yet exist you will need to create it.

YAML_COMPILER_FLAGS:append = " -DSECURE_ACCESS_VAL=1"

Configure for Patch; Build

Incorporate the patch to enable the remaining 2 registers.

Create the directory for the patch.

$ mkdir -p <plnx-proj-root>/project-spec/meta-user/recipes-bsp/embeddedsw/files

Copy the patch file into the directory (see Appendix for content).

Edit the bbappend file to include the patch.

Include the following into the bbappend.

# Patch for PMU FW
SRC_URI:append = " file://0001-Added-2-regs-for-access.patch"
FILESEXTRAPATHS:prepend := "${THISDIR}/files:"

Build the PMU FW.

$ petalinux-build -c pmufw

Create Boot Image

Use bootgen to create BOOT.BIN.

$ bootgen -arch zynqmp -image ZCU102_uboot_bhauthenc.bif -p zu9eg -o BOOT.BIN

The content of ZCU102_uboot_bhauthenc.bif assumes that the needed components are in a local directory, copied from <plnx-proj-root>/images/linux. It also assumes that keys are in the keys subfolder and named as noted.

//arch = zynqmp; split = false; format = BIN; key_part_name = zu9eg
the_ROM_image:
{
    [pskfile] keys/psk0.pem
    [sskfile] keys/ssk0.pem
    [auth_params] spk_id = 0; ppk_select = 0
    [keysrc_encryption] bbram_red_key
    [fsbl_config] bh_auth_enable
    [bootloader, destination_cpu = a53-0, encryption = aes, aeskeyfile = keys/fsbl_a53.nky, authentication = rsa] zynqmp_fsbl.elf
    [destination_cpu = pmu, authentication = rsa] pmufw.elf
    [encryption = aes, aeskeyfile = keys/design_1_wrapper.nky, authentication = rsa, destination_device = pl] design_1_wrapper.bit
    [destination_cpu = a53-0, exception_level = el-3, trustzone, authentication = rsa] bl31.elf
    [destination_cpu = a53-0, load = 0x00100000, encryption = aes, aeskeyfile = devtree.nky, authentication = rsa] system.dtb
    [destination_cpu = a53-0, exception_level = el-2, encryption = aes, aeskeyfile = keys/u-boot.nky, authentication = rsa] u-boot.elf
}

Deploy & Test

Copy BOOT.BIN onto the SD card, insert it into the ZCU102, set boot mode to SD; power up.

Issue the following at the U-Boot prompt.

u-boot> zynqmp mmio_write 0xffca0038 0xffffffff 0x3f
u-boot> zynqmp mmio_write 0xffca003c 0xffffffff 0xff
u-boot> zynqmp mmio_write 0xffca0030 0xffffffff 0x3
u-boot> zynqmp mmio_write 0xff5e00b0 0xffffffff 0x01002002
u-boot> zynqmp mmio_write 0xff5e0240 0xffffffff 0x0
u-boot> zynqmp mmio_write 0xffca3000 0xffffffff 0x1

Verify JTAG access to the Zynq UltraScale+ device.
One method to verify the enablement of JTAG is to connect in an XSCT shell and execute xsct$ targets. The expected output when JTAG is disabled / enabled is shown below.

Appendix

PMU FW Patch

Patch Creation Process

In a directory outside of the PetaLinux project clone the embeddedsw repository.

$ mkdir pmufw_patch ; cd pmufw_patch
$ git clone https://github.com/Xilinx/embeddedsw
$ cd embeddedsw
$ git checkout xilinx_v2022.1
(can use git tag -l to get a list of tags)

Edit the pm_mmio_access.c source file in embeddedsw/lib/sw_apps/zynqmp_pmufw/src to add R/W access for DBG_LPD_CTRL and RST_LPD_DBG and change CSU_JTAG_CHAIN_CFG to R/W.

CSU_JTAG_CHAIN_CFG needs to be changed to R/W from WO because the zynqmp mmio_write command performs a read-modify-write. When this register is in WO mode the read fails and the write does not occur.

Create a patch from the modified source file.

$ git add pm_mmio_access.c

optional : $ git status to see the file is staged.

$ git commit --signoff

optional : $ git status to see the file is no longer staged.
optional : $ git show to see the changes just added.

$ git diff xilinx_v2022.1 > 0001-Added-2-regs-for-access.patch

Review the patch to verify that expected changes are represented.
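
The read-modify-write behaviour noted above for CSU_JTAG_CHAIN_CFG, together with the allow-list filtering described in the Introduction, can be modelled in a few lines of C. This is an added example, not code from pm_mmio_access.c or from Xilinx; the types, function names and the R/W setting for CSU_JTAG_SEC are assumptions made for the model, and only the register addresses and written values come from this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of an allow-list register filter; not pm_mmio_access.c. */
enum access { ACC_RO = 1, ACC_WO = 2, ACC_RW = ACC_RO | ACC_WO };
struct region { uint32_t addr; unsigned acc; uint32_t value; };
/* Addresses as listed in the register table on this page. */
#define CSU_JTAG_CHAIN_CFG   0xFFCA0030u
#define CSU_JTAG_SEC         0xFFCA0038u
#define CRL_APB_DBG_LPD_CTRL 0xFF5E00B0u

static struct region *lookup(struct region *t, size_t n, uint32_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (t[i].addr == addr) return &t[i];
    return NULL; /* unlisted register: default deny */
}

/* Masked write done as read-modify-write, as the page describes for
 * "zynqmp mmio_write". Returns 0 on success, -1 if the filter refuses. */
int masked_write(struct region *t, size_t n, uint32_t addr, uint32_t mask, uint32_t val)
{
    struct region *r = lookup(t, n, addr);
    if (r == NULL || !(r->acc & ACC_RO))
        return -1; /* read refused, so the write is never issued */
    if (!(r->acc & ACC_WO))
        return -1; /* readable but not writable */
    r->value = (r->value & ~mask) | (val & mask);
    return 0;
}

/* Apply the page's CSU_JTAG_CHAIN_CFG write; returns the value afterwards. */
uint32_t chain_cfg_after(unsigned acc)
{
    struct region t[] = {
        { CSU_JTAG_SEC, ACC_RW, 0 },      /* assumed R/W in this model */
        { CSU_JTAG_CHAIN_CFG, acc, 0 },   /* access type under test */
    };
    masked_write(t, 2, CSU_JTAG_CHAIN_CFG, 0xFFFFFFFFu, 0x3u);
    return t[1].value;
}

int main(void)
{
    printf("WO=0x%x ", (unsigned)chain_cfg_after(ACC_WO));
    printf("RW=0x%x\n", (unsigned)chain_cfg_after(ACC_RW));
    return 0;
}
```

With the register listed as WO the value stays unchanged, which is why the patch has to move CSU_JTAG_CHAIN_CFG to R/W; a register absent from the table is refused outright.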

 

© Copyright 2019 - 2022 Xilinx Inc.