XAPP1319 (v1.0) July 26, 2017 1 www.xilinx.com Summary Zynq® UltraScale+™ devices integrate a system-on-chip (SoC) and programmable logic (PL). Nonvolatile memory (NVM) in the form of eFUSEs and battery-backed RAM (BBRAM) are used for advanced encryption standard (AES) and Rivest-Shamir-Adleman (RSA) cryptography, security control, and user-defined applications. This application note describes the self-programming of BBRAM and eFUSEs in Zynq UltraScale+ devices. The capability to self-program BBRAM and eFUSEs increases the field programmability of Xilinx® FPGAs and SoCs. The self-programming of BBRAM and eFUSEs in Zynq UltraScale+ devices provides ease of use and security advantages over the self-programming capability available with the Zynq-7000 All Programmable SoC and UltraScale™ devices. Download the reference design files for this application note from the Xilinx website. For detailed information about the design files, see Reference Design. Introduction BBRAM and eFUSEs in Zynq UltraScale+ devices are principally used to store AES keys and the hash of RSA keys. Self-programming of BBRAM and eFUSEs in Zynq UltraScale+ devices does not require an IP core. Signals are not externally routed. Software running on the ARM® Cortex®-A53 or Cortex-R5 processor uses the Xilinx Secure Key (XilSKey) library. Example C code is provided to program the BBRAM or eFUSEs. The uses of programming the BBRAM and eFUSEs are listed below. • AES Key (BBRAM or eFUSE) • RSA Support • Security Control Support • PUF Support • User Defined eFUSEs This application note provides the steps to create and run software projects to program the BBRAM and eFUSEs. After programming, steps to create and run a software project to test the cryptographic functionality enabled by programmed memory are provided. For example, after the zcu102_program_bbram software project is run, the hello_world software project tests the functionality. The two tasks used to program the memory in Xilinx Software Development Kit (SDK) are creating and compiling the project using the XilSKey library and Bootgen. Application Note: Zynq UltraScale+ Devices XAPP1319 (v1.0) July 26, 2017 Programming BBRAM and eFUSEs Author: Lester Sanders
27
Embed
Programming BBRAM and eFUSEs - xilinx.com · AES Key Zynq UltraScale+ devices use a hardened AES cryptographic block for AES encryption and decryption. The AES cryptographic block
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
XAPP1319 (v1.0) July 26, 2017 1www.xilinx.com
SummaryZynq® UltraScale+™ devices integrate a system-on-chip (SoC) and programmable logic (PL). Nonvolatile memory (NVM) in the form of eFUSEs and battery-backed RAM (BBRAM) are used for advanced encryption standard (AES) and Rivest-Shamir-Adleman (RSA) cryptography, security control, and user-defined applications. This application note describes the self-programming of BBRAM and eFUSEs in Zynq UltraScale+ devices. The capability to self-program BBRAM and eFUSEs increases the field programmability of Xilinx® FPGAs and SoCs. The self-programming of BBRAM and eFUSEs in Zynq UltraScale+ devices provides ease of use and security advantages over the self-programming capability available with the Zynq-7000 All Programmable SoC and UltraScale™ devices.
Download the reference design files for this application note from the Xilinx website. For detailed information about the design files, see Reference Design.
IntroductionBBRAM and eFUSEs in Zynq UltraScale+ devices are principally used to store AES keys and the hash of RSA keys. Self-programming of BBRAM and eFUSEs in Zynq UltraScale+ devices does not require an IP core. Signals are not externally routed. Software running on the ARM® Cortex®-A53 or Cortex-R5 processor uses the Xilinx Secure Key (XilSKey) library. Example C code is provided to program the BBRAM or eFUSEs.
The uses of programming the BBRAM and eFUSEs are listed below.
• AES Key (BBRAM or eFUSE)
• RSA Support
• Security Control Support
• PUF Support
• User Defined eFUSEs
This application note provides the steps to create and run software projects to program the BBRAM and eFUSEs. After programming, steps to create and run a software project to test the cryptographic functionality enabled by programmed memory are provided. For example, after the zcu102_program_bbram software project is run, the hello_world software project tests the functionality. The two tasks used to program the memory in Xilinx Software Development Kit (SDK) are creating and compiling the project using the XilSKey library and Bootgen.
Application Note: Zynq UltraScale+ Devices
XAPP1319 (v1.0) July 26, 2017
Programming BBRAM and eFUSEsAuthor: Lester Sanders
Programming BBRAM and eFUSEs is a prerequisite for the secure boot functionality discussed in the Zynq UltraScale+ MPSoC: Embedded Design Tutorial (UG1209) [Ref 1].
Hardware and Software RequirementsThe hardware and software requirements for the reference systems are as follows:
• ZCU102 evaluation board or Avnet UltraZed-EG board
• AC power adapter (12 VDC)
• USB type-A to USB mini-B cables (for UART, JTAG communication)
• Secure Digital (SD) multimedia card
• Xilinx Software Development Kit 2017.1 or newer
IMPORTANT: Programming any of the noted eFUSE settings preclude Xilinx test access. Consequently, Xilinx may not accept return material authorization (RMA) requests. The eFUSEs are ENC_ONLY, JTAG_DIS, DFT_DIS, RSA_EN, and AES key.
Programming BBRAM/eFUSEs Using XilSKey LibraryThe XilSKey library is located at <SDK install>/data/embeddedsw/lib/sw_services. The XilSKey library provides examples for programming Zynq UltraScale+ device eFUSEs and BBRAM in the examples directory. The high-level steps using the XilSKey library are explained in the Programming the AES Key in BBRAM, Programming eFUSEs for AES and RSA Cryptographic Functions, and Programming eFUSEs for Using the Physically Uncloneable Function sections.
For a complete list of programmable eFUSEs, see the Zynq UltraScale+ MPSoC: Technical Reference Manual (UG1085) [Ref 2].
BBRAM and eFUSE UsesThe uses of programming the BBRAM and eFUSEs are described below.
AES Key
Zynq UltraScale+ devices use a hardened AES cryptographic block for AES encryption and decryption. The AES cryptographic block accepts keys from several sources. The 256-bit eFUSE AES key is stored either in the BBRAM or eFUSEs. The AES key can also be stored in an obfuscated or black format in external eFUSE. Unlike in Xilinx 7 series FPGAs and Zynq-7000 devices, the AES key cannot be read after it is programmed. The value of the key can be verified. The Zynq UltraScale+ device also supports AES cryptographic functions using the physically uncloneable function (PUF), as discussed in PUF Support. In one of the two modes which use the PUF, eFUSEs are used.
eFUSE UsesThe uses of programming the eFUSEs are described below.
RSA Support
Zynq UltraScale+ devices use silicon-based RSA and SHA3 cryptographic blocks for RSA authentication. RSA uses a 4096-bit private/public key pair. Only the 384-bit hash of the primary public key is stored in the eFUSEs to save area on the device. Zynq UltraScale+ devices support two primary private/public key pairs and a 32-bit secondary key ID (SPK_ID). This functionality can be used for key revocation.
Security Control Support
Zynq UltraScale+ devices provide eFUSEs that increase the security of the device. For example, some eFUSE bits can permanently disable the JTAG and design for testing (DFT) functionality of the device. JTAG and DFT circuitry is useful in development. When a device moves to production, disabling the JTAG and DFT can assist in eliminating security vulnerabilities.
PUF Support
The principle use of the PUF in Zynq UltraScale+ devices is black key storage. Black key storage stores the user’s AES key in the eFUSEs or in the Bootheader in an encrypted format. At the time of use, the encrypted key in the eFUSEs or Bootheader is decrypted and the resulting plaintext key is used for the encryption and decryption operation.
The PUF registration software is used to command the PUF to generate values and to program the eFUSEs used by the PUF. This software is included in the XilSKey library. The registration software commands the PUF to generate the following values.
• Helper data
• Black key (encrypted user key)
In the PUF eFUSE mode, the values generated by the PUF registration software are programmed into the eFUSEs. In the PUF Bootheader mode, the values are included in the Bootheader by the Bootgen.
The steps used to generate and program PUF values into the eFUSEs are explained in Programming eFUSEs for Using the Physically Uncloneable Function. The use of the PUF Bootheader mode is discussed in Secure Boot of Zynq UltraScale+ MPSoC: Embedded Design Tutorial (UG1209) [Ref 1].
User Defined eFUSEs
Zynq UltraScale+ devices provide eight 32-bit registers for user-defined eFUSEs. These eFUSEs can be written to and read from for various user-defined functions.
Table 1 provides a summary of the user-defined macros used in eFUSE programming. These are used in the xilskey_bbramps_zynqmp.c, xilskey_efuseps_zynqmp_input.h, and xilskey_puf_registration.h files.
Table 1: Zynq UltraScale+ Non-Volatile Memory
Macro Description
AES
XSK_EFUSEPS_WRITE_AES_KEY Command to write the value defined in the XSK_EFUSEPS_AES_KEY macro to the AES eFUSE
XSK_EFUSEPS_AES_KEY 256-bit AES key for use in eFUSE
XSK_ZYNQMP_BBRAMPS_AES_KEY 256-bit AES key for use in BBRAM
XSK_EFUSEPS_AES_RD_LOCK Disables the AES key cyclic redundancy check (CRC) for eFUSE key storage
XSK_EFUSEPS_AES_WR_LOCK Disables write to AES eFUSEs
XSK_EFUSEPS_ENC_ONLY When programmed, requires that the boot image be encrypted with eFUSE AES key. It only applies to the encryption status and is independent of the RSA_EN.
XSK_EFUSEPS_BBRAM_DISABLE Permanently disables use of AES key from BBRAM
RSA
XSK_EFUSEPS_PPK0_IS_SHA3 Specifies secure hash algorithm-2 (SHA-2) or SHA-3 of PPK0
XSK_EFUSEPS_WRITE_PPK0_HASH Causes hash of public-private key 0 (PPK0) to be programmed into eFUSEs
XSK_EFUSEPS_PPK0_HASH PPK0 hash
XSK_EFUSEPS_PPK1_IS_SHA3 Specifies SHA-2 or SHA-3 of PPK1
XSK_EFUSEPS_WRITE_PPK1_HASH Causes hash of PPK1 to be programmed into eFUSEs
XSK_EFUSEPS_PPK1_HASH PPK1 hash
XSK_EFUSEPS_PPK0_WR_LOCK Permanently disables writing to PPK0 eFUSEs
XSK_EFUSEPS_PPK0_INVLD Permanently revokes PPK0
XSK_EFUSEPS_PPK1_INVLD Permanently revokes PPK1
XSK_EFUSEPS_PPK1_WR_LOCK Permanently disables writing to PPK1 eFUSEs
XSK_EFUSEPS_RSA_ENABLE Permanently enables RSA authentication during boot
XSK_EFUSEPS_SPK_ID Selects SPK to use
XSK_EFUSEPS_WRITE_SPK Write control for SPK selection
Security Control
XSK_EFUSEPS_ERR_DISABLE Prohibits error messages from being read via JTAG (ERROR_STATUS register)
XSK_EFUSEPS_JTAG_DISABLE Disables JTAG. IDCODE and BYPASS are the only allowed commands.
XSK_EFUSEPS_PROG_GATE_DISABLE When programmed, these fuses prohibit the PROG_GATE feature from being engaged. If any of these are programmed, the PL is always reset when the PS is reset.
16. From the aes.nky file in the reference design files (see Reference Design), copy the AES key to line 66 in the xilskey_bbramps_zynqmp_example.c file. Save the file (Figure 7).
17. In the Project Explorer, right-click on program_aes_bbram_key and select Build Project.
19. Select the Create new BIF file radio button. In the Output BIF file path field, select $PROG_NVM\program_nvm\program_aes_bbram_key (Figure 9).
20. In the bottom pane named Boot Image Partitions, click Add. Browse to and add the zynqmp_fsbl.elf and program_aes_bbram_key.elf partitions. These partitions are usually auto-populated, so this step might not be necessary. A bitstream is not necessary.
21. Click Create Image.
22. Verify that the BOOT.BIN and program_aes_bbram_key.bif files are written to the specified directory $PROG_NVM\program_nvm.
23. Use a text editor to review the program_bbram_aes_key.bif file.
24. Insert an SD card into the SD card slot of the PC. Copy BOOT.BIN to the SD card.
25. Set up the ZCU102 or UltraZed-EG evaluation board.
26. Set up one communication terminal such as Tera Term using Interface 0, 115200 baud rate, and default settings.
27. Move the SD card from the PC to the SD card slot on the ZCU102 or UltraZed-EG evaluation board. The ZCU102 evaluation board uses a standard SD card. The UltraZed-EG board uses a mini SD card.
28. Set the Boot Mode switch to SD mode.
X19401-061417
X-Ref Target - Figure 9
Figure 9: Create a Zynq MP Boot Image for the BBRAM AES Key
31. To test the functionality of the programmed BBRAM, create a hello software project. In the SDK GUI, select File > New Application. In the Project Name field, enter hello_world (Figure 11).
32. Under Available Templates, select Hello World > Next > Finish.
Programming eFUSEs for AES and RSA Cryptographic Functions
XAPP1319 (v1.0) July 26, 2017 19www.xilinx.com
41. Verify that Hello World is displayed on the communication terminal (Figure 14).
Programming eFUSEs for AES and RSA Cryptographic Functions
Run the following steps to program the AES eFUSEs and hash of the primary public key. These steps can be used to program any of the other eFUSEs as well.
1. Navigate to the $PROG_NVM\program_nvm directory.
2. At the command prompt, enter xsdk -workspace . &. Close the SDK welcome window.
Programming eFUSEs for AES and RSA Cryptographic Functions
XAPP1319 (v1.0) July 26, 2017 21www.xilinx.com
6. In the Import Examples pane, select the check box for xilskey_efuseps_zynqmp_example (Figure 16).
7. In the Project Explorer pane, right-click on program_efuses_bsp_0_xilskey_efuseps_zynqmp_example. Under Rename Resource, rename the software project to program_efuses. Click OK.
Programming eFUSEs for AES and RSA Cryptographic Functions
XAPP1319 (v1.0) July 26, 2017 22www.xilinx.com
8. In the Project Explorer pane, expand the program_efuses project. Select src. Double-click xilskey_efuseps_zynqmp_input.h to open the file in an SDK source editor pane (Figure 17).
9. Right-click the left margin of the source editor pane and select Show Numbers in the xilskey_efuseps_zynqmp_input.h file. This file contains the #define statements used to specify the eFUSE functionality.
10. Change the xilskey_efuseps_zynqmp_input.h as defined in Table 2.
X-Ref Target - Figure 17
Figure 17: Edit xilskey_efuseps_zynqmp_input.h
X19405-061417
Table 2: Cryptographic Macros in xilskey_efuseps_zynqmp_input.h
Programming eFUSEs for AES and RSA Cryptographic Functions
XAPP1319 (v1.0) July 26, 2017 23www.xilinx.com
11. Copy $PROG_NVM\program_nvm\keys\aes.nky to xilskey_efuseps_zynqmp_input.h line 426 (XSK_EFUSEPS_AES_KEY).
12. Copy $PROG_NVM\program_nvm\keys\sha3_0.pem to xilskey_efuse_zynqmp_input.h line 429 (XSK_EFUSEPS_PPK0_HASH).
13. Copy $PROG_NVM\program_nvm\keys\sha3_1.pem to xilskey_efuse_zynqmp_input.h line 432 (XSK_EFUSEPS_PPK1_HASH).
14. In the Project Explorer pane, right-click program_efuses, and select Build Project.
15. From the SDK menu bar, select Xilinx Tools > Create Boot Image.
16. Select the Create new BIF file radio button. Specify the location and name of the BIF, $PROG_NVM\program_nvm\program_efuses\program_efuses.bif.
17. Click the Add button. Add the $PROG_NVM\files\zynqmp_fsbl.elf file.
18. Click the Add button. Browse to $PROG_NVM\program_efuses\Debug\program_efuses.elf. Click Create Image.
19. Insert an SD card into the SD card slot of the PC. Copy $PROG_NVM\program_nvm\program_efuses\BOOT.BIN to the SD card.
20. Move the SD card from the PC to the SD card slot on the ZCU102 or UltraZed-EG evaluation board.
21. Set the Boot Mode switch to SD mode.
22. Apply power to the board.
23. Verify that the log in the communication terminal indicates that programming of eFUSEs worked as expected.
24. To test the functionality of the programmed eFUSEs, create a hello software project. In the SDK GUI, select File > New Application. In the Project Name field, enter hello_world.
25. Under Available Templates, select Hello World > Next > Finish.
26. Select Xilinx Tools > Create Boot Image.
27. Select ZynqMP. Click the Create new BIF file radio button. In the Output BIF file path field, select test_encrypted_hello.bif.
28. Click Add in the bottom pane named Boot Image Partitions. Browse to and add the zynqmp_fsbl.elf and hello_world.elf partitions.
29. Click Security > Encryption. In the Key File field, browse to aes.nky. Select EFUSE RED in the Key Store field.
30. Double-click the zynqmp_fsbl.elf and hello_world.elf and change the Encryption to AES. Click Create Image.
31. Insert an SD card into the SD card slot of the PC. Copy the BOOT.BIN to the SD card.
32. Move the SD card from the PC to the SD card slot on the evaluation board.
Programming eFUSEs for Using the Physically Uncloneable Function
XAPP1319 (v1.0) July 26, 2017 24www.xilinx.com
34. Verify that Hello World is displayed on the communication terminal. If the RSA_EN eFUSE is programmed, every boot is required to be authenticated.
Programming eFUSEs for Using the Physically Uncloneable Function
Run the following steps to program eFUSEs used by the PUF.
1. Navigate to the $PROG_NVM\program_nvm\puf_registration directory.
2. At the command prompt, enter xsdk -workspace . &. Close the SDK welcome window.
3. In the SDK GUI, enter File > New > Board Support Package. In the Project Name field, enter puf_registration_bsp_0.
4. In the Board Support Package Settings, scroll down to Supported Libraries and select the check boxes for the xilskey and xilsecure libraries. Click OK.
5. In the system.mss pane, scroll down to view Libraries. Double-click Import Examples to the right of xilskey.
6. In the Examples for xilskey pane, select the check box for xilskey_puf_registration. Click OK.
7. In the Project Explorer pane, right-click puf_registration_bsp_0_xilskey_puf_registration_1. Select Rename. Use the Rename Resource text box to rename the project to puf_registration.
8. In the Project Explorer pane, double-click puf_registration > src > xilskey_puf_registration.h to invoke the file in the SDK source editor.
9. Right-click the left side of the source editor and enable Show Line Numbers.
10. Edit the xilskey_puf_registration.h as follows:
° Line 145 #define XSK_PUF_PROGRAM_EFUSE TRUE
° Line 158 #define XSK_PUF_AES_KEY "45195DE9B5B80119D8DD4E7DF032736D53CF75AD1DCE61C5BA681CFA0724E8"
° Line 159 #define XSK_PUF_IV "62A4B57D0F121CCB02CB8336"
11. Save the file and exit.
12. In the Project Explorer, right-click on the puf_registration project and select Build Project.
13. In the SDK menu bar, select Xilinx Tools > Create Boot Image.
14. Select Zynq MP in the Architecture field.
15. In the Output BIF file path, specify $PROG_NVM\program_nvm\puf_registration\puf_registration.bif.
16. In the Output Path field, specify $PROG_NVM\program_nvm\puf_registration.
17. In the Boot Image Partitions pane, click Add. Add the following partitions:
18. Insert an SD card into the SD card slot of the PC. Copy $PROG_NVM\program_nvm\program_sec_ctrl_efuses\BOOT.BIN to the SD card.
19. Move the SD card from the PC to the SD card slot on the ZCU102 or UltraZed-EG evaluation board.
20. Set the Boot Mode switch to SD mode.
21. Set up a communication terminal.
22. Power cycle the board.
23. Verify that the log displayed in the communication terminal indicates that the security control eFUSEs are programmed as expected.
ConclusionBBRAM and eFUSE programming is required for using the AES and RSA cryptographic functions in Zynq UltraScale+ devices. Zynq UltraScale+ devices also provide security control and user-defined eFUSEs. This application note provides a straightforward and secure method to self-program BBRAM and eFUSEs in the Zynq UltraScale+ devices.
Reference DesignDownload the reference design files for this application note from the Xilinx website.
Table 3 shows the reference design matrix.
Table 3: Reference Design Matrix
Parameter Description
General
Developer name Lester Sanders
Target devices Zynq UltraScale+ devices
Source code provided Yes
Source code format C
Design uses code and IP from existing Xilinx application note and reference designs or third party
Documentation Navigator and Design HubsXilinx Documentation Navigator provides access to Xilinx documents, videos, and support resources, which you can filter and search to find information. To open the Xilinx Documentation Navigator (DocNav):
• From the Vivado® IDE, select Help > Documentation and Tutorials.
• On Windows, select Start > All Programs > Xilinx Design Tools > DocNav.
• At the Linux command prompt, enter docnav.
Xilinx Design Hubs provide links to documentation organized by design tasks and other topics, which you can use to learn key concepts and address frequently asked questions. To access the Design Hubs:
• In the Xilinx Documentation Navigator, click the Design Hubs View tab.
• On the Xilinx website, see the Design Hubs page.
Note: For more information on Documentation Navigator, see the Documentation Navigator page on the Xilinx website.
Test bench used for functional and timing simulations
No
Test bench format N/A
Simulator software/version used N/A
SPICE/IBIS simulations N/A
Implementation
Synthesis software tools/versions used N/A
Implementation software tools/versions used
N/A
Static timing analysis performed No
Hardware Verification
Hardware verified Yes
Hardware platform used for verification Avnet UltraZed-EG and ZCU102 evaluation boards