Chapter 32: Device Security
XILINX CONFIDENTIAL — DISCLOSED UNDER NDA
Zynq-7000 EPP Technical Reference Manual www.xilinx.com 4
UG585 (DRAFT) February 15, 2012
33.2 Master Secure Boot
The Master Secure Boot mode is the only secure boot mode that Zynq-7000 supports. It uses the hardened AES
decryption engine and the hardened HMAC authentication engine within the PL to decrypt the encrypted image. The
boot process and data flow for the Master Secure Boot mode are shown in Figure 1.
Figure 1: Boot Process
The PS will boot first from the on-chip ROM (step 1). It then reads the encrypted PS boot image from the external boot
device. As the encrypted image is read, it is sent to the AES decryption and HMAC authentication engines which
reside in the PL via the PCAP (step 2). The PL configuration logic loops back the decrypted, authenticated image
immediately without internal buffering to be stored in the PS OCM (step 3). The PS reads the final authentication
status from the PL configuration logic to ensure the image was properly authenticated. If authentication fails, the PS will trigger a
system secure reset.
Once the PS image has been successfully loaded and authenticated, control is turned over to the plain text FSBL which
now resides in the OCM. Based on the user application, the FSBL could then either start processing, configure the PL
(step 4), load additional software, or wait for further instruction from an external source.
The Master Secure Boot mode uses the AES decryption and HMAC authentication engines within the PL; therefore,
the PL must be powered on during the secure boot process. The boot ROM will ensure that the PL is powered before
reading the encrypted image from the external boot device.
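
The flow above, as an added Python model that is not code from this manual or from Xilinx: it shows why the final authentication status is the only gate between the unbuffered loop-back into OCM and handoff to the FSBL. Assumptions: the function names, the 16-byte transfer size, the ciphertext-plus-tag image layout, HMAC-SHA-256, a SHA-256 keystream standing in for the AES engine, and the secure reset modelled as an OCM wipe.

```python
import hashlib
import hmac

CHUNK = 16     # bytes per modelled PCAP transfer (assumption)
TAG_LEN = 32   # HMAC-SHA-256 tag appended to the image (assumed layout)

def pl_decrypt(key: bytes, index: int, block: bytes) -> bytes:
    """Stand-in for the PL AES engine: XOR with a SHA-256 counter keystream."""
    stream = hashlib.sha256(key + index.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(block, stream))

def build_image(enc_key: bytes, mac_key: bytes, fsbl: bytes) -> bytes:
    """Construct a sample boot image: ciphertext followed by its HMAC tag."""
    blocks = [fsbl[i:i + CHUNK] for i in range(0, len(fsbl), CHUNK)]
    ct = b"".join(pl_decrypt(enc_key, n, b) for n, b in enumerate(blocks))
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def secure_boot(image, enc_key, mac_key, pl_powered=True):
    """Model one boot attempt; returns (handoff_allowed, ocm_contents)."""
    if not pl_powered:
        # The boot ROM powers the PL before reading the image.
        raise RuntimeError("PL engines unavailable: PL is not powered")
    ct, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    mac = hmac.new(mac_key, digestmod=hashlib.sha256)
    ocm = bytearray()
    for n, i in enumerate(range(0, len(ct), CHUNK)):
        block = ct[i:i + CHUNK]
        mac.update(block)                      # step 2: stream through the PL
        ocm += pl_decrypt(enc_key, n, block)   # step 3: loop back, no buffering
    # OCM now holds plaintext that has not been vouched for yet, so the
    # final status check is the only gate before control reaches the FSBL.
    if not hmac.compare_digest(mac.digest(), tag):
        ocm[:] = bytes(len(ocm))               # secure reset modelled as OCM wipe
        return False, bytes(ocm)
    return True, bytes(ocm)

# Constructed sample data, not real keys or a real FSBL.
ENC_KEY, MAC_KEY = b"E" * 32, b"M" * 32
FSBL = b"constructed FSBL payload for the model"
GOOD = build_image(ENC_KEY, MAC_KEY, FSBL)
BAD = bytes([GOOD[0] ^ 0x01]) + GOOD[1:]       # one flipped ciphertext bit

if __name__ == "__main__":
    print(secure_boot(GOOD, ENC_KEY, MAC_KEY)[0])
    print(secure_boot(BAD, ENC_KEY, MAC_KEY)[0])
```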