The following are device level decisions affecting secure boot:

- Boot mode
- AES key storage location
- AES storage state (encrypted or unencrypted)
- Encryption and authentication requirements
- Key provisioning
The boot modes which support secure boot are quad serial peripheral interface (QSPI), SD, eMMC, USB Boot, and NAND. The AES key is stored in either eFUSEs (encrypted or unencrypted), battery backed random access memory (BBRAM) (unencrypted only), or in external Non-Volatile Memory (NVM) (encrypted only).
In Zynq UltraScale+ MPSoC devices, partitions can be encrypted and/or authenticated on a partition basis. Xilinx generally recommends that all partitions be RSA authenticated. Partitions that are open source (such as U-Boot and Linux) or that do not contain any proprietary or confidential information typically do not need to be encrypted. In systems in which there are multiple sources/suppliers of sensitive data and/or proprietary IP, encrypting the partitions using unique keys can be important.
Differential power analysis (DPA) resistance requirements are dictated by whether the adversary has physical access to the device.
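The per-partition choices above are expressed in the Bootgen boot image format (BIF) file that produces BOOT.bin. The BIF below is an added example, not taken from this page or from a Xilinx reference design; the key file names, partition ELF/bit names and the 0x00000000 SPK ID are assumed placeholders. It follows the recommendation in the text: every partition is RSA authenticated, only the proprietary partitions (FSBL and the PL design) are encrypted, and each encrypted partition uses its own AES key file so that two suppliers' IP never share a key. The device AES key source is the unencrypted (red) key in eFUSEs; for encrypted-at-rest (black) key storage the `keysrc_encryption` value changes and a PUF helper data file is also required, which this example does not show.

```bif
// Constructed example BIF for a Zynq UltraScale+ MPSoC secure boot image.
// File names and the SPK ID are placeholders; replace with the project's own.
the_ROM_image:
{
    // RSA-4096 primary (PSK) and secondary (SSK) private keys. The boot ROM
    // verifies the PPK against the PPK hash programmed into eFUSEs, so these
    // files must match the provisioned hash.
    [pskfile] psk.pem
    [sskfile] ssk.pem
    [auth_params] ppk_select=0; spk_id=0x00000000

    // AES key source: red (unencrypted) key stored in eFUSEs.
    // Use efuse_blk_key (plus PUF helper data) for black key storage.
    [keysrc_encryption] efuse_red_key

    // Boot loader: authenticated and encrypted; its own AES key file.
    [bootloader, destination_cpu=a53-0, authentication=rsa, encryption=aes, aeskeyfile=fsbl.nky] zynqmp_fsbl.elf
    [pmufw_image] pmufw.elf

    // Proprietary PL design from a separate supplier: a different AES key
    // file, so compromise of one key does not expose the other partition.
    [destination_device=pl, authentication=rsa, encryption=aes, aeskeyfile=pl.nky] design.bit

    // Open-source partitions (ATF, U-Boot): authenticated only, not encrypted.
    [destination_cpu=a53-0, exception_level=el-3, trustzone, authentication=rsa] bl31.elf
    [destination_cpu=a53-0, exception_level=el-2, authentication=rsa] u-boot.elf
}
```

Build the image with `bootgen -arch zynqmp -image secure.bif -o BOOT.bin -w on`. The BIF only describes the image; the device-side half of key provisioning (programming the AES key, the PPK hash and the RSA_EN eFUSE so the boot ROM refuses unauthenticated images) is a separate step, and an image built from this BIF boots only on a device provisioned with the matching keys. A useful check before shipping is to confirm that every partition line carries `authentication=rsa`, since a single unauthenticated partition undermines the hardware root of trust.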
The following table can be a good reference when deciding on features required to meet a specific secure system requirement. The following sections discuss the features in more detail.
| System Consideration | Zynq UltraScale+ Feature |
|---|---|
| Ensure that only the user's software and hardware runs on the device | Hardware Root of Trust |
| Guarantee that the user's software and hardware are not modified | Hardware Root of Trust |
| Ensure that an adversary cannot clone or reverse engineer software/hardware | Boot Image Confidentiality |
| Protect sensitive data and proprietary Intellectual Property (IP) | Boot Image Confidentiality |
| Ensure that the private key (AES key) is protected against side channel attacks | DPA Protections |
| Private/secret keys (AES key) are stored encrypted at rest | Black Key Storage |