In the example secure boot processes described previously, the bitstream was loaded by the FSBL. The bitstream can also be loaded, authenticated, and/or decrypted by U-Boot or Linux. In this scenario, U-Boot or Linux calls the XilFPGA library, which was securely loaded as part of the PMUFW to perform the security operations. XilFPGA executes out of internal PMU RAM, performs all of the security checks, and uses the CSU accelerators to do the authentication and/or decryption.
In the hardware root of trust secure boot mode, bitstreams can be authenticated, or authenticated and decrypted with either the device key or a user provided key. In the encrypt only secure boot mode, the bitstream is decrypted using the eFUSE device key loaded by the FSBL. Bitstream authentication and decryption is supported for the FSBL, standalone XilFPGA drivers, U-Boot and Linux using either device keys or user keys for both full bitstreams and partial reconfiguration bitstreams.