Systems without external DRAM

Zynq UltraScale+ Device Technical Reference Manual (UG1085)

Document ID
UG1085
Release Date
2022-09-15
Revision
2.3 English

Secure boot in systems without external DRAM is supported when the FSBL is used to load the bitstream and non-bitstream partitions.

   Non-bitstream partitions can only be loaded by the FSBL. The FSBL will copy the partition data from external non-volatile memory to the internal memory location and then authenticate and/or decrypt in place. XilSecure does not support loading a non-bitstream directly from external non-volatile memory.

   Bitstream partitions can only be loaded by the FSBL. The FSBL utilizes the Secure OCM method to load the bitstream. XilFPGA does not support loading a bitstream directly from external non-volatile memory.

Secure boot in systems with external DRAM can be achieved differently based on specific requirements and whether the external DRAM is considered secure.

Note:   2019.1 development tools, or subsequent releases, are used.

   Non-bitstream partitions are decrypted by the FSBL or XilSecure. In both cases, the external DRAM, which is the final destination, is considered secure.

°The FSBL will copy the partition data from external non-volatile memory to the specified DRAM address and then decrypt in place.

°XilSecure, when called, will decrypt at the destination DRAM address. The partition must be loaded into external DRAM before calling XilSecure.

   Bitstream partitions can be loaded in multiple ways in systems with external DRAM.

°The bitstream partition could be decrypted in external DRAM by XilSecure and then loaded, in plain-text form, using XilFPGA. In this scenario, the external DRAM is assumed secure.

°   XilFPGA can be called to read the bitstream partition into the device where it is decrypted by the AES engine and then loaded into the programmable logic. The partition must be loaded into external DRAM before calling XilFPGA. Since the decryption is performed internal to the device, this method does not require the DRAM to be secure.

Secure boot in systems without external DRAM is supported when FSBL is used to load the bitstream and non-bitstream partitions.

   Non-bitstream partitions (e.g. application software) can only be loaded by the FSBL.   The FSBL will copy the partition data from external non-volatile memory to the internal memory location and then decrypt in place. XilSecure does not support loading a non-bitstream directly from external non-volatile memory.

   Bitstream partitions can only be loaded by the FSBL. The FSBL will read the partition data from external non-volatile memory and then send it for decryption and load into the configuration memory. XilFPGA does not support loading a bitstream directly from external non-volatile memory.