User manual
Table Of Contents
- Zynq-7000 All Programmable SoC
- Table of Contents
- Ch. 1: Introduction
- Ch. 2: Signals, Interfaces, and Pins
- Ch. 3: Application Processing Unit
- Ch. 4: System Addresses
- Ch. 5: Interconnect
- Ch. 6: Boot and Configuration
- Ch. 7: Interrupts
- Ch. 8: Timers
- Ch. 9: DMA Controller
- Introduction
- Functional Description
- DMA Transfers on the AXI Interconnect
- AXI Transaction Considerations
- DMA Manager
- Multi-channel Data FIFO (MFIFO)
- Memory-to-Memory Transfers
- PL Peripheral AXI Transactions
- PL Peripheral Request Interface
- PL Peripheral - Length Managed by PL Peripheral
- PL Peripheral - Length Managed by DMAC
- Events and Interrupts
- Aborts
- Security
- IP Configuration Options
- Programming Guide for DMA Controller
- Programming Guide for DMA Engine
- Programming Restrictions
- System Functions
- I/O Interface
- Ch. 10: DDR Memory Controller
- Introduction
- AXI Memory Port Interface (DDRI)
- DDR Core and Transaction Scheduler (DDRC)
- DDRC Arbitration
- Controller PHY (DDRP)
- Initialization and Calibration
- DDR Clock Initialization
- DDR IOB Impedance Calibration
- DDR IOB Configuration
- DDR Controller Register Programming
- DRAM Reset and Initialization
- DRAM Input Impedance (ODT) Calibration
- DRAM Output Impedance (RON) Calibration
- DRAM Training
- Write Data Eye Adjustment
- Alternatives to Automatic DRAM Training
- DRAM Write Latency Restriction
- Register Overview
- Error Correction Code (ECC)
- Programming Model
- Ch. 11: Static Memory Controller
- Ch. 12: Quad-SPI Flash Controller
- Ch. 13: SD/SDIO Controller
- Ch. 14: General Purpose I/O (GPIO)
- Ch. 15: USB Host, Device, and OTG Controller
- Introduction
- Functional Description
- Programming Overview and Reference
- Device Mode Control
- Device Endpoint Data Structures
- Device Endpoint Packet Operational Model
- Device Endpoint Descriptor Reference
- Programming Guide for Device Controller
- Programming Guide for Device Endpoint Data Structures
- Host Mode Data Structures
- EHCI Implementation
- Host Data Structures Reference
- Programming Guide for Host Controller
- OTG Description and Reference
- System Functions
- I/O Interfaces
- Ch. 16: Gigabit Ethernet Controller
- Ch. 17: SPI Controller
- Ch. 18: CAN Controller
- Ch. 19: UART Controller
- Ch. 20: I2C Controller
- Ch. 21: Programmable Logic Description
- Ch. 22: Programmable Logic Design Guide
- Ch. 23: Programmable Logic Test and Debug
- Ch. 24: Power Management
- Ch. 25: Clocks
- Ch. 26: Reset System
- Ch. 27: JTAG and DAP Subsystem
- Ch. 28: System Test and Debug
- Ch. 29: On-Chip Memory (OCM)
- Ch. 30: XADC Interface
- Ch. 31: PCI Express
- Ch. 32: Device Secure Boot
- Appx. A: Additional Resources
- Appx. B: Register Details
- Overview
- Acronyms
- Module Summary
- AXI_HP Interface (AFI) (axi_hp)
- CAN Controller (can)
- DDR Memory Controller (ddrc)
- CoreSight Cross Trigger Interface (cti)
- Performance Monitor Unit (cortexa9_pmu)
- CoreSight Program Trace Macrocell (ptm)
- Debug Access Port (dap)
- CoreSight Embedded Trace Buffer (etb)
- PL Fabric Trace Monitor (ftm)
- CoreSight Trace Funnel (funnel)
- CoreSight Intstrumentation Trace Macrocell (itm)
- CoreSight Trace Packet Output (tpiu)
- Device Configuration Interface (devcfg)
- DMA Controller (dmac)
- Gigabit Ethernet Controller (GEM)
- General Purpose I/O (gpio)
- Interconnect QoS (qos301)
- NIC301 Address Region Control (nic301_addr_region_ctrl_registers)
- I2C Controller (IIC)
- L2 Cache (L2Cpl310)
- Application Processing Unit (mpcore)
- On-Chip Memory (ocm)
- Quad-SPI Flash Controller (qspi)
- SD Controller (sdio)
- System Level Control Registers (slcr)
- Static Memory Controller (pl353)
- SPI Controller (SPI)
- System Watchdog Timer (swdt)
- Triple Timer Counter (ttc)
- UART Controller (UART)
- USB Controller (usb)
Zynq-7000 AP SoC Technical Reference Manual www.xilinx.com 774
UG585 (v1.11) September 27, 2016
Chapter 32: Device Secure Boot
32.3 Secure Boot Features
32.3.1 Non-Secure Boot State
The non-secure state is entered when the BootROM detects that the FSBL is not encrypted. In this
state the AES decryption and HMAC authentication engines are disabled and locked requiring a
power-on reset (POR) to re-enable. RSA authentication is still available in non-secure boots. All
subsequent PS images, PL configuration bitstreams, and PL partial re-configuration bitstreams must
be non-encrypted.
There is no mechanism to move from the non-secure state to the secure state, aside from power-on
reset. Any attempt to load encrypted data after non-encrypted data results in a security violation and
security lockdown.
32.3.2 Secure Boot State
The Zynq AP SoC always powers up in the secure state, only switching to the non-secure state when
the BootROM detects that the FSBL is not encrypted. In the secure state the encrypted FSBL is loaded
into the PS. The first configuration bitstream loaded into the PL must also be encrypted.
Since the encrypted FSBL loaded in a secure boot is “trusted”, it is possible to load additional
non-encrypted PS images. PL partial re-configuration bitstreams can be loaded via the PCAP or ICAP
interfaces as encrypted or non-encrypted. Subsequent PS images or PL bitstreams must use the
same key source as the FSBL, key switching is not allowed. Loading of non-encrypted images or
bitstreams after a secure boot is not recommended.
32.3.3 Security Lockdown
The PS's device configuration interface contains a security policy block that is used to monitor the
system security. When conflicting status is detected either from the PS or the PL that could indicate
inconsistent system configuration or tampering, a security lockdown is triggered. In a security
lockdown the on-chip RAM is cleared along with all the system caches. The PL is reset and the PS
enters a lockdown mode that can only be cleared by issuing a power-on reset. The following
conditions cause a security lockdown:
• Non-secure boot specified in the boot image header and secure boot only eFuse is set
• Enabling the JTAG chain or the ARM DAP with the JTAG chain disable eFuse set
• SEU error tracking has been enabled in the PS and the PL reports an SEU error
• A discrepancy in the redundant AES enable logic
• Software sets the FORCE_RST bit of the Device Configuration Control register