User manual
Table Of Contents
- Zynq-7000 All Programmable SoC
- Table of Contents
- Ch. 1: Introduction
- Ch. 2: Signals, Interfaces, and Pins
- Ch. 3: Application Processing Unit
- Ch. 4: System Addresses
- Ch. 5: Interconnect
- Ch. 6: Boot and Configuration
- Ch. 7: Interrupts
- Ch. 8: Timers
- Ch. 9: DMA Controller
- Introduction
- Functional Description
- DMA Transfers on the AXI Interconnect
- AXI Transaction Considerations
- DMA Manager
- Multi-channel Data FIFO (MFIFO)
- Memory-to-Memory Transfers
- PL Peripheral AXI Transactions
- PL Peripheral Request Interface
- PL Peripheral - Length Managed by PL Peripheral
- PL Peripheral - Length Managed by DMAC
- Events and Interrupts
- Aborts
- Security
- IP Configuration Options
- Programming Guide for DMA Controller
- Programming Guide for DMA Engine
- Programming Restrictions
- System Functions
- I/O Interface
- Ch. 10: DDR Memory Controller
- Introduction
- AXI Memory Port Interface (DDRI)
- DDR Core and Transaction Scheduler (DDRC)
- DDRC Arbitration
- Controller PHY (DDRP)
- Initialization and Calibration
- DDR Clock Initialization
- DDR IOB Impedance Calibration
- DDR IOB Configuration
- DDR Controller Register Programming
- DRAM Reset and Initialization
- DRAM Input Impedance (ODT) Calibration
- DRAM Output Impedance (RON) Calibration
- DRAM Training
- Write Data Eye Adjustment
- Alternatives to Automatic DRAM Training
- DRAM Write Latency Restriction
- Register Overview
- Error Correction Code (ECC)
- Programming Model
- Ch. 11: Static Memory Controller
- Ch. 12: Quad-SPI Flash Controller
- Ch. 13: SD/SDIO Controller
- Ch. 14: General Purpose I/O (GPIO)
- Ch. 15: USB Host, Device, and OTG Controller
- Introduction
- Functional Description
- Programming Overview and Reference
- Device Mode Control
- Device Endpoint Data Structures
- Device Endpoint Packet Operational Model
- Device Endpoint Descriptor Reference
- Programming Guide for Device Controller
- Programming Guide for Device Endpoint Data Structures
- Host Mode Data Structures
- EHCI Implementation
- Host Data Structures Reference
- Programming Guide for Host Controller
- OTG Description and Reference
- System Functions
- I/O Interfaces
- Ch. 16: Gigabit Ethernet Controller
- Ch. 17: SPI Controller
- Ch. 18: CAN Controller
- Ch. 19: UART Controller
- Ch. 20: I2C Controller
- Ch. 21: Programmable Logic Description
- Ch. 22: Programmable Logic Design Guide
- Ch. 23: Programmable Logic Test and Debug
- Ch. 24: Power Management
- Ch. 25: Clocks
- Ch. 26: Reset System
- Ch. 27: JTAG and DAP Subsystem
- Ch. 28: System Test and Debug
- Ch. 29: On-Chip Memory (OCM)
- Ch. 30: XADC Interface
- Ch. 31: PCI Express
- Ch. 32: Device Secure Boot
- Appx. A: Additional Resources
- Appx. B: Register Details
- Overview
- Acronyms
- Module Summary
- AXI_HP Interface (AFI) (axi_hp)
- CAN Controller (can)
- DDR Memory Controller (ddrc)
- CoreSight Cross Trigger Interface (cti)
- Performance Monitor Unit (cortexa9_pmu)
- CoreSight Program Trace Macrocell (ptm)
- Debug Access Port (dap)
- CoreSight Embedded Trace Buffer (etb)
- PL Fabric Trace Monitor (ftm)
- CoreSight Trace Funnel (funnel)
- CoreSight Intstrumentation Trace Macrocell (itm)
- CoreSight Trace Packet Output (tpiu)
- Device Configuration Interface (devcfg)
- DMA Controller (dmac)
- Gigabit Ethernet Controller (GEM)
- General Purpose I/O (gpio)
- Interconnect QoS (qos301)
- NIC301 Address Region Control (nic301_addr_region_ctrl_registers)
- I2C Controller (IIC)
- L2 Cache (L2Cpl310)
- Application Processing Unit (mpcore)
- On-Chip Memory (ocm)
- Quad-SPI Flash Controller (qspi)
- SD Controller (sdio)
- System Level Control Registers (slcr)
- Static Memory Controller (pl353)
- SPI Controller (SPI)
- System Watchdog Timer (swdt)
- Triple Timer Counter (ttc)
- UART Controller (UART)
- USB Controller (usb)
Zynq-7000 AP SoC Technical Reference Manual www.xilinx.com 775
UG585 (v1.11) September 27, 2016
Chapter 32: Device Secure Boot
32.3.4 Boot Partition Search
The BootROM supports the capability to fall-back and reload a different FSBL if there is a problem
with the initial FSBL. In a secure boot, this feature is only supported if the RSA authentication fails,
regardless of the encryption status of the FSBL. The new FSBL being loaded must also be signed. If
the decryption or HMAC authentication of the FSBL fails, then the device enters secure lockdown.
See section 6.3.10 BootROM Header Search for more information.
32.3.5 JTAG and Debug Considerations
Whenever the BootROM is running, the PS DAP and the PL TAP controllers are disabled, eliminating
any JTAG access to the AP SoC device.
In non-secure boot modes JTAG access is restored once the BootROM has completed execution.
In secure boot modes JTAG access can be restored by the FSBL or subsequent PS images as these
applications are considered trusted. Access to the DAP enable registers can be locked out using the
Device Configuration Interface LOCK register.
The PS DAP and PL TAP controllers can be permanently disabled using the JTAG CHAIN DISABLE
eFuse. The JTAG access to the PL can also be disabled by setting the DISABLE_JTAG configuration
option when creating the PL bitstream. (see UG628
, Command Line Tools User Guide for more
information.
32.3.6 Readback
Whenever an encrypted bitstream is loaded into the PL, readback of the internal configuration
memory cannot be performed by any of the external interfaces, including JTAG. The only readback
access to the configuration memory after an encrypted bitstream load is via PCAP or ICAP. The PCAP
and ICAP interfaces are trusted channels since access to these interfaces are from an authenticated
PS image or an authenticated PL bitstream.
32.3.7 Secure Boot Modes of Operation
Zynq RSA authentication and AES encryption features can be used in a number of combinations to
deliver a flexible secure boot solution. Table 32-4 through Table 32-6 show the possible
authentication and encryption options available for a Zynq secure boot. The following two points
must be taken into consideration when using secure boot:
1. The FSBL must be encrypted if any other PS images or PL bitstreams are required to be
encrypted.
2. The BootROM only provides authentication for the FSBL. If any other PS images or PL bitstreams
require authentication, the RSA algorithm must be provided as user software.