zynqmp_huk.c - OpenGrok history log for /optee_os/core/drivers/zynqmp

Revision	Date	Author	Comments
# dfeed924	07-May-2022	Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>	drivers: zynqmp_huk: Add AES eFuse and HUK seed support When AES eFuse is used to encrypt boot loaders and bitstreams then PUF functionality is not available for use. When AES eFuse based encryption drivers: zynqmp_huk: Add AES eFuse and HUK seed support When AES eFuse is used to encrypt boot loaders and bitstreams then PUF functionality is not available for use. When AES eFuse based encryption is in use AES eFuse key becomes device key instead of PUF generated key. In order to re-plenish additional device specific entropy that PUF would provide utilize selected set of User programmable eFuses. Selected user eFuses should be programmed during device manufacturing with cryptographically good random numbers. Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com> Acked-by: Etienne Carriere <etienne.carriere@linaro.org> show more ...
# 1d23b02e	08-Oct-2021	Jorge Ramirez-Ortiz <jorge@foundries.io>	zynqmp: drivers: generate HUK from PUF KEK If authenticated boot was disabled we allow generating the HUK using the SHA-256 of the DNA unique identifier. If authenticated boot was enabled, use the zynqmp: drivers: generate HUK from PUF KEK If authenticated boot was disabled we allow generating the HUK using the SHA-256 of the DNA unique identifier. If authenticated boot was enabled, use the PUK KEK to generate the HUK instead. The PUF KEK must be registered while securing the board using the Xilinx tools. In this case, the HUK is generated by reading the DNA eFuses. This 96 bits value is used to generate a 16 byte digest which is then AES-GCM encrypted using the PUF KEK. The resulting 16 byte value is the HUK. To prevent the HUK from being leaked, the AES-GCM module must be reserved. The HUK generation was validated on Zynqmp zu3cg using the Xilinx Lightweight Provisioning Tool to enable authenticated boot and to provision the PUF (burning a number of eFuses in the process). Tested-by: Jorge Ramirez-Ortiz <jorge@foundries.io> Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io> Tested-by: Ricardo Salveti <ricardo@foundries.io> Acked-by: Etienne Carriere <etienne.carriere@linaro.org> show more ...

Revision

Date

Author

Comments

# dfeed924

07-May-2022

Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

drivers: zynqmp_huk: Add AES eFuse and HUK seed support

When AES eFuse is used to encrypt boot loaders and bitstreams then PUF
functionality is not available for use. When AES eFuse based encryption

drivers: zynqmp_huk: Add AES eFuse and HUK seed support

When AES eFuse is used to encrypt boot loaders and bitstreams then PUF
functionality is not available for use. When AES eFuse based encryption is
in use AES eFuse key becomes device key instead of PUF generated key.

In order to re-plenish additional device specific entropy that PUF would
provide utilize selected set of User programmable eFuses.

Selected user eFuses should be programmed during device manufacturing with
cryptographically good random numbers.

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

# 1d23b02e

08-Oct-2021

Jorge Ramirez-Ortiz <jorge@foundries.io>

zynqmp: drivers: generate HUK from PUF KEK

If authenticated boot was disabled we allow generating the HUK using
the SHA-256 of the DNA unique identifier.

If authenticated boot was enabled, use the

zynqmp: drivers: generate HUK from PUF KEK

If authenticated boot was disabled we allow generating the HUK using
the SHA-256 of the DNA unique identifier.

If authenticated boot was enabled, use the PUK KEK to generate the
HUK instead. The PUF KEK must be registered while securing the board
using the Xilinx tools. In this case, the HUK is generated by reading
the DNA eFuses. This 96 bits value is used to generate a 16 byte
digest which is then AES-GCM encrypted using the PUF KEK. The
resulting 16 byte value is the HUK. To prevent the HUK from being
leaked, the AES-GCM module must be reserved.

The HUK generation was validated on Zynqmp zu3cg using the Xilinx
Lightweight Provisioning Tool to enable authenticated boot and to
provision the PUF (burning a number of eFuses in the process).

Tested-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Tested-by: Ricardo Salveti <ricardo@foundries.io>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>