Searched hist:"1 d23b02e1ce5665e6552ebd9f8d67883a405cc4e" (Results 1 – 5 of 5) sorted by relevance
| /optee_os/core/include/drivers/ |
| H A D | zynqmp_csu.h | 1d23b02e1ce5665e6552ebd9f8d67883a405cc4e Fri Oct 08 07:46:13 UTC 2021 Jorge Ramirez-Ortiz <jorge@foundries.io> zynqmp: drivers: generate HUK from PUF KEK
If authenticated boot was disabled we allow generating the HUK using
the SHA-256 of the DNA unique identifier.
If authenticated boot was enabled, use the PUK KEK to generate the
HUK instead. The PUF KEK must be registered while securing the board
using the Xilinx tools. In this case, the HUK is generated by reading
the DNA eFuses. This 96 bits value is used to generate a 16 byte
digest which is then AES-GCM encrypted using the PUF KEK. The
resulting 16 byte value is the HUK. To prevent the HUK from being
leaked, the AES-GCM module must be reserved.
The HUK generation was validated on Zynqmp zu3cg using the Xilinx
Lightweight Provisioning Tool to enable authenticated boot and to
provision the PUF (burning a number of eFuses in the process).
Tested-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Tested-by: Ricardo Salveti <ricardo@foundries.io>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| /optee_os/core/drivers/ |
| H A D | zynqmp_huk.c | 1d23b02e1ce5665e6552ebd9f8d67883a405cc4e Fri Oct 08 07:46:13 UTC 2021 Jorge Ramirez-Ortiz <jorge@foundries.io> zynqmp: drivers: generate HUK from PUF KEK
If authenticated boot was disabled we allow generating the HUK using
the SHA-256 of the DNA unique identifier.
If authenticated boot was enabled, use the PUK KEK to generate the
HUK instead. The PUF KEK must be registered while securing the board
using the Xilinx tools. In this case, the HUK is generated by reading
the DNA eFuses. This 96 bits value is used to generate a 16 byte
digest which is then AES-GCM encrypted using the PUF KEK. The
resulting 16 byte value is the HUK. To prevent the HUK from being
leaked, the AES-GCM module must be reserved.
The HUK generation was validated on Zynqmp zu3cg using the Xilinx
Lightweight Provisioning Tool to enable authenticated boot and to
provision the PUF (burning a number of eFuses in the process).
Tested-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Tested-by: Ricardo Salveti <ricardo@foundries.io>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| H A D | zynqmp_csu_puf.c | 1d23b02e1ce5665e6552ebd9f8d67883a405cc4e Fri Oct 08 07:46:13 UTC 2021 Jorge Ramirez-Ortiz <jorge@foundries.io> zynqmp: drivers: generate HUK from PUF KEK
If authenticated boot was disabled we allow generating the HUK using
the SHA-256 of the DNA unique identifier.
If authenticated boot was enabled, use the PUK KEK to generate the
HUK instead. The PUF KEK must be registered while securing the board
using the Xilinx tools. In this case, the HUK is generated by reading
the DNA eFuses. This 96 bits value is used to generate a 16 byte
digest which is then AES-GCM encrypted using the PUF KEK. The
resulting 16 byte value is the HUK. To prevent the HUK from being
leaked, the AES-GCM module must be reserved.
The HUK generation was validated on Zynqmp zu3cg using the Xilinx
Lightweight Provisioning Tool to enable authenticated boot and to
provision the PUF (burning a number of eFuses in the process).
Tested-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Tested-by: Ricardo Salveti <ricardo@foundries.io>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| H A D | sub.mk | 1d23b02e1ce5665e6552ebd9f8d67883a405cc4e Fri Oct 08 07:46:13 UTC 2021 Jorge Ramirez-Ortiz <jorge@foundries.io> zynqmp: drivers: generate HUK from PUF KEK
If authenticated boot was disabled we allow generating the HUK using
the SHA-256 of the DNA unique identifier.
If authenticated boot was enabled, use the PUK KEK to generate the
HUK instead. The PUF KEK must be registered while securing the board
using the Xilinx tools. In this case, the HUK is generated by reading
the DNA eFuses. This 96 bits value is used to generate a 16 byte
digest which is then AES-GCM encrypted using the PUF KEK. The
resulting 16 byte value is the HUK. To prevent the HUK from being
leaked, the AES-GCM module must be reserved.
The HUK generation was validated on Zynqmp zu3cg using the Xilinx
Lightweight Provisioning Tool to enable authenticated boot and to
provision the PUF (burning a number of eFuses in the process).
Tested-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Tested-by: Ricardo Salveti <ricardo@foundries.io>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| /optee_os/core/arch/arm/plat-zynqmp/ |
| H A D | conf.mk | 1d23b02e1ce5665e6552ebd9f8d67883a405cc4e Fri Oct 08 07:46:13 UTC 2021 Jorge Ramirez-Ortiz <jorge@foundries.io> zynqmp: drivers: generate HUK from PUF KEK
If authenticated boot was disabled we allow generating the HUK using
the SHA-256 of the DNA unique identifier.
If authenticated boot was enabled, use the PUK KEK to generate the
HUK instead. The PUF KEK must be registered while securing the board
using the Xilinx tools. In this case, the HUK is generated by reading
the DNA eFuses. This 96 bits value is used to generate a 16 byte
digest which is then AES-GCM encrypted using the PUF KEK. The
resulting 16 byte value is the HUK. To prevent the HUK from being
leaked, the AES-GCM module must be reserved.
The HUK generation was validated on Zynqmp zu3cg using the Xilinx
Lightweight Provisioning Tool to enable authenticated boot and to
provision the PUF (burning a number of eFuses in the process).
Tested-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Tested-by: Ricardo Salveti <ricardo@foundries.io>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
|