News:

Attention: For security reasons,please choose a user name *different* from your login name.
Also make sure to choose a secure password and change it regularly.

Main Menu

No longer to debug when programmed RSA_EN eFuse

Started by sueaki, June 10, 2022, 02:28:21 PM

Previous topic - Next topic

sueaki

Hello everyone,

I am using TE0820 & TE0706.
By accident, I programmed RSA_EN eFuse, so I have to provide secure boot images. Here is my BIF file:
Quote
the_ROM_image:
{
  [pskfile]psk0.pem
  [sskfile].ssk0.pem
  [auth_params]spk_id = 0; ppk_select = 0
  [keysrc_encryption] efuse_blk_key
  [bh_key_iv]puf_iv.txt
  [bootloader, encryption = aes, authentication = rsa, aeskeyfile =keys.nky, destination_cpu = a53-0]fsbl_a53.elf
  [pmufw_image].pmufw.elf
  [destination_device = pl]test_board_3eg_1e_2gb.bit
  [destination_cpu = a53-0, exception_level = el-3, trustzone]bl31.elf
  [destination_cpu = a53-0, exception_level = el-2]u-boot.elf
  [destination_cpu = a53-0, load = 0x00100000]u-boot.dtb
}
I only enable RSA auth and AES encryption for fsbl, for simplicity.
I can boot linux successfully. But I can no longer debug when the board is boot. When I debug a program in Vitis, I got error:
Quote
12:35:52 INFO   : 'jtag frequency' command is executed.
12:35:52 INFO   : Sourcing of '/home/sueaki/opt/Vitis/2021.2/scripts/vitis/util/zynqmp_utils.tcl' is done.
12:35:52 INFO   : Context for 'APU' is selected.
12:35:52 INFO   : System reset is completed.
12:35:55 INFO   : 'after 3000' command is executed.
12:35:55 INFO   : 'targets -set -filter {jtag_cable_name =~ "JTAG-ONB4 2516330064E1A" && level==0 && jtag_device_ctx=="jsn-JTAG-ONB4-2516330064E1A-14710093-0"}' command is executed.
12:35:58 ERROR   : fpga initialization failed
12:35:58 ERROR   : Exception occured while running Program Device.
java.lang.RuntimeException: fpga initialization failed

After I get this error, if I turn to Vivado to program bit files, I get a critical warning:
Quote
CRITICAL WARNING: [Labtools 27-3421] xczu3_0 PL Power Status OFF, cannot connect PL TAP.  Check POR_B signal.

I know enabling secure boot especially programming eFuse could limit development, but I don't know for sure. I read this in ug1085:
Quote
When the ENC_ONLY or RSA_EN eFuse is blown, the JTAG boot mode is no longer available. If this was the only mechanism
used to program the boot flash, a secondary means should be employed. Xilinx recommends some other form of in-system
flash programming and not relying on booting the device successfully to update the flash contents.

My question is:
1. Can I still do development (need to debug all the time) on this RSA_EN eFuse programmed board?
2. If I can, how? Like maybe using another boot mode, e.g. QSPI?

Thanks in advance.

JH

Hi,

with Efuse programming there are many setting options, I am not familiar with it, so I can't help you much.  I think you has disabled JTAG, that's the reason why you did not longer see the device with vitis. I would expect QSPI boot should work, as long as you use the same binaries, which match your key.

I would suggest to wrote on the xilinx forum, that's more a general question for Xilinx. Community is much bigger there.
br
John