
Network Security in Measured Boot

XAPP1309 (v1.0) March 7, 2017


www.xilinx.com


Software updates and remote attestation require a secure connection between a server and the embedded system clients. The network has a large attack surface because it can be attacked by any adversary with access to the Internet. For firmware updates, a server-to-client(s) connection is used. In some factory automation environments, client-to-client communication is also needed to coordinate operational procedures.

Figure 10 shows a high-level view of strongSwan’s implementation of TCG’s trusted network connect (TNC). In the TNC architecture, the server connects to clients in the integrity evaluation layer. The client does integrity measurement collection (IMC), and the server does integrity measurement verification (IMV). The software on the client is the platform trusted service (PTS), trust software stack (Trousers), and the TPM tools.

PTS uses the Trousers library to access the TPM and IMA measurements. The reports use standard PTS formats for interoperability between applications and vendors.

The policy decision point (PDP) defines the action taken by the server after measurement verification. A typical policy/action is to limit network access until remediation is done. A different policy is used when availability is a critical driver, and some out-of-range measurement verifications are not treated as critical. The TPM Main Specification [Ref 4] provides an overview of the TNC architecture.
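The two policies described above can be sketched as follows. This is an added example, not code from the application note or from strongSwan. The component names, the reference table and the `availability_first` switch are assumptions, and the measurement report is assumed to have already been authenticated (for example by a TPM-signed quote) before it reaches this step.

```python
import hashlib
import hmac
from enum import Enum

class Recommendation(Enum):
    ALLOW = "allow"
    ISOLATE = "isolate"  # limited network access until remediation is done

def sha1(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

# Constructed reference measurements held by the server (IMV side):
# component -> (expected SHA-1 digest, is a mismatch critical?)
REFERENCE = {
    "fsbl":       (sha1(b"fsbl v1"), True),
    "u-boot":     (sha1(b"u-boot v1"), True),
    "kernel":     (sha1(b"kernel v1"), True),
    "app-config": (sha1(b"cfg v1"), False),
}

def verify(report: dict, reference: dict) -> list:
    """IMV step: list (component, critical) for every failed verification."""
    failures = []
    for name, (expected, critical) in reference.items():
        measured = report.get(name)
        # A missing measurement fails the same way as a wrong one.
        if measured is None or not hmac.compare_digest(measured, expected):
            failures.append((name, critical))
    # Components the server has no reference value for are treated as critical.
    for name in report.keys() - reference.keys():
        failures.append((name, True))
    return sorted(failures)

def decide(failures: list, availability_first: bool = False) -> Recommendation:
    """PDP step: map verification failures to an action."""
    if not failures:
        return Recommendation.ALLOW
    # Availability-driven policy: tolerate failures marked non-critical.
    if availability_first and not any(critical for _, critical in failures):
        return Recommendation.ALLOW
    # Typical policy: any failure limits network access.
    return Recommendation.ISOLATE
```
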

The underlying security for TNC in the reference design uses IPsec. This includes conventional technology such as Internet key exchange (IKEv2), public key infrastructure (PKI), and the transport layer security (TLS) handshake in which the encryption and authentication algorithms are negotiated and pre-shared keys are exchanged. A virtual private network is set up in the strongSwan architecture. A privacy CA generates the X.509 certificates. The strongSwan Readme.txt provides information on the IPsec flow.

Figure 10: Trusted Network Connect for Remote Attestation (block diagram. Server: Policy Decision/Enforcer, Integrity Measurement Verifier, TNC Server. Client: TNC Client, Integrity Measurement Collector, Platform Trust Service, Trousers, TPM Tools. Server and client are connected over IPsec.)
