
Introduction

XAPP1309 (v1.0) March 7, 2017


www.xilinx.com

Remote attestation capability has been in Linux since kernel 2.6.30 and is generally known as the integrity measurement architecture (IMA). The Linux extended verification module (EVM) is used in conjunction with IMA. The term measured boot is used because the client returns a value, typically a secure hash algorithm-1 (SHA-1) digest, of each of the partitions loaded. In remote attestation, the server compares the measurement logs with known good measurements.

The attestation server knows the characteristics (measurements) of the partitions loaded on the embedded systems, including partition size and digests. At load, the embedded systems send log files containing partition measurements to the server. The server verifies the measurements, and if a client loads software that differs from what is expected, the server executes a policy set up by the server administrator. A policy is a set of actions taken by the server based on measurement results. Policies in the reference design include Allowed, Quarantined, Blocked, and Isolated.

An example of a policy is to keep the embedded system off the network, update the software, re-run remote attestation, and allow the client to connect to the network if the software can be trusted. Isolating a corrupted embedded system from the network limits its ability to corrupt other embedded systems. This is a typical policy of a remote attestation server, not the only one, because the policy is generally defined by the application.
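To make the client/server split concrete, the following Python example is added here; it is not code from the application note or from the reference design. It models the TPM 1.2 SHA-1 PCR extend operation, the measurement log the client sends, the server's replay of that log against the quoted PCR values, and a policy decision point that returns one of the four policy names. The partition images, the PCR index assigned to each partition, and the mapping of findings to Allowed, Quarantined, Blocked and Isolated are this example's assumptions (the note does not define that mapping), and the TPM's signature over the quoted PCR values is assumed to have been verified already.

```python
import hashlib
from typing import Dict, List, Tuple

# TPM 1.2 PCRs are 20-byte SHA-1 registers that start at all zeros.
PCR_INIT = b"\x00" * 20

# Constructed sample partitions (pcr_index, name, image bytes); stand-ins for
# the FSBL, bitstream and Linux images. PCR assignment is this example's choice.
GOOD_PARTITIONS = [
    (0, "fsbl", b"constructed FSBL image"),
    (0, "bitstream", b"constructed PL bitstream"),
    (1, "u-boot", b"constructed U-Boot image"),
    (1, "kernel", b"constructed Linux kernel"),
]

LogEntry = Tuple[int, str, int, str]  # (pcr index, partition, size, SHA-1 hex)


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 1.2 extend: PCR_new = SHA-1(PCR_old || digest). Order-dependent, one-way."""
    return sha1(pcr + digest)


def measure_partitions(partitions) -> Tuple[List[LogEntry], Dict[int, bytes]]:
    """Client side: hash each partition, append a log entry, extend its PCR.
    Returns the log and the PCR values the TPM would quote."""
    pcrs: Dict[int, bytes] = {}
    log: List[LogEntry] = []
    for idx, name, image in partitions:
        digest = sha1(image)
        pcrs[idx] = pcr_extend(pcrs.get(idx, PCR_INIT), digest)
        log.append((idx, name, len(image), digest.hex()))
    return log, pcrs


def replay_log(log: List[LogEntry]) -> Dict[int, bytes]:
    """Server side: recompute the PCRs from the log alone, to compare with the quote."""
    pcrs: Dict[int, bytes] = {}
    for idx, _name, _size, digest_hex in log:
        pcrs[idx] = pcr_extend(pcrs.get(idx, PCR_INIT), bytes.fromhex(digest_hex))
    return pcrs


def reference_measurements(partitions) -> Dict[str, Tuple[int, str]]:
    """Known-good (size, digest) per partition, as the attestation server stores them."""
    return {name: (len(image), sha1(image).hex()) for _idx, name, image in partitions}


def decide_policy(log, quoted_pcrs, reference) -> Tuple[str, List[str]]:
    """Policy decision point. Mapping of findings to policy names is an assumption."""
    # A log that does not reproduce the quoted PCRs is not trustworthy evidence at all.
    if replay_log(log) != quoted_pcrs:
        return "Blocked", ["measurement log does not replay to the quoted PCR values"]
    mismatched, unknown, seen = [], [], set()
    for _idx, name, size, digest_hex in log:
        seen.add(name)
        if name not in reference:
            unknown.append(f"{name}: no reference measurement")
        elif reference[name] != (size, digest_hex):
            mismatched.append(f"{name}: size or digest differs from reference")
    missing = [f"{n}: expected partition not measured" for n in reference if n not in seen]
    if unknown:
        return "Isolated", unknown + mismatched + missing  # software the server cannot vouch for
    if mismatched or missing:
        return "Quarantined", mismatched + missing        # off network, update, re-attest
    return "Allowed", []


def demo() -> Dict[str, str]:
    """Four constructed scenarios; returns policy name per scenario."""
    reference = reference_measurements(GOOD_PARTITIONS)
    results = {}
    # 1. Untampered client.
    log, pcrs = measure_partitions(GOOD_PARTITIONS)
    results["clean"] = decide_policy(log, pcrs, reference)[0]
    # 2. Modified kernel; the log is honest, the digest simply differs.
    bad = GOOD_PARTITIONS[:3] + [(1, "kernel", b"constructed trojaned kernel")]
    log, pcrs = measure_partitions(bad)
    results["tampered_kernel"] = decide_policy(log, pcrs, reference)[0]
    # 3. Same modified kernel, but the log is edited to show the good digest;
    #    the TPM-held PCR still reflects what was really loaded.
    honest_log, _ = measure_partitions(GOOD_PARTITIONS)
    results["forged_log"] = decide_policy(honest_log, pcrs, reference)[0]
    # 4. An extra partition the server has never seen.
    extra = GOOD_PARTITIONS + [(1, "rootfs-overlay", b"constructed unknown module")]
    log, pcrs = measure_partitions(extra)
    results["unknown_partition"] = decide_policy(log, pcrs, reference)[0]
    return results


if __name__ == "__main__":
    for case, policy in demo().items():
        print(f"{case:20s} -> {policy}")
```

The forged-log case is the one worth noting: an attacker who controls Linux can rewrite the log file that is sent to the server, but cannot rewrite the PCR the TPM extended during boot, so a log that does not replay to the quoted value is rejected before any per-partition comparison is made.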

Measured boot is done in addition to, not in place of, secure boot. Measured boot does not prevent malicious software from being loaded; it records what was loaded so that the server can detect it. The TPM enhances the hardware root of trust (HROT) and increases the security of the software load/update process. The TPM is placed on the same board as the Zynq-7000 AP SoC, and a device ID is associated with the Zynq-7000 AP SoC-TPM platform. The TPM provides the cryptographic functions used in measured boot. The HROT is enhanced with the TPM because an adversary has to defeat both the Zynq-7000 AP SoC and the tamper-resistant TPM for a successful attack.

Figure 1: Measured Boot of Zynq-7000 AP SoC Embedded Systems (X-Ref Target - Figure 1; X18727-021417). The figure shows Client 1, Client 2, ..., Client N, each an Avnet IIOT Kit with a Zynq-7000 AP SoC and an Infineon 9670 TPM, running Wind River Pulsar Linux with the Integrity Measurement Architecture and the strongSwan TNC IMC/IMV, connected through IPsec network security to the server that performs remote attestation.
