From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
To: Nava kishore Manne <nava.kishore.manne@amd.com>,
mdf@kernel.org, hao.wu@intel.com, yilun.xu@intel.com,
trix@redhat.com, robh+dt@kernel.org,
krzysztof.kozlowski+dt@linaro.org, conor+dt@kernel.org,
michal.simek@amd.com, mathieu.poirier@linaro.org,
ben.levinsky@amd.com, sai.krishna.potthuri@amd.com,
tanmay.shah@amd.com, dhaval.r.shah@amd.com, arnd@arndb.de,
shubhrajyoti.datta@amd.com, linux-fpga@vger.kernel.org,
devicetree@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-arm-kernel@lists.infradead.org
Subject: Re: [RFC PATCH 0/3]fpga: Add encrypted Bitstream loading support
Date: Fri, 24 Nov 2023 16:49:07 +0100
Message-ID: <c2f9d247-752f-429d-8c20-e105b1117be2@linaro.org>
In-Reply-To: <20231122054404.3764288-1-nava.kishore.manne@amd.com>

On 22/11/2023 06:44, Nava kishore Manne wrote:
> For user-key encrypted bitstream loading use case, users can encrypt
> FPGA configuration Images with their own key. While decrypting the
> configuration Image the user needs to provide the same key. To support
> this use case with the existing FPGA manager framework is not possible
> because it doesn’t have a mechanism to get the required inputs from
> the user. So this patch series adds the required changes to the FPGA
> manager framework to support user-key encrypted bitstream image loading

Wasn't the entire point of encrypted FPGA bitstreams that the key is
fused into the FPGA and the FPGA does the decrypting? Otherwise it's
like security through obscurity - the only trouble for the attacker is to
decode the DTB to find the filename of the key, so actually not even really
obscure. Then the attacker retrieves the key and bitstream from the
filesystem (by taking the Zynq-based SoM out or booting from their own
system or just accessing storage pins directly) and voila: encrypted key
is available.

Best regards,
Krzysztof

Thread overview: 10+ messages
2023-11-22 5:44 [RFC PATCH 0/3]fpga: Add encrypted Bitstream loading support Nava kishore Manne
2023-11-22 5:44 ` [RFC PATCH 1/3] dt-bindings: fpga: Add support for user-key encrypted bitstream loading Nava kishore Manne
2023-11-22 16:50 ` Conor Dooley
2023-11-24 6:35 ` Manne, Nava kishore
2023-11-24 12:48 ` Conor Dooley
2023-11-24 15:46 ` Krzysztof Kozlowski
2023-12-22 15:30 ` Conor Dooley
2023-11-22 5:44 ` [RFC PATCH 2/3] drivers: fpga: Add user-key encrypted FPGA Image loading support Nava kishore Manne
2023-11-22 5:44 ` [RFC PATCH 3/3] fpga: zynqmp: Add encrypted Bitstream " Nava kishore Manne
2023-11-24 15:49 ` Krzysztof Kozlowski [this message]