

Achilles Heel in Secure Boot: Breaking RSA Authentication and decrypted bitstream recovery from Zynq-7000 SoC

Prasanna Ravi, Arpan Jati, Shivam Bhasin

Temasek Labs, NTU Singapore, 14th March 2024



#### Introduction

- The Zynq-7000 is a widely deployed series of FPGA+SoC devices from Xilinx/AMD.
  - Used in defense, aerospace and medical applications.
- We have identified a critical security vulnerability in the RSA authentication process of Secure Boot on the Zynq-7000 SoC.
- The flaw is present in the FSBL (First Stage Boot Loader) and can be exploited by constructing a malicious boot image to boot unauthorized applications.
- Once we get root access, we demonstrate a novel attack to recover the encrypted bitstream and applications.
  - We also extend our analysis to the critical BootROM.





## Outline

- Introduction
- RSA Authentication Attack on Zynq-7000
  - Background: Attack Model, Secure Boot and RSA Authentication
  - Vulnerability in FSBL
  - Attack Implementation: Using SD Card Switcher Board
- Starbleed on Zynq
  - Introduction and Working
  - Experimental Results
- Analyzing SD Card Data Transfer
- BootROM
  - Possible BootROM Vulnerabilities
  - PHT Transfer Analysis
  - BootROM Data Transfer Analysis
- Conclusion and Future Works

#### Attack Model

- The attacker has access to the target Zynq-7000 device.
- He/she can obtain the valid secure boot image used on the target device.
- RSA authentication is mandatory for secure boot (the RSA Enable eFUSE is burnt).







#### Typical Boot Image Structure

- The Secure Boot Image is typically stored in a non-volatile memory such as an SD card, NOR or NAND flash.
- It has information about:
  - The different HW and SW components to be loaded on the Zynq device.
  - Where and how each and every partition has to be loaded during the secure boot procedure.
- It contains multiple partitions:
  - BootROM header (BIH)
  - Partition Header Table (PHT)
  - First Stage Boot Loader (FSBL)
  - PL partition/s (bitstream)
  - PS partition/s (Standalone Application or Operating System)
- Each partition can be AES encrypted, HMAC authenticated and RSA authenticated.

| Boot Image (Authenticated)              | Role                              |
|-----------------------------------------|-----------------------------------|
| Boot Image Header (Unencrypted)         | Metadata (Non-Executable)         |
| Partition Header Table (Unencrypted)    | Metadata (Non-Executable)         |
| Header Table Certificate                | Metadata (Non-Executable)         |
| First Stage Boot Loader (Encrypted)     | Executable Partitions (PS or PL)  |
| FSBL Certificate                        | Executable Partitions (PS or PL)  |
| PL Partition (Encrypted/Unencrypted)    | Executable Partitions (PS or PL)  |
| PL Certificate                          | Executable Partitions (PS or PL)  |
| PS Partition (Encrypted/Unencrypted)    | Executable Partitions (PS or PL)  |
| PS Certificate                          | Executable Partitions (PS or PL)  |

## RSA Authentication in Zynq-7000 SoC

- Based on the well-known RSA-2048 signature scheme.
- Authentication of each partition is done using two types of keys:
  - Primary Key: Primary Public Key (PPK), Primary Secret Key (PSK)
  - Secondary Keys: Secondary Public Key (SPK), Secondary Secret Key (SSK)
- The Primary Key (PPK, PSK) is fixed for a given device; the hash of the PPK is burnt into the RSA eFUSE (One-Time Programmable).
- The Secondary Key (SPK, SSK) is specific to each partition and can be different for each.
- **Two-Step Authentication** (for each partition):
  - The Primary Keys authenticate the Secondary Keys.
  - The Secondary Keys authenticate the Partition.

## Boot Image Header (BIH): Intro

- Contains metadata about the boot image:
  - Encryption status of the boot image
  - Size of the boot image
  - Location of the FSBL
  - Load address of the FSBL
- Upon reset, the **BootROM** is the first piece of code executed.

#### BootROM Execution:

- A CRC check of the BootROM is carried out.
- The BIH is read from the SD card.
- The FSBL is read from the SD card (along with its certificate).
- It is authenticated and decrypted based on the eFUSE settings.
- If successful, control is transferred to the FSBL.

| Boot Image (Authenticated)              |                 |
|-----------------------------------------|-----------------|
| Boot Image Header (Unencrypted)         | Read by BootROM |
| Partition Header Table (Unencrypted)    |                 |
| Header Table Certificate                |                 |
| First Stage Boot Loader (Encrypted)     |                 |
| FSBL Certificate                        |                 |
| PL Partition (Encrypted/Unencrypted)    |                 |
| PL Certificate                          |                 |
| PS Partition (Encrypted/Unencrypted)    |                 |
| PS Certificate                          |                 |

## Partition Header Table (PHT): Intro

- Provides metadata about each partition in the boot image.
- Each partition has a 64-byte entry in the PHT, read by the FSBL.
- Each entry contains information about the partition such as:
  - Partition encryption status (AES encrypted or not)
  - Partition authentication status (RSA authenticated or not)
  - Partition length, etc.
- The PHT also has a certificate, which is verified by the First Stage Boot Loader (FSBL).
- The PHT is central to the secure boot process.
- If we tamper with the PHT, we can load any application of our choice!!!

| Boot Image (Authenticated)              |              |
|-----------------------------------------|--------------|
| Boot Image Header (Unencrypted)         |              |
| Partition Header Table (Unencrypted)    | Read by FSBL |
| Header Table Certificate                |              |
| First Stage Boot Loader (Encrypted)     |              |
| FSBL Certificate                        |              |
| PL Partition (Encrypted/Unencrypted)    |              |
| PL Certificate                          |              |
| PS Partition (Encrypted/Unencrypted)    |              |
| PS Certificate                          |              |







- The FSBL gathers information about the individual partitions from the Partition Header Table.
- All partitions are loaded from the NVM into a temporary location in DDR memory.
- They are then decrypted and authenticated as appropriate before being used for configuration (configure the PL using the PL bitstream and transfer control to the last PS partition).

Step 3: Decrypt and authenticate bitstream (if required)

#### Step 6: Hand over control to PS application



## Vulnerability in FSBL

#### PHT Transfer between FSBL and NVM (SD Card)

1. The FSBL queries the NVM for the PHT.
2. The FSBL receives PHT1 from the NVM and saves PHT1 in GVAR (a global variable).
3. The FSBL checks whether RSA is enabled. If yes, it queries the NVM for the PHT together with its AC (authentication certificate).
4. The FSBL receives PHT2 and the AC from the NVM.
5. The FSBL validates the AC and PHT2.
6. If successful, the FSBL uses PHT1 in GVAR for secure boot.





## Vulnerability: Redundant PHT Transfer

- Key observation: the FSBL authenticates PHT2, but uses PHT1 for secure boot.
- **Flaw**: the FSBL uses the unauthenticated **PHT1** for secure boot.
- Attack idea:
  - Present a tampered PHT1 to the device.
  - Present the valid PHT2 to the device: PHT2 will be authenticated successfully by the device.
  - Flaw: the tampered PHT1 will be used for secure boot.
  - The attack application is mounted successfully on the target!!

## RSA Attack using SD Card Multiplexer

- **Requirement**: manipulate the data coming from the SD card (PHT1 ≠ PHT2).
- Idea: a multiplexer to switch between two SD cards (SD Card 1 and SD Card 2).
- Attack steps:
  - SD Card 1 sends the tampered PHT1.
  - Switch!!!
  - SD Card 2 sends the valid PHT2.
  - The device boots based on the tampered PHT1.
  - The attack application is loaded from SD Card 2.
- **Caveat**: the switch must happen without the target Zynq device noticing.
- **Solution**: we designed an SD card switcher board.

## Attack Implementation: Using SD Card Switcher Board

#### SD Card Switcher Board:

Figure: the SD card switcher board, with SD Card 1, SD Card 2 and a manual switch for the SD card swap.

#### Attack Setup:

Figures: attack setup, attack (expected), attack (observed).

# The Attack, Practicality and CVE

- The attack requires a very minor modification in the FSBL: to initialize SD Card 2.
  - Very close to practical, but not yet fully practical.
  - The modification in the FSBL is not related to the identified vulnerability!!!
- However, our attack concretely demonstrates the presence of the flaw in the FSBL.
  - Xilinx confirmed it is a serious issue and patched the vulnerability.
  - They also published CVE-2022-23822 (dated April 27, 2024).
- For a real-world practical attack, we need to design specialized hardware (using an ASIC/FPGA).



# Software Patch by Xilinx

Patched file: https://github.com/Xilinx/embeddedsw/blob/master/lib/sw_apps/zynq_fsbl/src/image_mover.c

Change log entry in the header comment of `image_mover.c`:

```
 * 11.00a ka 10/12/18 Fix for CR#1006294 Zynq FSBL - Zynq FSBL does not check
 *                    USE_AES_ONLY eFuse
 * 12.0   vns 03/18/22 Fixed CR#1125470 to authenticate the parition header buffer
 *                    which is being used instead of one from DDR.
 *                    Deleted GetImageHeaderAndSignature() and added
 *                    GetNAuthImageHeader()
```

#### Patch Note:

This patch fixes the security vulnerability of partition header (PH) authentication. In the existing code the actual buffer used and the buffer authenticated are different; this patch fixes the issue by considering the actually used buffer of the partition header while calculating the SHA2 digest.

March 25, 2022
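The flaw described in the "Redundant PHT Transfer" slides and the fix described in the patch note, reduced to a runnable model. This is added example code, not the Xilinx FSBL source and not the authors' attack code: a simulated NVM that can answer the two PHT reads differently stands in for the SD card switcher, and a 32-bit FNV-1a digest stands in for the RSA-signed hash in the authentication certificate (AC). `fsbl_load_pht_vulnerable` authenticates the second copy but boots from the first (GVAR), as the pre-patch FSBL did; `fsbl_load_pht_patched` authenticates the buffer it then uses. All function names, the 64-byte PHT contents and the return codes are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Xilinx FSBL code: a model of the PHT transfer flow
 * between FSBL and NVM. A simulated NVM answers successive reads from a
 * fixed list, so PHT1 and PHT2 can differ (the SD card switcher). The AC is
 * modelled by a 32-bit FNV-1a digest of the PHT; the real AC carries an RSA
 * signature over a SHA-2 digest, but the control-flow lesson is the same. */

#define PHT_LEN 64u

typedef struct {
    uint8_t  pht[PHT_LEN];   /* partition header table bytes */
    uint32_t ac;             /* stand-in authentication certificate */
} nvm_response_t;

typedef struct {
    const nvm_response_t *resp;  /* responses served in order */
    int count;
    int next;
} nvm_t;

/* Each read of the PHT returns the next queued response, or -1 if none. */
static int nvm_read_pht(nvm_t *nvm, nvm_response_t *out) {
    if (nvm->next >= nvm->count) return -1;
    *out = nvm->resp[nvm->next++];
    return 0;
}

/* Stand-in for the signed hash in the AC: FNV-1a over the PHT bytes. */
static uint32_t pht_digest(const uint8_t *pht) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < PHT_LEN; i++) { h ^= pht[i]; h *= 16777619u; }
    return h;
}

static int ac_valid(const uint8_t *pht, uint32_t ac) {
    return pht_digest(pht) == ac;
}

/* Global PHT copy, modelled on the GVAR in the slides. */
static uint8_t gvar_pht[PHT_LEN];

/* Pre-patch flow: read PHT1 into GVAR, read PHT2 with its AC, validate PHT2,
 * then hand PHT1 to secure boot. Returns 0 on success and copies the PHT
 * that would drive secure boot into used_out. */
int fsbl_load_pht_vulnerable(nvm_t *nvm, uint8_t used_out[PHT_LEN]) {
    nvm_response_t r1, r2;
    if (nvm_read_pht(nvm, &r1) != 0) return -1;   /* receive PHT1 */
    memcpy(gvar_pht, r1.pht, PHT_LEN);            /* save PHT1 in GVAR */
    if (nvm_read_pht(nvm, &r2) != 0) return -1;   /* receive PHT2 and AC */
    if (!ac_valid(r2.pht, r2.ac)) return -2;      /* validate AC against PHT2 */
    memcpy(used_out, gvar_pht, PHT_LEN);          /* flaw: PHT1 is what gets used */
    return 0;
}

/* Patched flow: the buffer that is authenticated is the buffer that is used. */
int fsbl_load_pht_patched(nvm_t *nvm, uint8_t used_out[PHT_LEN]) {
    nvm_response_t r;
    if (nvm_read_pht(nvm, &r) != 0) return -1;    /* single read: PHT with AC */
    if (!ac_valid(r.pht, r.ac)) return -2;        /* validate the copy we keep */
    memcpy(used_out, r.pht, PHT_LEN);
    return 0;
}

/* One boot attempt on constructed data. switcher=1 serves a tampered PHT on
 * the first read and the genuine PHT (with its AC) on the second; switcher=0
 * serves the genuine PHT both times. Returns 1 if the tampered PHT would
 * drive secure boot, 0 if the genuine one would, -1 if the FSBL refuses. */
int boot_attempt(int patched, int switcher) {
    nvm_response_t genuine, tampered, seq[2];
    memset(genuine.pht, 0x11, PHT_LEN);           /* constructed PHT contents */
    genuine.ac = pht_digest(genuine.pht);         /* AC matches the genuine PHT */
    memcpy(tampered.pht, genuine.pht, PHT_LEN);
    tampered.pht[0] = 0xEE;                       /* one altered header byte */
    tampered.ac = genuine.ac;                     /* no AC matches the altered bytes */
    seq[0] = switcher ? tampered : genuine;
    seq[1] = genuine;
    nvm_t nvm = { seq, 2, 0 };
    uint8_t used[PHT_LEN];
    int rc = patched ? fsbl_load_pht_patched(&nvm, used)
                     : fsbl_load_pht_vulnerable(&nvm, used);
    if (rc != 0) return -1;
    return memcmp(used, tampered.pht, PHT_LEN) == 0 ? 1 : 0;
}

int main(void) {
    printf("vulnerable FSBL, honest card   : %d\n", boot_attempt(0, 0));
    printf("vulnerable FSBL, card switcher : %d\n", boot_attempt(0, 1));
    printf("patched FSBL,    honest card   : %d\n", boot_attempt(1, 0));
    printf("patched FSBL,    card switcher : %d\n", boot_attempt(1, 1));
    return 0;
}
```

The tampered copy never passes the AC check on its own; it reaches secure boot only because the pre-patch flow checks one buffer and uses another. The patch closes that gap by authenticating the single copy the FSBL keeps, not by changing the cryptography, which is why the same digest stand-in is enough to show the difference.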

## Starbleed on Zynq: Introduction and Working





































Secure boot OK!!

#### Main Challenges:

- Implementing a working Starbleed attack on a standalone FPGA
- Construction of a secure attack boot image (without knowledge of the key)
- Development of an attack application to carry out the Starbleed attack (PCAP interface)

### Starbleed Bitstream Creation: Tool

Figure: screenshot of the bitstream creation tool (SelectMAP Programmer & Bitstream Browser, v1.1.4, March 2023, Arpan Jati). Panels: Inspector and Exporter; inputs for a Binary File (the Starbleed attack .bin), an NKY File (.nky key file) and Recovery Data; a fault entry row with Position and Value (Hex) plus Add/Remove; a Bitstream Browser view of the decrypted bitstream alongside the Fault Locations list. Status bar: "Binary Recovery File does NOT exist".

- The tool works by adding faults in the required places (done manually).
- It removes extra superfluous code, which makes the attack much faster.

#### Starbleed Bitstream Creation: Tool

Figure: Bitstream Browser view of the decrypted bitstream (byte rows with fault markers).
| 32  | 00 00 00 BB<br>X                 | 11 22 00 44 FF FF FF FF<br>X X                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | FF FF FF FF<br>X                  |
| 48  | <b>AA 99 55 66</b><br>X          | 20         00         00         30         03         E0         01           T1         NOP         T1         W         BSPI         1                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | 00 00 00 0B<br>×                  |
| 64  | <b>30 00 80 01</b><br>T1 W CMD 1 | 00         00         01         20         00         00         00           CMD         BSPI_READ         T1         NOP         NOP | 30 00 C0 01<br>T1 W MASK 1        |
| 80  | 00 00 00 40<br>×                 | <b>30 00 A0 01 00 00 40</b><br>T1 W CTL0 1 X                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | <b>30 01 C0 01</b><br>T1 W COR1 1 |
| 96  | 00 00 00 00<br>X                 | 20         00         00         20         00         00           T1         NOP         T1         NOP                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | 20 00 00 00<br>T1 NOP             |
| 112 | <b>20 00 00 00</b><br>T1 NOP     | 20         00         00         20         00         00           T1         NOP         T1         NOP                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | 20 00 00 00<br>T1 NOP             |
| 128 | <b>20 00 00 00</b><br>T1 NOP     | 20         00         00         20         00         00           T1         NOP         T1         NOP                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | 20 00 00 00<br>T1 NOP             |
| 144 | <b>20 00 00 00</b><br>T1 NOP     | 20         00         00         20         00         00           T1         NOP         T1         NOP                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | <b>30 01 60 04</b><br>T1 W CBC 4  |
| 160 | <b>00 01 02 03</b><br>X          | 04 05 06 07 08 09 0A 0B<br>X X                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | <b>0C 0D 0E 0F</b><br>X           |
| 176 | <b>30 03 40 01</b><br>T1 W DWC 1 | 00 00 01 28<br>X                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |                                   |
| 184 | F6 77 B4 35                      | D2 53 90 11 EE 6F AC 2D                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | CA 4B 88 09                       |
| 200 | 36 36 36 36                      | 36 36 36 36 36 36 36 36                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | 36 36 36 36                       |
| 216 | 36 37 34 35                      | 32 33 30 31 3E 3F 3C 3D                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | 3A 3B 38 39                       |
| 232 | 3F DB 4B 21                      | BC C2 24 FF 48 76 2C 94                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | D0 FE 8B CF                       |

| Decrypted Bitstream |                                   |                              |                                   |                                       |  |  |  |  |  |  |
|---------------------|-----------------------------------|------------------------------|-----------------------------------|---------------------------------------|--|--|--|--|--|--|
| 232                 | 3F DB 4B 21                       | BC C2 24 FF                  | 48 76 2C 94                       | D0 FE 8B CF                           |  |  |  |  |  |  |
| 248                 | <b>30 02 20 01</b>                | 00 00 00 00                  | 30 02 00 26                       | 00 00 00 00                           |  |  |  |  |  |  |
|                     | T1 W TIMER 1                      | X                            | T1 W WBSTAR 38                    | X                                     |  |  |  |  |  |  |
| 264                 | <b>30 00 80 01</b>                | 00 00 00 00                  | 20 00 00 00                       | 30 00 80 01                           |  |  |  |  |  |  |
|                     | T1 W CMD 1                        | CMD NULL                     | T1 NOP                            | Ti w cmd i                            |  |  |  |  |  |  |
| 280                 | 00 00 00 07                       | <b>20 00 00 00</b>           | 20 00 00 00                       | <b>30 02 60 01</b>                    |  |  |  |  |  |  |
|                     | CMD RCRC                          | T1 NOP                       | T1 NOP                            | T1 W [U/D] 1                          |  |  |  |  |  |  |
| 296                 | 00 00 00 00                       | <b>30 01 20 01</b>           | <b>02 00 3F E5</b>                | <b>30 01 C0 01</b>                    |  |  |  |  |  |  |
|                     | X                                 | T1 W COR0 1                  | X                                 | T1 W COR1 1                           |  |  |  |  |  |  |
| 312                 | 00 00 00 00                       | <b>30 01 80 01</b>           | <b>03 64 C0 93</b>                | <b>30 00 80 01</b>                    |  |  |  |  |  |  |
|                     | ×                                 | T1 W IDCODE 1                | ×                                 | T1 W CMD 1                            |  |  |  |  |  |  |
| 328                 | <b>00 00 00 09</b><br>CMD SWITCH  | <b>20 00 00 00</b><br>T1 NOP | <b>30 00 C0 01</b><br>T1 W MASK 1 | X X X X X X X X X X X X X X X X X X X |  |  |  |  |  |  |
| 344                 | <b>30 00 A0 01</b><br>T1 W CTL0 1 | 00 00 05 49<br>×             | <b>30 00 C0 01</b><br>T1 W MASK 1 | FF FF FF FF                           |  |  |  |  |  |  |
| 360                 | <b>30 03 00 01</b>                | 00 01 E3 D0                  | 20 00 00 00                       | <b>20 00 00 00</b>                    |  |  |  |  |  |  |
|                     | T1 W CTL1 1                       | X                            | T1 NOP                            | T1 NOP                                |  |  |  |  |  |  |
| 376                 | 20 00 00 00                       | 20 00 00 00                  | 20 00 00 00                       | 20 00 00 00                           |  |  |  |  |  |  |
|                     | T1 NOP                            | T1 NOP                       | T1 NOP                            | Ti Nop                                |  |  |  |  |  |  |
| 392                 | EF C2 FE A8                       | <b>FE 10 7C BA</b>           | <b>F4 03 4F E4</b>                | D3 3F 44 62                           |  |  |  |  |  |  |
|                     | X                                 | X                            | X                                 | X                                     |  |  |  |  |  |  |
| 408                 | <b>30 00 80 01</b>                | 00 00 00 01                  | <b>20 00 00 00</b>                | <b>30 02 00 08</b>                    |  |  |  |  |  |  |
|                     | T1 W CMD 1                        | CMD WCFG                     | T1 NOP                            | T1 W WBSTAR 8                         |  |  |  |  |  |  |
| 424                 | <b>50 19 85 70</b>                | 00 00 00 00                  | 00 00 00 00                       | 00 00 00 04                           |  |  |  |  |  |  |
|                     | T2 W 1672560                      | X                            | X                                 | ×                                     |  |  |  |  |  |  |
| 440                 | <b>21 A1 16 93</b>                | <b>DC D9 DC 06</b>           | <b>7F 99 A0 56</b>                | <b>48 D1 E1 AC</b>                    |  |  |  |  |  |  |
|                     | T1 NOP                            | X                            | X                                 | T2 R 13754796                         |  |  |  |  |  |  |
| 456                 | 00 00 00 00                       | 00 00 00 00                  | 00 00 00 00                       | 00 00 00 00                           |  |  |  |  |  |  |
|                     | ×                                 | X                            | X                                 | X                                     |  |  |  |  |  |  |
| 472                 | 00 00 00 00                       | 00 00 00 00                  | 00 00 00 00                       | 00 00 00 00                           |  |  |  |  |  |  |
|                     | ×                                 | ×                            | ×                                 | ×                                     |  |  |  |  |  |  |
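To make the T1/T2 labels in the table above reproducible, here is an added decoder for 7-series configuration packet headers (written for this page; it is not the authors' tooling). Register and CMD names follow the public UG470 tables; the [U/D] and DWC names for addresses 0x13 and 0x1A are taken from the table, and the sample word list is constructed from the table's header rows (the CMD value 0x12 = BSPI_READ at offset 68 is reconstructed from its label).

```python
"""Decode 7-series configuration packet headers the way the table above labels them."""

SYNC_WORD = 0xAA995566
CMD_REG = 0x04

# Register addresses from the public 7-series configuration user guide (UG470,
# Table 5-23). 0x13 ("[U/D]") and 0x1A ("DWC") are not in that table; the names
# are the ones this page uses for them.
REGISTERS = {
    0x00: "CRC", 0x01: "FAR", 0x02: "FDRI", 0x03: "FDRO", 0x04: "CMD",
    0x05: "CTL0", 0x06: "MASK", 0x07: "STAT", 0x08: "LOUT", 0x09: "COR0",
    0x0A: "MFWR", 0x0B: "CBC", 0x0C: "IDCODE", 0x0D: "AXSS", 0x0E: "COR1",
    0x10: "WBSTAR", 0x11: "TIMER", 0x13: "[U/D]", 0x16: "BOOTSTS",
    0x18: "CTL1", 0x1A: "DWC", 0x1F: "BSPI",
}
# Opcodes written to the CMD register (UG470, Table 5-24).
CMD_CODES = {
    0x00: "NULL", 0x01: "WCFG", 0x02: "MFW", 0x03: "DGHIGH/LFRM", 0x04: "RCFG",
    0x05: "START", 0x06: "RCAP", 0x07: "RCRC", 0x08: "AGHIGH", 0x09: "SWITCH",
    0x0A: "GRESTORE", 0x0B: "SHUTDOWN", 0x0C: "GCAPTURE", 0x0D: "DESYNC",
    0x0F: "IPROG", 0x10: "CRCC", 0x11: "LTIMER", 0x12: "BSPI_READ",
    0x13: "FALL_EDGE",
}
OPCODES = {0: "NOP", 1: "R", 2: "W"}


def reg_name(reg: int) -> str:
    return REGISTERS.get(reg, f"REG{reg:#04x}")


def decode_word(word: int) -> str:
    """Label a single 32-bit word as a packet header, in the table's notation.

    Type 1: [31:29]=001, [28:27]=opcode, [26:13]=register, [10:0]=word count.
    Type 2: [31:29]=010, [28:27]=opcode, [26:0]=word count; the register is the
    one named by the preceding Type 1 header. Anything else is data ("X").
    """
    if word == SYNC_WORD:
        return "SYNC"
    pkt_type, opcode = word >> 29, (word >> 27) & 0x3
    if pkt_type == 1:
        if opcode == 0:
            return "T1 NOP"
        reg = reg_name((word >> 13) & 0x3FFF)
        return f"T1 {OPCODES.get(opcode, '?')} {reg} {word & 0x7FF}"
    if pkt_type == 2:
        return f"T2 {OPCODES.get(opcode, '?')} {word & 0x07FFFFFF}"
    return "X"


def walk(words):
    """Yield (word, label, data_register) for a word stream.

    Words before the sync word are bus-width/dummy words. After a write header
    the owed data words are reported as data for that register instead of being
    misread as headers, which a word-by-word decode would do for values such as
    0x36363636.
    """
    synced, owed, reg = False, 0, None
    for w in words:
        if not synced:
            synced = w == SYNC_WORD
            yield w, ("SYNC" if synced else "X"), None
        elif owed:
            owed -= 1
            label = f"CMD {CMD_CODES.get(w, hex(w))}" if reg == CMD_REG else "X"
            yield w, label, reg
        else:
            pkt_type, opcode = w >> 29, (w >> 27) & 0x3
            if pkt_type == 1 and opcode != 0:
                reg = (w >> 13) & 0x3FFF
                owed = (w & 0x7FF) if opcode == 2 else 0  # reads carry no payload
            elif pkt_type == 2 and opcode == 2:
                owed = w & 0x07FFFFFF
            yield w, decode_word(w), None


def annotate(words):
    """[(word, label), ...] matching the two-line cells of the table above."""
    return [(w, label) for w, label, _ in walk(words)]


def written_registers(words):
    """Collect the values written to each register: {name: [values, ...]}."""
    out = {}
    for w, _, reg in walk(words):
        if reg is not None:
            out.setdefault(reg_name(reg), []).append(w)
    return out


# Constructed sample: the header rows (offsets 32..176) of the table above, with
# the CMD value at offset 68 (0x12 = BSPI_READ) reconstructed from its label.
SAMPLE = [
    0x000000BB, 0x11220044, 0xFFFFFFFF, 0xFFFFFFFF,  # bus-width detect, dummy
    0xAA995566, 0x20000000, 0x3003E001, 0x0000000B,  # sync, NOP, W BSPI <- 0x0B
    0x30008001, 0x00000012, 0x20000000, 0x3000C001,  # W CMD <- BSPI_READ, NOP, W MASK
    0x00000040, 0x3000A001, 0x00000040, 0x3001C001,  # <- 0x40, W CTL0 <- 0x40, W COR1
    0x00000000, 0x20000000, 0x20000000, 0x20000000,  # <- 0, NOPs
    0x20000000, 0x20000000, 0x20000000, 0x30016004,  # NOPs, W CBC 4 (IV follows)
    0x00010203, 0x04050607, 0x08090A0B, 0x0C0D0E0F,  # IV
    0x30034001, 0x00000128,                          # W DWC <- 0x128 encrypted words
]

if __name__ == "__main__":
    for i, (w, label) in enumerate(annotate(SAMPLE)):
        print(f"{32 + 4 * i:4d}  {w:08X}  {label}")
    print(written_registers(SAMPLE))
```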

#### **Building Secure Boot Image from Victim Boot Image**



## **Building Attack Application:**

- Main Tasks:
  - **Task 1:** Fetch Starbleed bitstreams from DDR memory and push them to the PL through the PCAP interface.
  - **Task 2:** Perform readback of the WBSTAR register through the PCAP interface.
- We utilized the Xilinx Software Development Kit (XSDK) to develop the attack application running on the PS.
- We are able to successfully use the PCAP interface to configure the PL with valid bitstreams.

#### PS detects HMAC error!!!

- Readback through PCAP is only possible when the PL is fully configured with a valid bitstream.
- So, we attempted to use the JTAG interface to perform readback.
- We were able to read the correct decrypted word in the WBSTAR register through the JTAG interface.

### Can we rely on JTAG for the Starbleed Attack?

- JTAG is an external interface which might not be exposed on a deployed device.
- There is a fuse control bit that can permanently disable JTAG: **XSK\_EFUSEPK\_DISABLE\_JTAG\_CHAIN**
- Can we perform the attack using just the PCAP interface (**without relying on an external interface**)?
- We identified a "hack" to perform the Starbleed attack using only the PCAP interface.

- Limitation: PCAP readback is possible only when the PL is properly configured (PL DONE high).
- Attack Steps:
  - Step 1: We push a valid bitstream (the encrypted bitstream in the victim image) and fully configure the PL (PL DONE high).
  - Step 2: Without initializing the PL, we send in the Starbleed bitstream (not recommended). We then observe an HMAC error, and the DONE LED is still high (**FPGA still fully configured**).
  - Step 3: We read the WBSTAR register through the PCAP interface and get the decrypted codeword!!!
  - Step 4: PCAP goes into an unknown state (**unresponsive**) and requires a POR reset.

# Automating Starbleed Attack (using PCAP)



- Starbleed bitstreams need to be created adaptively (based on knowledge of previously retrieved words).
- Since we have control of the attack application, we use the UART interface to communicate with the target.
- New bitstreams are fed to the Zynq device through the UART interface (then used by the PS for the attack).
- We have an Arduino-based relay to perform an automatic POR reset of the target.


### **Starbleed on Zynq: Experimental Results**

- We are able to retrieve a single decrypted bitstream word in approx. 1 second.
- An encrypted bitstream of size 3.85 MB can be retrieved in 46 days.
- The attacker needs access to the target device for this duration.
- Most of the time is spent in the POR reset (the target device goes through secure boot for every bitstream word).

# **Optimizing Starbleed Attack on Zynq**

- Faster bitstream recovery is possible with a dedicated PCB and a faster relay.
- Multiple target devices can be used to speed up the attack as well.
- Main bottleneck: the POR reset requirement (when using secure boot).
- Can we perform the attack without requiring a POR reset?
  - Once we recover the HMAC key, we can create authenticated Starbleed bitstreams (no HMAC error).
  - PCAP could potentially be retained in a working state.
  - Complete bitstream recovery might be possible without a POR reset for every recovered word.
  - Some seemingly sound strategies may also fail for reasons we have not identified.

### **Attack Demo**

## Analyzing SD Card Data Transfer

### SD Card Interface: Background

- 9-wire interface:
  - CMD (Command)
  - CLK (Clock)
  - DAT0-DAT3 (4 data lines)
- Commands and responses are exchanged over the CMD line, in the form of packets
- The SD card contains a few information registers: control and status of the SD card interface
- Reading/writing is done in blocks of 512 bytes
- Important commands for read:
  - CMD17: read a single block
  - CMD18: read multiple blocks

#### CMD17: Single block read transfer, SD mode

(Figure: single block read transfer, SD mode; not reproduced.)

#### Idea: Monitor the number of CMD17 and CMD18 calls

- This gives us information about the data blocks read by the BootROM/FSBL over the SD interface.

### Use Logic Analyzer to analyze SD Card Interface

# Logic Analyzer for SD Card Interface

#### DS Logic Plus Analyzer:

- 400 MHz (16 channels)
- SDIO protocol decoder

#### Analysis of the following signals:

- CMD
- CLK
- DAT3 (can be any other data line)
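The monitoring idea above (count the CMD17/CMD18 commands seen on the CMD line, captured together with CLK and one DAT line) can be reproduced on the decoded samples with a short script. The following is an added example, not code from the talk's authors and not the DSLogic protocol decoder: it decodes the 48-bit SD host command packets (start bit, transmission bit, 6-bit index, 32-bit argument, CRC-7 with polynomial x^7 + x^3 + 1, end bit, as defined in the SD Physical Layer specification), verifies the CRC, skips the card's responses, and totals the block reads. The CMD-line trace it runs on is constructed inline (a CMD0, 225 CMD17 reads each answered by a constructed R1 response, and one packet corrupted after its CRC was computed), so the 225-block result matches the Nsec FSBL count quoted later in the deck only because the sample was built that way; the R1 status value is likewise a constructed placeholder.

```python
"""Added example (not from the talk): decode host command packets on an SD card's
CMD line, check their CRC-7 and count CMD17/CMD18 block reads, which is the
measurement the slides perform with a logic analyser. Captures are constructed."""
from dataclasses import dataclass
from typing import Dict, Iterator, List

BLOCK_SIZE = 512                   # SD read/write granularity in bytes (from the slides)
CMD_READ_SINGLE_BLOCK = 17         # one 512-byte block per command
CMD_READ_MULTIPLE_BLOCK = 18       # streams blocks until CMD12 (STOP_TRANSMISSION)
R2_RESPONSE_COMMANDS = {2, 9, 10}  # these commands get a 136-bit R2 response, not 48 bits


def crc7(data: bytes) -> int:
    """CRC-7 used on SD command/response packets: x^7 + x^3 + 1, MSB first, init 0."""
    crc = 0
    for byte in data:
        for i in range(7, -1, -1):
            feedback = ((crc >> 6) & 1) ^ ((byte >> i) & 1)
            crc = (crc << 1) & 0x7F
            if feedback:
                crc ^= 0x09
    return crc


@dataclass
class SdCommand:
    index: int       # 6-bit command index (17 = READ_SINGLE_BLOCK, 18 = READ_MULTIPLE_BLOCK)
    argument: int    # 32-bit argument (block address for CMD17/CMD18)
    crc_ok: bool     # CRC-7 and end bit verified


def _bits(packet: bytes) -> List[int]:
    return [(b >> i) & 1 for b in packet for i in range(7, -1, -1)]


def encode_command(index: int, argument: int) -> List[int]:
    """Host -> card packet: start 0, transmission 1, index[6], arg[32], crc7[7], end 1.
    Used here only to construct sample captures."""
    body = bytes([0x40 | (index & 0x3F)]) + argument.to_bytes(4, "big")
    return _bits(body + bytes([(crc7(body) << 1) | 1]))


def encode_r1_response(index: int, status: int) -> List[int]:
    """Card -> host 48-bit R1 response: start 0, transmission 0, index, status, crc7, end 1."""
    body = bytes([index & 0x3F]) + status.to_bytes(4, "big")
    return _bits(body + bytes([(crc7(body) << 1) | 1]))


def decode_cmd_line(bits: List[int]) -> Iterator[SdCommand]:
    """Walk CMD-line samples (one per CLK edge, line idle high) and yield host commands.
    Card responses (transmission bit 0) are skipped rather than decoded."""
    i, n, last_index = 0, len(bits), None
    while i + 48 <= n:
        if bits[i] == 1:                       # idle / gap between packets
            i += 1
        elif bits[i + 1] == 1:                 # start 0 + transmission 1: host command
            raw = int("".join(map(str, bits[i:i + 48])), 2).to_bytes(6, "big")
            index = raw[0] & 0x3F
            argument = int.from_bytes(raw[1:5], "big")
            crc_ok = (raw[5] >> 1) == crc7(raw[:5]) and (raw[5] & 1) == 1
            yield SdCommand(index, argument, crc_ok)
            last_index, i = index, i + 48
        else:                                  # start 0 + transmission 0: card response
            i += 136 if last_index in R2_RESPONSE_COMMANDS else 48


def summarize_reads(commands: List[SdCommand]) -> Dict[str, int]:
    """Count block-read commands. A CMD17 is exactly one block; a CMD18 runs until
    CMD12, so the CMD line alone gives only the number of multi-block transfers."""
    ok = [c for c in commands if c.crc_ok]
    cmd17 = sum(1 for c in ok if c.index == CMD_READ_SINGLE_BLOCK)
    cmd18 = sum(1 for c in ok if c.index == CMD_READ_MULTIPLE_BLOCK)
    return {"cmd17": cmd17, "cmd18": cmd18,
            "crc_errors": len(commands) - len(ok),
            "bytes_from_cmd17": cmd17 * BLOCK_SIZE}


def blocks_for_image(size_bytes: int) -> int:
    """Number of 512-byte blocks a boot-image partition of this size occupies."""
    return -(-size_bytes // BLOCK_SIZE)


def build_sample_capture(blocks: int = 225) -> List[int]:
    """Constructed CMD-line trace: CMD0, then `blocks` CMD17 reads each answered by an R1
    (status value is a placeholder), then one CMD17 corrupted after its CRC was computed."""
    trace = [1] * 8 + encode_command(0, 0) + [1] * 8
    for block in range(blocks):
        trace += encode_command(CMD_READ_SINGLE_BLOCK, block) + [1] * 2
        trace += encode_r1_response(CMD_READ_SINGLE_BLOCK, 0x00000900) + [1] * 8
    bad = encode_command(CMD_READ_SINGLE_BLOCK, blocks)
    bad[20] ^= 1                               # flip an argument bit -> CRC-7 mismatch
    return trace + bad + [1] * 8


if __name__ == "__main__":
    print(summarize_reads(list(decode_cmd_line(build_sample_capture()))))
```

Because a CMD18 transfer only ends at CMD12, the CMD line by itself yields the number of multi-block transfers, not their size; to turn those into bytes the DAT line the slides also capture has to be counted as well. The CRC check matters for the same reason it does in the talk's measurements: a packet that fails CRC-7 is rejected by the card and transfers nothing, so counting it would overstate what the BootROM or FSBL actually read.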




## Possible BootROM Vulnerabilities

#### What about BootROM?

- RSA authentication and decryption of the FSBL (from the SD card)
- Any vulnerabilities in BootROM?

#### Challenges:

- BootROM code is not available (hard-coded on chip)
- BootROM code cannot be changed

#### In this work:

- Black-box vulnerability analysis of the BootROM
- Updates on our previous attack on the FSBL
- Probe the SD card interface between the SoC and the SD card



### Analysis of SD Card Interface during Bootup

(Figure: logic analyzer capture of the SD card interface during boot, roughly 0 to 1.16 s; not reproduced.)

- How to differentiate between BootROM transfers and FSBL transfers?
  - **Observation:** FSBL is controllable software
  - **Idea:** Insert varying delays within the FSBL software and observe how the transfers are perturbed.
    - Insert a delay just after the start of the FSBL
    - Insert a delay after the PHT transfer
    - Insert delays after the bitstream transfer

# Full Boot up:

(Figure: annotated logic analyzer capture of the full boot, roughly 0 to 1.16 s; not reproduced. The phases marked on the trace, in order, are:)

- InitSD (BootROM execution)
- Retrieval of FSBL (BootROM execution)
- InitSD interface and PHT retrieval (FSBL execution)
- Retrieval of bitstream (FSBL execution)
- Retrieval of SW application (FSBL execution)

## PHT Transfer Analysis

### PHT Transfer by FSBL

- We know there are two PHT transfers (PHT1 and PHT2)
- **To identify PHT1**: put an infinite while loop after PHT1
- **To identify PHT2**: put an infinite while loop after PHT2

#### FSBL Execution

(Figure: logic analyzer captures with the FSBL halted after PHT1 and after PHT2; not reproduced.)

- PHT2 transfer: **448.5** msecs (from first clock edge on CMD line)

## BootROM Data Transfer Analysis

# Analyzing BootROM Behaviour

- Area of interest: data blocks transferred during FSBL authentication
- We consider three cases:
  - Non-secure boot (Nsec)
  - Secure with only encryption (Sec\_Encrypt)
  - Secure with both encryption and authentication (Sec\_Auth\_Encrypt)

### BootROM Behaviour: Nsec Image

- Read unencrypted FSBL
- 114.5 KB = 225 blocks

### BootROM Behaviour: Sec\_Encrypt Image

- Read encrypted FSBL
- 115.5 KB = 227 blocks

### BootROM Behaviour: Sec\_Auth\_Encrypt Image

- Read encrypted FSBL + certificate
- 116.8 KB = 230 blocks

- Inference: there are no duplicate data transfers of the FSBL data during BootROM execution.

### Conclusion:

- We have identified a critical security flaw in the Zynq-7000 FSBL software, due to mishandling of the PHT data.
- We experimentally validated exploitation of the flaw using an SD card switcher board.
- A very minor modification to the FSBL is required to demonstrate a successful attack with existing hardware.
- For a real-world attack, specialized hardware is needed between the target and the SD card switcher board.
- Xilinx/AMD has acknowledged the presence of the critical flaw to bypass RSA authentication.
- A software patch for the FSBL is provided by Xilinx to remove the vulnerability.
  - But all unpatched devices in the wild face recovery of unencrypted bitstream and application files.
- We performed the first vulnerability analysis of the BootROM software of the Zynq-7000 SoC
  - We used a logic analyzer to probe the SD card interface during FSBL and BootROM execution
  - BootROM analysis showed that there is no duplicate transfer of the FSBL during BootROM execution

### Future Works:

- After patching the PHT authentication vulnerability, are more attacks still possible?
- Fault vulnerability analysis of the FSBL and BootROM

# Thank you!!!