Added Xilinx UltraScale+ MPSoC CSU Support CSU support.

Enabled support for offloading SHA3 hashing to CSU hardware using PKA=1.
Added support for enabling JTAG at runtime if CSU_DEBUG is set. Requires patching PMUFW to enable register access. See: https://xilinx-wiki.atlassian.net/wiki/spaces/A/pages/2587197506/Zynq+UltraScale+MPSoC+JTAG+Enable+in+U-Boot

Author: dgarske

IDE/XilinxSDK/README.md

@@ -78,16 +78,7 @@ Note: If not using Position Independent Code (PIC) the linker script `ldscript.l
 
 ## Zynq UltraScale+ ARMv8 Crypto Extensions
 
-To enable ARM assembly speedups for SHA:
-
-1) Add these build symbols:
-
-```
-WOLFSSL_ARMASM
-WOLFSSL_ARMASM_INLINE
-```
-
-2) Add these compiler misc flags: `-mcpu=generic+crypto -mstrict-align -DWOLFSSL_AARCH64_NO_SQRMLSH`
+By default the ARM assembly speedups for SHA will be enabled. This uses inline assembly in wolfcrypt/src/port/arm/ and the armb8 crypto extensions. To disable set `NO_ARM_ASM=1`.
 
 
 ## Generate signing key
@@ -154,7 +145,7 @@ the_ROM_image:
 }
 ```
 
-You can also use exception level 3 or 1 depending on your needs.
+You can use exception level 3, 2 or 1 depending on your needs. See hal/zynq.h options EL3_SECURE, EL2_HYPERVISOR and EL1_NONSECURE for enabled/disabling entry support for each. Default is support for EL2.
 
 From the workspace root:
 
@@ -208,13 +199,12 @@ Hello World
 Successfully ran Hello World application
 ```
 
-
 ### Adding RSA Authentication
 
 1. Generate keys:
-    * `bootgen.exe -generate_keys auth pem -arch zynqmp -image boot.bif`
+    * `bootgen.exe -generate_keys auth pem -arch zynqmp -image boot_auth.bif`
 2. Create hash for primary key:
-    * `bootgen.exe -image boot.bif -arch zynqmp -w -o i BOOT.BIN -efuseppkbits ppkf_hash.txt`
+    * `bootgen.exe -image boot_auth.bif -arch zynqmp -w -o i BOOT.BIN -efuseppkbits ppkf_hash.txt`
 3. Import example project for programming eFuses:
     * New BSP project (program efuses , ZCU102_hw_platform, standalone, CPU: PSU_cortexa53_0)
     * Goto Xilinx Board Support Packet Settings.
@@ -235,11 +225,23 @@ Successfully ran Hello World application
     ```
 
 6. Build “boot.bin” image:
-    * `bootgen -image boot.bif -arch zynqmp -o i BOOT.BIN -w`
+    * `bootgen -image boot_auth.bif -arch zynqmp -o i BOOT.BIN -w`
+
+Note: During testing add `[fsbl_config] bh_auth_enable` to allow skipping of the eFuse check of the PPK hash. In production the RSA_EN eFuses must be blown to force checking of the PPK hash.
 
 Note: To generate a report of a boot.bin use the `bootgen_utility` or after 2022.1 use `bootgen -read`:
 `bootgen -arch zynqmp -read BOOT.BIN`
 
+
+# CSU Support
+
+Enabling PMU firmware support for access to the CSU.
+In PetaLinux menuconfig under PMU Configuration add compiler flag `-DSECURE_ACCESS_VAL=1`.
+```sh
+petalinux-build -c pmufw
+petalinux-build
+```
+
 ## Post Quantum
 
 ### PQ XMSS

arch.mk

@@ -75,6 +75,12 @@ ifeq ($(ARCH),AARCH64)
     # Support detection and skip of U-Boot legacy header */
     CFLAGS+=-DWOLFBOOT_UBOOT_LEGACY
     CFLAGS+=-DWOLFBOOT_DUALBOOT
+
+    ifeq ($(PKA),1)
+      # Use HAL for hash (see zynqmp.c)
+      PKA_HASH_HAL=1
+      CFLAGS+=-DWOLFBOOT_ZYNQMP_CSU
+    endif
   else
     ifeq ($(TARGET),nxp_ls1028a)
       ARCH_FLAGS=-mcpu=cortex-a72+crypto -march=armv8-a+crypto -mtune=cortex-a72

config/examples/zynqmp.config

@@ -8,6 +8,13 @@ SIGN?=RSA4096
 HASH?=SHA3
 IMAGE_HEADER_SIZE?=1024
 
+# Hashing Option
+# 1. ARMv8+Crypto Assembly: PKA=0 and NO_ARM_ASM=0 (default)
+# 2. CSU SHA3 hardware acceleration PKA=1 and NO_ARM_ASM=1
+# 3. C Only PKA=0 and NO_ARM_ASM=1
+NO_ARM_ASM?=0
+PKA?=0
+
 # XMSS/XMSS^MT is a post-quantum, stateful, hash-based signature scheme.
 # Use the helper script `tools/xmss/xmss_siglen.sh`
 # to calculate your signature length given an xmss parameter string.
@@ -36,14 +43,12 @@ CFLAGS_EXTRA+=-DDEBUG_ZYNQ=1
 VTOR?=1
 CORTEX_M0?=0
 NO_ASM?=0
-NO_ARM_ASM?=0
 ALLOW_DOWNGRADE?=0
 NVM_FLASH_WRITEONCE?=0
 V?=0
 SPMATH?=1
 RAM_CODE?=0
 DUALBANK_SWAP?=0
-PKA?=1
 WOLFTPM?=0
 EXT_FLASH?=1
 SPI_FLASH?=0