In order to demonstrate attacks against the content of the external memories of a SoC and also to test the efficiency of the SecBus architecture, we developed a programmable hardware attacker. The attacker, just like the AXI simple bridge, sits in the PL, between the CPU and the DDR. But while the simple bridge simply counts the AXI transactions, the AXI bridge can spy at them and even modify them on the fly. Please consult its documentation in the (download area) for details.
The AXI bridge can be used with the Xilinx [Zynq] cores and the ZedBoard prototyping board. Zynq cores embed a ARM processor and all its usual peripherals (USB, Ethernet, flash...) including external memory controllers. This part forms what is named Processing System (PS) in Xilinx terminology. Zynq cores also embed an FPGA matrix, the Programmable Logic (PL).
This page explains how to configure the PL and the software stack to boot a Linux kernel with all accesses to the external DDR flowing through the AXI bridge in the PL.
In Zynq cores, the Processing System (PS) usually accesses its external DDR memory in the
[0x0000_0000, 0x4000_0000[ address range (Regular Address Space or RAS in the following). In order to process the memory accesses it would be convenient to route them to the Programmable Logic (PL), instead. If this was possible, one could simply configure the PL to implement the desired processing and instruct the PS to access its DDR through the PL. Of course, in order for this to work, the PL would have to route the PS requests to the DDR and the DDR responses back to the PS. The kind of processing implemented in the PL can be anything from no processing, monitoring, tracing, cryptography...
Indeed, thanks to the Zynq architecture and its quite dense PS-PL interface, it is possible. The SecBus HSM uses this organization to implement cryptographic processing of the memory accesses (encryption, integrity checking). The AXI bridge presented here implements the same AXI transaction counters as its simple counterpart, plus programmable eavesdropping and tampering with the AXI transactions. It thus can be used to mount attacks against the content of the external memories, either to extract confidential information or to alter the nominal behaviour of the system. This is the reason why it has been developed: demonstrating attacks and also demonstrating how the SecBus architecture can prevent them.
The PS and the PL communicate through a set of AXI interfaces. The AXI bridge uses 3 of them:
AXI_GP0: 32 bits, master: PS, slave: PL, mapped in the
[0x4000_0000, 0x8000_0000[address range (Control Address Space or CAS in the following). The PS uses this interface to access the bridge internal registers. These registers are used for debugging (AXI transaction counters, programmable LED activity...) and to control the attacks (programming triggers, transactions capture, injection...).
AXI_GP1: 32 bits, master: PS, slave: PL, mapped in the
[0x8000_0000, 0xc000_0000[address range (Alternate Address Space or AAS in the following). The PS uses this interface to access the DDR through the bridge.
AXI_HP0: 32 or 64 bits, master: PL, slave: PS. Configured in 32 bits width. The bridge routes all PS requests falling in the AAS, that is, received on the
AXI_HP0, after shifting the addresses back in the RAS. This way, accessing an address
[0x8000_0000, 0xc000_0000[range is the same as accessing
[0x0000_0000, 0x4000_0000[range, except that it is routed through the PL.
Prepare a SDCard from which the ZedBoard will boot. Create a FAT32 first partition and make it large enough for the provided archive (you can create more partitions if you wish). Mount it on your host PC. In the following we assume its mount point is
Download an archive from the download area, section "AXI bridge".
Unpack the archive in the SDCard:
tar --directory=/media/SDCard -xf <archive>.tgz
Unmount the SDCard, plug it to the ZedBoard, configure the jumpers to boot from the SDCard and connect the USB-UART cable to your host PC.
Power on the ZedBoard and launch a serial console on your host PC (
minicom -D /dev/ttyACM0
Wait until the Linux kernel boots. Note: the CPU caches (L1 and L2) are disabled for better observability of the CPU memory accesses. This has been achieved with the method described [wiki:DisablingZynqCaches here]. Of course, this slows the CPU down; please be patient when the Linux kernel boots and loads the root file system...
You are done and you are running a minimal GNU/Linux OS with all accesses to the external memory routed to the PL:
The root password is
secbus. You can observe the bridge activity thanks to its internal registers. You can also mount attacks, retrieve passwords or cryptographic secret keys, achieve privilege escalations... Please read the documentation for detailed information about the AXI bridge features. Several aliases are defined to ease the interactions with the bridge, as summarized in the welcome banner that shows up in the serial console.
Note: the SD card partition from which the system booted is mounted on
/mnt, so, if you added some custom files on the SD card, they are in
Note: the bitstream embeds a Chipscope Integrated Logic Analyzer core allowing to observe the AXI signals from Vivado.