Commit d38551a

dgarske authored and danielinux committed
Add update_disk encryption support.
1 parent 249c828 commit d38551a

4 files changed, +537 -15 lines changed

config/examples/polarfire_mpfs250.config

Lines changed: 4 additions & 3 deletions
@@ -25,9 +25,6 @@ WOLFTPM?=0
2525
ELF?=1
2626
#DEBUG_ELF?=1
2727

28-
# Optionally allow downgrade to older valid version in update partition
29-
ALLOW_DOWNGRADE?=0
30-
3128
# Use RISC-V assembly version of ECDSA and SHA
3229
NO_ASM?=0
3330
NO_ARM_ASM?=0
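
Review bot: The removal of `ALLOW_DOWNGRADE?=0` and its comment is unrelated to encryption and is not mentioned in the commit message ("Add update_disk encryption support."). That line was the example's explicit statement that downgrades to an older valid version are not allowed. If it is dropped because the build default already disallows downgrades, say so in the commit message; otherwise keep it so the example config keeps stating the rollback policy.
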
@@ -54,6 +51,10 @@ CFLAGS_EXTRA+=-DDISK_BLOCK_SIZE=0x80000
5451
# DTS (Device Tree)
5552
WOLFBOOT_LOAD_DTS_ADDRESS?=0x8A000000
5653

54+
# Optional Encryption
55+
#ENCRYPT=1
56+
#ENCRYPT_WITH_AES256=1
57+
5758
# Optional EMMC_SD debugging logs
5859
#CFLAGS_EXTRA+=-DDEBUG_MMC
5960
# Optional disk debugging logs
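
Review bot: The new `# Optional Encryption` comment shows only `#ENCRYPT_WITH_AES256=1`, while docs/Targets.md in this same commit lists `ENCRYPT_WITH_AES128=1` and `ENCRYPT_WITH_CHACHA=1` as alternatives. Suggest naming the alternatives in the comment, or pointing at the "PolarFire SoC Encryption" section, so that someone reading only the config knows `ENCRYPT=1` is meant to be paired with one of those algorithm options.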

docs/Targets.md

Lines changed: 92 additions & 1 deletion
@@ -1027,6 +1027,48 @@ sudo dd if=fitImage_v1_signed.bin of=/dev/sdc3 bs=512 status=progress && sudo cm
10271027
sudo dd if=../yocto-dev-polarfire/build/tmp-glibc/deploy/images/mpfs-video-kit/mchp-base-image-sdk-mpfs-video-kit.rootfs.ext4 of=/dev/sdc4 bs=4M status=progress
10281028
```
10291029

1030+
### PolarFire SoC Encryption
1031+
1032+
PolarFire SoC uses MMU mode with disk-based updates. The encryption key is stored in RAM rather than flash.
1033+
1034+
Enable encryption in your configuration with `ENCRYPT=1` and one of: `ENCRYPT_WITH_AES256=1`, `ENCRYPT_WITH_AES128=1`, or `ENCRYPT_WITH_CHACHA=1`.
1035+
1036+
| Algorithm | Key Size | Nonce/IV Size |
1037+
|-----------|----------|---------------|
1038+
| ChaCha20 | 32 bytes | 12 bytes |
1039+
| AES-128 | 16 bytes | 16 bytes |
1040+
| AES-256 | 32 bytes | 16 bytes |
1041+
1042+
The `libwolfboot` API provides the following functions for managing the encryption key:
1043+
1044+
```c
1045+
int wolfBoot_set_encrypt_key(const uint8_t *key, const uint8_t *nonce);
1046+
int wolfBoot_get_encrypt_key(uint8_t *key, uint8_t *nonce);
1047+
int wolfBoot_erase_encrypt_key(void); /* called automatically by wolfBoot_success() */
1048+
```
1049+
1050+
To sign and encrypt an image, create a key file with the concatenated key and nonce, then use the sign tool:
1051+
1052+
```sh
1053+
# Create key file (32-byte key + 16-byte IV for AES-256)
1054+
echo -n "0123456789abcdef0123456789abcdef0123456789abcdef" > enc_key.der
1055+
1056+
# Sign and encrypt
1057+
./tools/keytools/sign --ecc384 --sha384 --aes256 --encrypt enc_key.der \
1058+
fitImage wolfboot_signing_private_key.der 1
1059+
```
1060+
1061+
In your application, set the encryption key before triggering an update:
1062+
1063+
```c
1064+
wolfBoot_set_encrypt_key(enc_key, enc_iv);
1065+
wolfBoot_update_trigger();
1066+
```
1067+
1068+
During boot, wolfBoot decrypts the image headers from disk to select the best candidate, loads and decrypts the full image to RAM, then verifies integrity and authenticity before booting. On successful boot, `wolfBoot_success()` clears the key from RAM.
1069+
1070+
See the [Encrypted Partitions](encrypted_partitions.md) documentation for additional details.
1071+
10301072
### PolarFire Soc Debugging
10311073
10321074
Start GDB server:
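
Review bot: The key-file step in the sign-and-encrypt example writes a fixed printable string, `echo -n "0123456789abcdef0123456789abcdef0123456789abcdef" > enc_key.der`, which readers will copy unchanged; label it as a test-only value and show the file being filled from a random source instead. The section should also say whether the same key and nonce may be reused across image versions, since the nonce lives in the same file as the key and the text gives no guidance. In the application snippet, `wolfBoot_set_encrypt_key()` is declared as returning `int` but its result is ignored before `wolfBoot_update_trigger()`; the example should check it so an update is not triggered when the key was not set. Finally, "The encryption key is stored in RAM rather than flash" does not explain how the key reaches wolfBoot across the reboot that follows the trigger, which is the first thing an integrator will ask.
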
@@ -1102,10 +1144,59 @@ Booting at 80200000
11021144
...
11031145
```
11041146

1147+
### PolarFire Benchmarks
1148+
1149+
RISC-V 64-bit U54 (RV64GC1) 625 MHz
1150+
1151+
```
1152+
------------------------------------------------------------------------------
1153+
wolfSSL version 5.8.4
1154+
------------------------------------------------------------------------------
1155+
Math: Multi-Precision: Wolf(SP) word-size=64 bits=3072 sp_int.c
1156+
Assembly Speedups: RISCVASM ALIGN
1157+
wolfCrypt Benchmark (block bytes 1048576, min 1.0 sec each)
1158+
RNG 5 MiB took 1.232 seconds, 4.058 MiB/s
1159+
AES-128-CBC-enc 10 MiB took 1.182 seconds, 8.457 MiB/s
1160+
AES-128-CBC-dec 10 MiB took 1.166 seconds, 8.573 MiB/s
1161+
AES-192-CBC-enc 10 MiB took 1.378 seconds, 7.257 MiB/s
1162+
AES-192-CBC-dec 10 MiB took 1.362 seconds, 7.344 MiB/s
1163+
AES-256-CBC-enc 10 MiB took 1.569 seconds, 6.373 MiB/s
1164+
AES-256-CBC-dec 10 MiB took 1.556 seconds, 6.426 MiB/s
1165+
AES-128-GCM-enc 10 MiB took 1.956 seconds, 5.113 MiB/s
1166+
AES-128-GCM-dec 10 MiB took 1.955 seconds, 5.115 MiB/s
1167+
AES-192-GCM-enc 5 MiB took 1.075 seconds, 4.650 MiB/s
1168+
AES-192-GCM-dec 5 MiB took 1.074 seconds, 4.654 MiB/s
1169+
AES-256-GCM-enc 5 MiB took 1.172 seconds, 4.268 MiB/s
1170+
AES-256-GCM-dec 5 MiB took 1.170 seconds, 4.275 MiB/s
1171+
GMAC Table 4-bit 15 MiB took 1.133 seconds, 13.245 MiB/s
1172+
CHACHA 20 MiB took 1.107 seconds, 18.064 MiB/s
1173+
CHA-POLY 15 MiB took 1.060 seconds, 14.152 MiB/s
1174+
POLY1305 75 MiB took 1.044 seconds, 71.812 MiB/s
1175+
SHA 20 MiB took 1.139 seconds, 17.561 MiB/s
1176+
SHA-256 10 MiB took 1.069 seconds, 9.350 MiB/s
1177+
SHA-384 15 MiB took 1.072 seconds, 13.994 MiB/s
1178+
SHA-512 15 MiB took 1.072 seconds, 13.990 MiB/s
1179+
SHA-512/224 15 MiB took 1.068 seconds, 14.041 MiB/s
1180+
SHA-512/256 15 MiB took 1.066 seconds, 14.070 MiB/s
1181+
HMAC-SHA 20 MiB took 1.140 seconds, 17.542 MiB/s
1182+
HMAC-SHA256 10 MiB took 1.068 seconds, 9.366 MiB/s
1183+
HMAC-SHA384 15 MiB took 1.066 seconds, 14.076 MiB/s
1184+
HMAC-SHA512 15 MiB took 1.066 seconds, 14.077 MiB/s
1185+
PBKDF2 1 KiB took 1.024 seconds, 1.129 KiB/s
1186+
RSA 2048 public 800 ops took 1.142 sec, avg 1.427 ms, 700.575 ops/sec
1187+
RSA 2048 private 100 ops took 8.450 sec, avg 84.504 ms, 11.834 ops/sec
1188+
DH 2048 key gen 60 ops took 1.010 sec, avg 16.841 ms, 59.379 ops/sec
1189+
DH 2048 agree 100 ops took 3.421 sec, avg 34.211 ms, 29.231 ops/sec
1190+
ECC [ SECP256R1] 256 key gen 100 ops took 1.304 sec, avg 13.039 ms, 76.691 ops/sec
1191+
ECDHE [ SECP256R1] 256 agree 100 ops took 1.299 sec, avg 12.992 ms, 76.970 ops/sec
1192+
ECDSA [ SECP256R1] 256 sign 100 ops took 1.338 sec, avg 13.383 ms, 74.723 ops/sec
1193+
ECDSA [ SECP256R1] 256 verify 200 ops took 1.846 sec, avg 9.231 ms, 108.333 ops/sec
1194+
Benchmark complete
1195+
```
1196+
11051197
### PolarFire TODO
11061198

11071199
* Add eMMC/SD features:
1108-
- Write support
11091200
- eMMC support (not just SD)
11101201
* Add support for reading serial number and modifying ethernet MAC in device tree
11111202
* Add support for QSPI NOR flash
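
Review bot: The "PolarFire Benchmarks" block is pasted without the build configuration that produced it (compiler, optimization level, wolfSSL options); only `Assembly Speedups: RISCVASM ALIGN` is visible, so the figures cannot be reproduced or compared. Please add the configuration used, and confirm that `RV64GC1` in the line above the block is intended rather than `RV64GC` with a stray character. Since this commit adds the encryption options, a sentence tying the numbers to that choice would help: in this run CHACHA reaches 18.064 MiB/s against 6.426 MiB/s for AES-256-CBC-dec, and the block does not say which of the listed AES modes corresponds to the update encryption path.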
