Design Advisory for Zynq-7000 AP SoC: Power-On/-Off Sequence Requirements for PS eFUSE Integrity

Zynq encryption: the power-on/power-off sequencing needs special attention.

http://www.xilinx.com/support/answers/65240.html


Description

Under certain conditions, during power-on and power-off the integrity of the Zynq-7000 AP SoC PS eFUSE settings can be affected.

If ALL of the following occur, then the integrity of the Zynq-7000 AP SoC PS eFUSE settings can be affected:

  1. The recommended power-on and power-off sequences are not met
  2. PS_CLK is running during power-on and/or power-off
  3. PS_POR_B is not asserted as required during PS power-on or PS_POR_B is not asserted during power-off

Symptoms can include the following:

  • Failure to boot due to unintended enable of RSA authentication or incorrect RSA PPK hash value
  • Longer than expected boot times due to unintended enable of OCM ROM 128KB CRC check
  • Error during PS eFUSE programming due to unintended write-protect setting or blank check error

Solution

Zynq-7000 AP SoC designs should be evaluated for potential impact to PS eFUSE integrity.

See the sections below for methods to evaluate potential impact.

How do I evaluate if my design is impacted during power-on?

If the answers to ALL three of the following power-on test questions are NO, then the PS eFUSE integrity might be impacted during power-on.

See the "When further analysis is needed" section below.

  • Power-on test 1: Does PS_POR_B meet the datasheet requirements for power-on and is asserted low (GND) until VCCPINT, VCCPAUX, and VCCO_MIO0 have reached their minimum voltage levels? If YES, then NO RISK. Passing this test is represented in solution 1.
  • Power-on test 2: Is the PS reference clock (PS_CLK) inactive until VCCPINT has reached 0.80V? If YES, then NO RISK. Passing this test is represented in solution 2.
  • Power-on test 3: Does the power supply sequence follow the recommended power-on sequence (1: VCCPINT, 2: VCCPAUX, 3: VCCO_MIO0)? 
    VCCPINT must reach 0.80V before both VCCPAUX reaches 0.70V and VCCO_MIO0 reaches 0.90V. 
    If YES, then NO RISK. Passing this test is represented in solution 3.

How do I evaluate if my design is impacted during power-off?

If the answers to ALL four of the following power-off tests are NO, then the PS eFUSE integrity might be impacted during power-off.

See the "When further analysis is needed" section below.

  • Power-off test 1: Is PS_POR_B asserted (GND) before VCCPINT reaches 0.80V and held asserted until VCCPINT is lower than 0.40V or VCCPAUX is lower than 0.70V or VCCO_MIO0 is lower than 0.90V? 
    If YES, then NO RISK. Passing this test is represented in solution 4.
  • Power-off test 2: Is the PS reference clock (PS_CLK) inactive before VCCPINT has reached 0.80V? 
    If YES, then NO RISK. Passing this test is represented in solution 5.
  • Power-off test 3: Does the power supply sequence follow the recommended power-off sequence (1: VCCO_MIO0, 2: VCCPAUX, 3: VCCPINT)? That is, does VCCO_MIO0 reach 0.90V or VCCPAUX reach 0.70V before VCCPINT reaches 0.80V? 
    If YES, then NO RISK. Passing this test is represented in solution 6.
  • Power-off test 4: Is PS_POR_B held de-asserted (VCCO_MIO0) and are the voltage ramp-downs on VCCPINT, VCCPAUX and VCCO_MIO0 monotonic until at least one of the supplies reaches and stays below 0.40V, 0.70V and 0.90V respectively? 
    If YES, then NO RISK. Passing this test is represented in solution 7.
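An added example (not part of the Xilinx advisory or its attachments): tests 2 and 3 from the power-on and power-off lists above, evaluated over sampled scope captures with the thresholds the advisory quotes. The sample captures, field names and function names are constructed for illustration; the PS_POR_B tests are left out because they depend on data sheet limits not given on this page, and power-on and power-off are expected as separate captures.

```python
# Thresholds quoted in the advisory, in volts.
TH = {"vccpint": 0.80, "vccpaux": 0.70, "vcco_mio0": 0.90}
NEVER = float("inf")

def crossing(samples, rail, rising):
    """Time (ms) of the first sample at/above (rising) or below (falling) the threshold."""
    for s in samples:
        if (s[rail] >= TH[rail]) == rising:
            return s["t"]
    return NEVER

def power_on_tests(samples):
    t_int = crossing(samples, "vccpint", True)
    return {
        # Test 2: PS_CLK inactive until VCCPINT has reached 0.80 V.
        "test2_clk_gated": all(not s["clk"] for s in samples if s["t"] < t_int),
        # Test 3: VCCPINT at 0.80 V before VCCPAUX at 0.70 V and VCCO_MIO0 at 0.90 V.
        "test3_sequence": t_int < min(crossing(samples, "vccpaux", True),
                                      crossing(samples, "vcco_mio0", True)),
    }

def power_off_tests(samples):
    t_int = crossing(samples, "vccpint", False)
    return {
        # Test 2: PS_CLK already inactive when VCCPINT drops below 0.80 V.
        "test2_clk_gated": all(not s["clk"] for s in samples if s["t"] >= t_int),
        # Test 3: VCCO_MIO0 below 0.90 V or VCCPAUX below 0.70 V before VCCPINT below 0.80 V.
        "test3_sequence": min(crossing(samples, "vcco_mio0", False),
                              crossing(samples, "vccpaux", False)) < t_int,
    }

def relies_on_por_b(results):
    """True when neither test passes, so only the PS_POR_B tests can still clear the design."""
    return not any(results.values())

def capture(rows):
    keys = ("t", "vccpint", "vccpaux", "vcco_mio0", "clk")
    return [dict(zip(keys, r)) for r in rows]

# Constructed samples (t in ms, rail volts, PS_CLK toggling), not real measurements.
POWER_ON = capture([(0.0, 0.00, 0.00, 0.00, False), (1.0, 0.30, 0.80, 0.20, False),
                    (2.0, 0.85, 1.50, 0.95, False), (3.0, 1.00, 1.80, 1.80, True)])
POWER_OFF = capture([(0.0, 1.00, 1.80, 1.80, True), (1.0, 0.70, 1.70, 1.75, True),
                     (2.0, 0.30, 0.60, 0.80, True), (3.0, 0.00, 0.00, 0.00, False)])

if __name__ == "__main__":
    print("power-on :", power_on_tests(POWER_ON))
    print("power-off:", power_off_tests(POWER_OFF))
```

In the constructed power-on capture the gated clock alone satisfies test 2; in the power-off capture neither test passes, so that design would depend entirely on how PS_POR_B is driven.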

For systems exhibiting the symptoms, how do I check the integrity of my PS eFUSE?

See the Attachments section below for an XMD script that can read the PS eFUSE array for determining whether any PS eFUSE settings are different to the expected settings.

Follow the instructions in the ReadMe.txt file in the attachment.

When further analysis is needed for existing board designs

For further analysis of an existing board design, open a Xilinx Support Service Request and prepare to share the following:

  • Symptoms, if any, of the issue.
  • If symptoms are observed, then you will need the PS eFUSE array condition (ps_efuse.log file).  
    Get this by running the attached zynq_efuse_read_normal.zip utility. See the Attachments section.
  • 4-channel scope shots of PS_POR_B, VCCPINT, VCCPAUX, VCCO_MIO0
    • Zoom into power-on sequence
    • Zoom into power-off sequence
  • Scope shot of PS_CLK activity relative to one or more of the above channels for power-on and power-off

Available Solutions for Ensuring PS eFUSE Integrity

Multiple solutions are available to ensure PS eFUSE integrity. At least one solution for power-on and at least one solution for power-off must be satisfied to ensure PS eFUSE integrity.

These solutions are classified into the following categories:

  • Controlling PS_POR_B during power-on (solution 1) and power-off (solution 4) ramping phases
  • Controlling PS_CLK during power-on (solution 2) and power-off (solution 5) ramping phases
  • Controlling power-on (solution 3) and power-off (solution 6) sequences

Solution 1 for Power-On:

Meet the data sheet requirement for PS_POR_B. 
The PS_POR_B is required to be asserted until the VCCPINT, VCCPAUX and VCCO_MIO0 have reached minimum operating levels.

In addition, review the PS reset assertion timing requirements in the data sheet for concerns regarding (Xilinx Answer 63149)



Solution 2 for Power-On:

Disable PS reference clock (PS_CLK) until VCCPINT > 0.80V.

Solution 3 for Power-On:

Follow the recommended PS power-on sequence in the data sheet.

Specifically, to ensure PS eFUSE integrity, VCCPINT must reach 0.80V before both VCCPAUX reaches 0.70V and VCCO_MIO0 reaches 0.90V.

Solution 4 for Power-Off:

Assert PS_POR_B to GND before VCCPINT reaches 0.80V and hold asserted until VCCPINT is lower than 0.40V, VCCPAUX is lower than 0.70V, or VCCO_MIO0 is lower than 0.90V.

Solution 5 for Power-Off:

Disable the PS reference clock (PS_CLK) before VCCPINT < 0.80V.

Solution 6 for Power-Off:

Follow the recommended PS power-off sequence in the data sheet.

Specifically, to ensure PS eFUSE integrity, VCCO_MIO0 must reach 0.90V or VCCPAUX must reach 0.70V before VCCPINT reaches 0.80V.

Solution 7 for Power-Off:

PS_POR_B is held de-asserted (VCCO_MIO0) and the voltage ramp-downs on VCCPINT, VCCPAUX and VCCO_MIO0 are monotonic until at least one of the supplies reaches and stays below 0.40V, 0.70V and 0.90V respectively.

PVT CONSIDERATION:

The above conditions for power on and power off must be satisfied for any variations in process, voltage and temperature.

The limits on VCCPINT, VCCPAUX and VCCMIO have been characterized considering different PVT conditions.

However, the user needs to confirm any variations on PS_CLK or PS_POR_B will not trigger a failing condition under different PVT scenarios.

Attachments

Associated Attachments

Name File Size File Type
zynq_efuse_read_normal.zip 832 KB ZIP
AR65240_-_Example_PS_POR_B_Supervisor_Circuit.pdf 187 KB PDF

https://www.xilinx.com/support/answers/63149.html

Description

On initial device power-up, when PS_POR_B de-asserts within a certain timing window relative to the power-up of the last PL power supply (VCCINT, VCCBRAM, VCCAUX or VCCO_0), the device can enter the Secure Lockdown state, which prevents boot from completing per the lockdown specification.

This window is defined as a minimum and maximum time relative to the last PL power supply ramp:

 

Tslw (min) = Time from last PL power supply reaching 250 mV to start of Secure Lockdown Window

Tslw (max) = Time from last PL power supply reaching 250 mV to end of Secure Lockdown Window

 

[Image: 63149.png]

Solution

How do I evaluate if my system is impacted?
  
Tests 1 and 2 below can be performed on design specifications or optionally on hardware to evaluate if a specific system is impacted.
 
Important Test Assumptions: eFuse for 128K CRC is not enabled AND PLLs are not bypassed.
  

Steps for hardware testing:
 
  • Identify probe points for PS_POR_B, VCCINT (PL), VCCAUX (PL), VCCBRAM, VCCO_0 (PL).
  • For PL supply, identify the probe points near to the die, typically on the supply bypass capacitor.
  • Use an oscilloscope to measure the relative time between the signals for Test 1 and Test 2.
 
[Image: 631492.png]

In the "Possible Risk" scenario, the power up sequence and de-assertion timing of PS_POR_B must be analyzed to determine if it falls within the Secure Lockdown timing window (Tslw).  
The Tslw min/max values are dependent on several system level factors (Zynq-7000 AP SoC Device, PS_CLK frequency, and PL power supply ramp time). 
 
A Power Up Timing Spreadsheet Calculator has been created to determine this range based on the values from the customer's system. This spreadsheet is attached.
 
As an example, a 7Z020 device with a 33.33 MHz PS_CLK and a 6ms PL power supply ramp time has a Secure Lockdown timing window (Tslw) of 13.45ms to 38.99ms after the last PL power supply started to ramp.
 
If PS_POR_B is de-asserted during this window, the device can enter Secure Lockdown state.
If PS_POR_B is de-asserted either before or after this window, the device is not exposed to this behavior.
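An added example (not from the Xilinx answer record or its spreadsheet): locating the PS_POR_B de-assertion relative to the last PL supply reaching 250 mV in a sampled capture and comparing it with the window from the 7Z020 example above. The waveform is constructed, the field and function names are hypothetical, and `por_high_v` is an assumed scope threshold for treating PS_POR_B as de-asserted.

```python
PL_RAILS = ("vccint", "vccbram", "vccaux", "vcco_0")
REF_LEVEL_V = 0.250          # Tslw is measured from the last PL rail reaching 250 mV
TSLW_MS = (13.45, 38.99)     # the page's 7Z020 / 33.33 MHz / 6 ms ramp example

def first_time_at_or_above(samples, key, level):
    return next((s["t"] for s in samples if s[key] >= level), None)

def lockdown_exposure(samples, por_high_v, window_ms=TSLW_MS):
    """Classify the PS_POR_B de-assertion against the Secure Lockdown window."""
    ramps = [first_time_at_or_above(samples, r, REF_LEVEL_V) for r in PL_RAILS]
    release = first_time_at_or_above(samples, "ps_por_b", por_high_v)
    if None in ramps or release is None:
        return {"verdict": "incomplete capture"}
    # The reference is the LAST PL rail to reach 250 mV, not the first.
    offset = round(release - max(ramps), 3)
    lo, hi = window_ms
    verdict = "inside window" if lo <= offset <= hi else "outside window"
    margin = round(min(abs(offset - lo), abs(offset - hi)), 3)
    return {"verdict": verdict, "offset_ms": offset, "margin_ms": margin}

def ramp(t, start, dur, vmax):
    """Linear supply ramp clamped to 0..vmax."""
    return max(0.0, min(vmax, (t - start) / dur * vmax))

def capture(por_release_ms):
    """Constructed waveform: 6 ms linear ramps, VCCO_0 starting last at t = 4 ms."""
    rows = []
    for i in range(1200):                      # 60 ms at 50 us per sample
        t = i / 20
        rows.append({"t": t,
                     "vccint": ramp(t, 0, 6, 1.0), "vccbram": ramp(t, 1, 6, 1.0),
                     "vccaux": ramp(t, 2, 6, 1.8), "vcco_0": ramp(t, 4, 6, 3.3),
                     "ps_por_b": 1.8 if t >= por_release_ms else 0.0})
    return rows

if __name__ == "__main__":
    for release in (24.5, 50.0):
        print(release, lockdown_exposure(capture(release), por_high_v=0.9))
```

The margin value shows how far the measured de-assertion sits from the nearest window edge, which is the number to re-check across supply ramp and PS_CLK variations.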
 
How to confirm that boot did not complete because of this event?
 
All of the following specific symptoms need to be present to confirm this issue is the root cause:
 
1. If you do an initial power-up AND
2. If you see a hang during boot AND
3. If you do not see an access to your boot device AND
4. If you see the PL JTAG TAP in the JTAG chain AND
5. If you do not see the PS JTAG TAP in the JTAG chain AND
6. INIT_B goes HIGH and stays HIGH after secure lockdown AND
7. If PS_POR_B de-assertion falls inside the Secure Lockdown window
 
What solutions are available?
 
Xilinx has created multiple solutions to avoid the Secure Lockdown Window.
The solutions have been classified into the following categories.
 
  • Change timing relationship between last PL power ramp and PS_POR_B using PCB level circuits (Preferred Solution)
  • Change PS BootROM code execution time (*) to shift the window by
    • enabling 128K CRC check by burning a PS eFuse bit
    • enabling PLL Bypass (**)

IMPORTANT: Contact your local Xilinx FAE or open a support webcase for further assistance.
Please, open a webcase with "Secure Lockdown Window" in the title ONLY after collecting the following:

  •  Results of the attached spreadsheet analysis (a snapshot of the timing in the spreadsheet)
  •  Scope-shots of PS_POR_B, VCCINT (PL), VCCAUX (PL), VCCBRAM, VCCO_0 (PL) and INIT_B (the time relationship between the signals is required)
 
NOTES:
 
(*): Changing the PS BootROM code execution time in systems that have stringent startup timing may not be desirable.
Longer execution times can be mitigated by using the register initialization functionality to optimize boot time (refer to Chapter 3 of the Zynq 7000 Software Developers Guide and section 6.3.3 of the Zynq 7000 Technical Reference Manual).
 
(**): A patch for 2014.4 FSBL is required for this method. See (Xilinx Answer 63576).
