Paper 2017/625

How to Break Secure Boot on FPGA SoCs through Malicious Hardware

Nisha Jacob, Johann Heyszl, Andreas Zankl, Carsten Rolfes, and Georg Sigl


Embedded IoT devices are often built upon large system on chip computing platforms running a significant stack of software. For certain computation-intensive operations such as signal processing or encryption and authentication of large data, chips with integrated FPGAs, FPGA SoCs, which provide high performance through configurable hardware designs, are used. In this contribution, we demonstrate how an FPGA hardware design can compromise the important secure boot process of the main software system to boot from a malicious network source instead of an authentic signed kernel image. This significant and new threat arises from the fact that the CPU and FPGA are connected to the same memory bus, so that FPGA hardware designs can interfere with secure boot routines on FPGA SoCs that are without any interruption on regular SoCs. An enabling factor is that integrated hardware designs are likely bought from external partners and there is a realistic lack of security review at the system integrators. This facilitates flaws or even unwanted functionality in such hardware designs. We perform a proof of concept on a Xilinx Zynq-7000 FPGA SoC, and the threat can be generalized to other devices. We also present as effective mitigation, an easy-to-review and re-usable wrapper module which prevents any unauthorized memory access by included hardware designs.

Note: Camera ready version for CHES 2017

Available format(s)
Publication info
Published by the IACR in CHES 2017
FPGA SoCssecure boothardware designoutsourcedthreat
Contact author(s)
nisha jacob @ aisec fraunhofer de
2017-06-27: received
Short URL
Creative Commons Attribution


      author = {Nisha Jacob and Johann Heyszl and Andreas Zankl and Carsten Rolfes and Georg Sigl},
      title = {How to Break Secure Boot on FPGA SoCs through Malicious Hardware},
      howpublished = {Cryptology ePrint Archive, Paper 2017/625},
      year = {2017},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.