Zynq UltraScale+ MPSoCs has a 256-bit AES-GCM hardware engine that supports confidentiality of your boot images, and can also be used by you post-boot to encrypt and decrypt your data.
The AES cryptographic engine has access to a diverse set of key sources. For more information on the key sources, see Zynq UltraScale+ Device Technical Reference Manual (UG1085).
The red key is used to encrypt the image. During the generation of the boot file
(BOOT.bin), the red key, and the initialization
vector (IV) must be provided to the Bootgen tool in .nky
file format.
PMU firmware can be loaded by CSU bootROM or FSBL. The CSUROM treats the FSBL and PMU firmware as separate partitions and hence, decrypts each of them individually. If both the FSBL and PMU firmware are encrypted, the AES Key/IV will be reused, which is a violation of the standard.
The following BIF file is for encrypted image, where PMU firmware is loaded by FSBL:
the_ROM_image:
{
[aeskeyfile] bbram.nky [keysrc_encryption] bbram_red_key
[bootloader, encryption=aes, destination_cpu=a53-0] ZynqMP_Fsbl.elf [destination_cpu = pmu, encryption=aes] pmufw.elf
}