Encrypting Versal Device Partitions - 2020.2 English

Bootgen User Guide (UG1283)

Document ID
UG1283
Release Date
2020-12-15
Version
2020.2 English

The Versal™ device uses the AES-GCM core, which supports a 256-bit key. When creating a secure image, each partition in a boot image can optionally be encrypted. The key source and the AES key file are the prerequisites for encryption.

Note: For Versal ACAP, it is mandatory to specify the AES key file and the key source for each partition when encryption is enabled. Based on the key source used, the same Key0 should be used in each of the AES key files specified, and vice versa.

Key Management

Good key management practice includes minimizing the use of secret or private keys. This can be accomplished by using different key/IV pairs across the different partitions in the boot image. The result is that the AES key stored on the device, in either the BBRAM or the eFUSEs, is used for only 384 bits of data, which significantly limits its exposure to side-channel attacks.

all: {
  image
  {
    {type=bootloader, encryption=aes, keysrc=bbram_red_key, aeskeyfile=plm.nky, dpacm_enable, file=plm.elf}
    {type=pmcdata, load=0xf2000000, aeskeyfile = pmc_data.nky, file=pmc_data.cdo}
    {core=psm, file=psm.elf}
    {type=cdo, encryption=aes, keysrc=bbram_red_key, aeskeyfile=ps_data.nky, file=ps_data.cdo}
    {type=cdo, file=subsystem.cdo}
    {core=a72-0, exception_level = el-3, file=a72-app.elf}
  }
}
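The two rules on this page are easy to get wrong across several .nky files: every AES key file named in the BIF must carry the same Key0 (the key that the key source selects on the device), while the per-partition key/IV pairs that follow it should not be reused. The script below is an added example, not Bootgen code: it pulls the aeskeyfile= attributes out of the BIF above and checks the referenced key files against both rules. The .nky layout it parses ("Key N <hex>;" / "IV N <hex>;" lines) is the layout Bootgen-generated key files use, and is an assumption here; the key material in NKY_FILES is constructed for the example and is not real key data.

```python
"""Check the AES key files referenced by a Versal BIF for a consistent Key0.

Added example, not Bootgen's own tooling. Assumes the .nky layout
"Key N <hex>;" / "IV N <hex>;" that Bootgen-generated key files use.
All key and IV values below are constructed placeholders.
"""
import re

KEY_HEX_LEN = 64  # a 256-bit AES key written as hex digits

# The BIF from this page, embedded so the example runs offline.
BIF_TEXT = """
all: {
  image
  {
    {type=bootloader, encryption=aes, keysrc=bbram_red_key, aeskeyfile=plm.nky, dpacm_enable, file=plm.elf}
    {type=pmcdata, load=0xf2000000, aeskeyfile = pmc_data.nky, file=pmc_data.cdo}
    {core=psm, file=psm.elf}
    {type=cdo, encryption=aes, keysrc=bbram_red_key, aeskeyfile=ps_data.nky, file=ps_data.cdo}
    {type=cdo, file=subsystem.cdo}
    {core=a72-0, exception_level = el-3, file=a72-app.elf}
  }
}
"""

def nky(key0, iv0, key1, iv1):
    """Build a constructed .nky file body (stand-in for reading one from disk)."""
    return (f"Device xcvc1902;\nKey 0 {key0};\nIV 0 {iv0};\n"
            f"Key 1 {key1};\nIV 1 {iv1};\n")

# Constructed key files: same Key0 everywhere, distinct Key1/IV1 per partition.
NKY_FILES = {
    "plm.nky":      nky("11" * 32, "a1" * 12, "22" * 32, "b1" * 12),
    "pmc_data.nky": nky("11" * 32, "a2" * 12, "33" * 32, "b2" * 12),
    "ps_data.nky":  nky("11" * 32, "a3" * 12, "44" * 32, "b3" * 12),
}

def aes_key_files(bif_text):
    """Return the aeskeyfile= values named in a BIF, in order of appearance."""
    return re.findall(r"aeskeyfile\s*=\s*([^,}\s]+)", bif_text)

def parse_nky(text):
    """Map ('Key', N) / ('IV', N) to the lower-cased hex value on that line."""
    entries = {}
    pattern = r"^\s*(Key|IV)\s+(\d+)\s+([0-9A-Fa-f]+)\s*;"
    for kind, idx, value in re.findall(pattern, text, re.M):
        entries[(kind, int(idx))] = value.lower()
    return entries

def check_key_files(bif_text, nky_contents):
    """Return a list of problems; an empty list means the key files are consistent."""
    problems = []
    parsed = {}
    for name in aes_key_files(bif_text):
        if name not in nky_contents:
            problems.append(f"{name}: referenced in BIF but not found")
            continue
        entries = parse_nky(nky_contents[name])
        key0 = entries.get(("Key", 0))
        if key0 is None:
            problems.append(f"{name}: no Key 0 entry")
            continue
        if len(key0) != KEY_HEX_LEN:
            problems.append(f"{name}: Key 0 is {len(key0) * 4} bits, expected 256")
        parsed[name] = entries
    # Rule 1 (the note above): every referenced key file must carry the same Key0.
    if len({e[("Key", 0)] for e in parsed.values()}) > 1:
        problems.append("Key 0 differs between files: " + ", ".join(sorted(parsed)))
    # Rule 2 (key management): per-partition key/IV pairs should not be reused.
    seen = {}
    for name, entries in parsed.items():
        for (kind, idx), value in entries.items():
            if kind != "Key" or idx == 0:
                continue
            pair = (value, entries.get(("IV", idx)))
            if pair in seen:
                problems.append(f"{name}: Key {idx}/IV {idx} pair reused from {seen[pair]}")
            else:
                seen[pair] = name
    return problems

if __name__ == "__main__":
    for problem in check_key_files(BIF_TEXT, NKY_FILES) or ["key files consistent"]:
        print(problem)
```

Run it before invoking bootgen; a non-empty list points at the key file to fix. The Key0 comparison is the one that matters for a booting image, since the device decrypts with the key its key source selects; the reuse check only flags a departure from the key-rolling practice described above.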