The user key is encrypted with the family key, which is embedded in the metal layers of the device. This family key is the same for all devices in the Zynq® UltraScale+™ MPSoC. The result is referred to as the obfuscated key. The obfuscated key can reside in either the Authenticated Boot Header or in eFUSEs.
```
image:
{
    [keysrc_encryption] efuse_gry_key
    [bh_key_iv] bhiv.txt
    [
        bootloader,
        destination_cpu = a53-0,
        encryption = aes,
        aeskeyfile = aes_p1.nky
    ] fsbl.elf
    [
        destination_cpu = r5-0,
        encryption = aes,
        aeskeyfile = aes_p2.nky
    ] hello.elf
}
```
Bootgen does the following while creating an image:
- Places the IV from bhiv.txt in the field BH IV in Boot Header.
- Places the IV 0 from aes.nky in the field "Secure Header IV" in Boot Header.
- Encrypts the partition, with Key0 and IV0 from aes.nky.
Another example of using the gray/family key is found in Use Cases and Examples.
For more details about this feature, refer to the Zynq UltraScale+ Device Technical Reference Manual (UG1085).
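As an added example (not Xilinx or Bootgen code), the following Python check lints a BIF like the one above before it is handed to Bootgen: it flags a gray key source with no `[bh_key_iv]` file and two encrypted partitions that share one `.nky` file, since both would then be encrypted with the same Key0 and IV0. Assumptions: the function names and the `BAD_BIF` variant are constructed here, `bh_gry_key` is the boot-header counterpart of `efuse_gry_key` and does not appear on this page, and the parser covers only the BIF subset shown above.

```python
import re

# Constructed samples: the page's BIF, and a bad variant with no BH IV file
# and one .nky file shared by both partitions.
PAGE_BIF = """image:
{
    [keysrc_encryption] efuse_gry_key
    [bh_key_iv] bhiv.txt
    [bootloader, destination_cpu = a53-0, encryption = aes, aeskeyfile = aes_p1.nky] fsbl.elf
    [destination_cpu = r5-0, encryption = aes, aeskeyfile = aes_p2.nky] hello.elf
}"""
BAD_BIF = PAGE_BIF.replace("    [bh_key_iv] bhiv.txt\n", "").replace("aes_p2.nky", "aes_p1.nky")

IMAGE_KEYS = {"keysrc_encryption", "bh_key_iv"}   # image-level attributes used on this page
GRAY_SOURCES = {"efuse_gry_key", "bh_gry_key"}    # bh_gry_key: assumption, not on this page

def parse_bif(text):
    """Parse the BIF subset used on this page into (image_attrs, partitions)."""
    body = text[text.index("{") + 1 : text.rindex("}")]
    image_attrs, partitions = {}, []
    for attrs, target in re.findall(r"\[([^\]]*)\]\s*(\S+)", body):
        fields = [f.strip() for f in attrs.split(",") if f.strip()]
        if len(fields) == 1 and fields[0] in IMAGE_KEYS:
            image_attrs[fields[0]] = target        # e.g. [bh_key_iv] bhiv.txt
            continue
        part = {"file": target}
        for f in fields:
            key, _, val = f.partition("=")
            part[key.strip()] = val.strip() or True   # bare flags such as "bootloader"
        partitions.append(part)
    return image_attrs, partitions

def lint_gray_key_bif(text):
    """Return a list of findings; an empty list means every check passed."""
    image_attrs, partitions = parse_bif(text)
    findings = []
    if image_attrs.get("keysrc_encryption") in GRAY_SOURCES and "bh_key_iv" not in image_attrs:
        findings.append("gray key source selected but no [bh_key_iv] file for the BH IV field")
    seen = {}                                      # .nky file -> first partition using it
    for p in (q for q in partitions if q.get("encryption") == "aes"):
        nky = p.get("aeskeyfile")
        if not nky:
            findings.append(f"{p['file']}: encryption = aes without aeskeyfile")
        elif seen.setdefault(nky, p["file"]) != p["file"]:
            findings.append(f"{p['file']}: reuses {nky} from {seen[nky]} (same Key0/IV0)")
    return findings

if __name__ == "__main__":
    for name, bif in (("page BIF", PAGE_BIF), ("bad BIF", BAD_BIF)):
        print(name, lint_gray_key_bif(bif) or "ok")
```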