Multiple Encryption Key Files - 2021.1 English

Bootgen User Guide (UG1283)

Document ID
UG1283
Release Date
2021-06-16
Version
2021.1 English

Earlier versions of Bootgen supported creating the boot image by encrypting multiple partitions with a single encryption key. The same key is used over and over again for every partition. This is a security weakness and not recommended. Each key should be used only once in the flow.

Bootgen supports separate encryption keys for each partition. In case of multiple key files, ensure that each encryption key file uses the same Key0 (device key), IV0, and Operational Key. Bootgen does not allow creating boot images if these are different in each encryption key file. You must specify multiple encryption key files, one for each of partition in the image. The partitions are encrypted using the key that is specified for the partition.

Note: You can have unique key files for each of the partition created due to multiple loadable sections by having key file names appended with .1, .2, .n, and so on in the same directory of the key file meant for that partition.

The following snippet shows a sample encryption key file:

all:
{
	[keysrc_encryption] bbram_red_key
	// FSBL (Partition-0)
	[
		bootloader, 
		destination_cpu = a53-0, 
		encryption = aes,
		aeskeyfile = key_p0.nky
		
	]fsbla53.elf
				 
	// application (Partition-1)
	[
		destination_cpu = a53-0,
		encryption = aes,
		aeskeyfile = key_p1.nky
			
	]hello.elf  
}
  • The partition fsbla53.elf is encrypted using the keys from key_p0.nky file.
  • Assuming hello.elf has three partitions because it has three loadable sections, then partition hello.elf.0 is encrypted using keys from the test2.nky file.
  • Partition hello.elf.1 is then encrypted using keys from test2.1.nky.
  • Partition hello.elf.2 is encrypted using keys from test2.2.nky.