BIF File for Obfuscated Form (Gray) Key Stored in eFUSE - 2021.2 English

Zynq UltraScale+ MPSoC Software Developer Guide

Document ID
Release Date
2021.2 English

If you would like to have the device key store in obfuscated form, you can encrypt the actual red key with the family key which is an encryption key. Device will decrypt the obfuscated key to get the actual red key. Hence, you need to provide the required inputs to Bootgen. The obfuscated key can be stored in either eFUSE or the Boot Header.

For more details, see Storing Keys in Obfuscated Form (Gray) section in the Zynq UltraScale+ Device Technical Reference Manual (UG1085).

Note: The family key is the same for all devices within a given Zynq UltraScale+ MPSoCs family. This solution allows you to distribute the obfuscated key to contract manufacturer's without disclosing the actual user key.

The following example shows storage of the obfuscated key in eFUSE:

[aeskeyfile]	red.nky 
[keysrc_encryption] efuse_gry_key 
[bh_key_iv] bhkeyiv.txt
[bootloader, encryption=aes, destination_cpu=a53-0]	fsbl.elf

The following example shows storage of the obfuscated form (gray) key in boot header:

[aeskeyfile]	red.nky [keysrc_encryption] bh_gry_key [bh_key_iv] bhkeyiv.txt
[bh_keyfile]	bhkey.txt
[bootloader, encryption=aes, destination_cpu=a53-0]	fsbl.elf

To Generate Obfuscated Key with Family Key:

Use Xilinx tools (Bootgen) to create the Obfuscated key. However, the family key is not distributed with the Xilinx development tools. It is provided separately. The family key received from Xilinx should be provided in the bif as shown in the example below.

Important: To receive the family key, please contact

Sample bif to generate Obfuscated key:

[aeskeyfile] aes.nky 
[familykey] familyKey.cfg 
[bh_key_iv] bhiv.txt

For more information, see Bootgen User Guide (UG1283)

Using Bootgen to Generate Keys

If you are using Bootgen to create keys, NIST approved KDF is used, which is Counter Mode KDF with CMAC as the PRF.

With a Single Key/IV pair:

  • If seed is specified - Key Generation is based on Seed.
  • If seed is NOT specified - Key Generation is based on Key0.
Important: For production devices, make sure that the Seed or Key0 has been generated by a cryptographically strong generator such as a true random number generator.

If an empty file is mentioned, Bootgen generates a seed with time based randomization. This is not a standard like the KDF. This seed will in turn be the input for KDF to generate the Key/IV pairs.