Using Op Key to Protect the Device Key in a Development Environment - 2021.2 English

Zynq UltraScale+ MPSoC Software Developer Guide

Document ID
UG1137
Release Date
2021-10-27
Version
2021.2 English
The following steps provide a solution in a scenario where two development teams Team-A (secure team), which manages the secret red key and Team-B (non-secure team) work collaboratively to build an encrypted image without sharing the secret red key. Team-A manages the secret red key. Team-B builds encrypted images for development and test. However, it does not have access to the secret red key.

Team-A encrypts the boot loader with the device key (using the Op Key option) and delivers the encrypted bootloader to Team-B. Team-B encrypts all the other partitions using the Op Key.

Team-B takes the encrypted partitions that they created and the encrypted boot loader they received from the Team-A and uses Bootgen to ‘stitch’ everything together into a single boot.bin.

The following procedures describe the steps to build an image:

Procedure 1

In the initial step, Team-A encrypts the boot loader with the device key using the opt_key option, delivers the encrypted boot loader to Team-B. Now, Team-B can create the complete image at a go with all the partitions and the encrypted boot loader using the operational key as device key.

  1. Encrypt boot loader with device key:
    bootgen -arch zynqmp -image stage1.bif -o fsbl_e.bin -w on -log error

    Example stage1.bif:

    stage1:
    {
    [aeskeyfile] aes.nky 
    [fsbl_config] opt_key 
    [keysrc_encryption] bbram_red_key
    [bootloader,destination_cpu=a53-0,encryption=aes]fsbl.elf
    }
    

    Example aes.nky for stage1:

    Device xc7z020clg484;
    Key 0 AD00C023E238AC9039EA984D49AA8C819456A98C124AE890ACEF002100128932;
    IV 0 F7F8FDE08674A28DC6ED8E37;
    Key Opt 229C993D1310DD27B6713749B6D07FCF8D3DCA01EC9C64778CBAF457D613508F;
    
  2. Attach the encrypted boot loader and rest of the partitions with the operational key as device key to form a complete image:
    bootgen -arch zynqmp -image stage2a.bif -o final.bin -w on -log error

    Example of stage2.bif:

    stage2:
    {
    [aeskeyfile] aes-opt.nky 
    [bootimage]fsbl_e.bin
    [destination_cpu=a53-0,encryption=aes]hello.elf 
    [destination_cpu=a53-1,encryption=aes]hello1.elf
    }
    

    Example aes-opt.nky for stage2:

    Device xc7z020clg484;
    Key 0 229C993D1310DD27B6713749B6D07FCF8D3DCA01EC9C64778CBAF457D613508F;
    IV 0 F7F8FDE08674A28DC6ED8E37;
    

Procedure 2

In the initial step, Team-A encrypts the boot loader with the device key using the opt_key option and delivers the encrypted boot loader to Team-B. Now, Team-B can create encrypted images for each partition independently, using the operational key as the device key. Finally, Team-B can use Bootgen to stitch all the encrypted partitions and the encrypted boot loader, to get the complete image.

  1. Encrypt boot loader with device key:
    bootgen -arch zynqmp -image stage1.bif -o fsbl_e.bin -w on -log error

    Example stage1.bif:

    stage1:
    {
    [aeskeyfile] aes.nky 
    [fsbl_config] opt_key 
    [keysrc_encryption] bbram_red_key
    [bootloader,destination_cpu=a53-0,encryption=aes]fsbl.elf
    }
    

    Example aes.nky for stage1:

    Device xc7z020clg484;
    Key 0 AD00C023E238AC9039EA984D49AA8C819456A98C124AE890ACEF002100128932;
    IV 0 F7F8FDE08674A28DC6ED8E37;
    Key Opt 229C993D1310DD27B6713749B6D07FCF8D3DCA01EC9C64778CBAF457D613508F;
    
  2. Encrypt the rest of the partitions with operational key as device key:
    bootgen -arch zynqmp -image stage2a.bif -o hello_e.bin -w on -log error

    Example of stage2a.bif:

    stage2a:
    {
    [aeskeyfile] aes-opt.nky
    [destination_cpu=a53-0,encryption=aes]hello.elf
    }
    bootgen -arch zynqmp -image stage2b.bif -o hello1_e.bin -w on -log error
    

    Example of stage2b.bif:

    stage2b:
    {
    [aeskeyfile] aes-opt.nky
    [destination_cpu=a53-1,encryption=aes]hello1.elf
    

    Example of aes-opt.nky for stage2a and stage2b:

    Device xc7z020clg484;
    Key 0 229C993D1310DD27B6713749B6D07FCF8D3DCA01EC9C64778CBAF457D613508F;
    IV 0 F7F8FDE08674A28DC6ED8E37;
    
  3. Use Bootgen to stitch the above to form a complete image:

    Example of stage3.bif:

    stage3:
    {
    [bootimage]fsbl_e.bin [bootimage]hello_e.bin [bootimage]hello1_e.bin
    }
    
Note: Key Opt of aes.nky is same as Key 0 in aes-opt.nky and IV 0 must be same in both nky files.