Using Op Key to Protect the Device Key in a Development Environment - 2021.2 English

Bootgen User Guide (UG1283)

Document ID: UG1283
Release Date: 2021-10-22
Version: 2021.2 English

The following steps provide a solution for a scenario in which two development teams work collaboratively to build an encrypted image without sharing the secret red key: Team-A (the secure team), which manages the secret red key, and Team-B (the not-so-secure team), which builds encrypted images for development and test but does not have access to the secret red key.

Team-A encrypts the boot loader with the device key (using the opt_key option) and delivers the encrypted boot loader to Team-B. Team-B encrypts all the other partitions using the operational key (Op key).

Team-B takes the encrypted partitions that it created and the encrypted boot loader that it received from Team-A, and uses bootgen to stitch everything together into a single boot.bin.

The following procedures describe the steps to build an image:

Procedure-1

In the initial step, Team-A encrypts the boot loader with the device key using the opt_key option and delivers the encrypted boot loader to Team-B. Team-B can then create the complete image in one go, with all the partitions and the encrypted boot loader, using the operational key as the device key.

  1. Encrypt the boot loader with the device key:
    bootgen -arch zynqmp -image stage1.bif -o fsbl_e.bin -w on -log error
    Example stage1.bif:
    stage1:
    {
    	[fsbl_config] opt_key
    	[keysrc_encryption] bbram_red_key
    	[
    	  bootloader,
    	  destination_cpu=a53-0,
    	  encryption=aes,aeskeyfile=aes.nky
    	] fsbl.elf
    }
    Example aes.nky for stage1:
    Device xc7z020clg484;
    Key 0 AD00C023E238AC9039EA984D49AA8C819456A98C124AE890ACEF002100128932;
    IV 0 F7F8FDE08674A28DC6ED8E37;
    Key Opt 229C993D1310DD27B6713749B6D07FCF8D3DCA01EC9C64778CBAF457D613508F;
  2. Attach the encrypted boot loader and the rest of the partitions, with the operational key as the device key, to form a complete image:
    bootgen -arch zynqmp -image stage2.bif -o final.bin -w on -log error
    Example of stage2.bif:
    stage2:
    {
    	[bootimage]fsbl_e.bin
    	
    	[
    	  destination_cpu=a53-0,
    	  encryption=aes,
    	  aeskeyfile=aes-opt.nky
    	] hello.elf
    	
    	[
    	  destination_cpu=a53-1,
    	  encryption=aes,
    	  aeskeyfile=aes-opt1.nky
    	] hello1.elf
    }
    Example aes-opt.nky for stage2:
    Device xc7z020clg484;
    Key 0 229C993D1310DD27B6713749B6D07FCF8D3DCA01EC9C64778CBAF457D613508F;
    IV 0 F7F8FDE08674A28DC6ED8E37;

Procedure-2

In the initial step, Team-A encrypts the boot loader with the device key using the opt_key option and delivers the encrypted boot loader to Team-B. Team-B can then create an encrypted image for each partition independently, using the operational key as the device key. Finally, Team-B uses bootgen to stitch all the encrypted partitions and the encrypted boot loader together to get the complete image.

  1. Encrypt the boot loader with the device key:
    bootgen -arch zynqmp -image stage1.bif -o fsbl_e.bin -w on -log error
    Example stage1.bif:
    stage1:
    {
    	[fsbl_config] opt_key
    	[keysrc_encryption] bbram_red_key
    	
    	[
    	  bootloader,
    	  destination_cpu=a53-0,
    	  encryption=aes,aeskeyfile=aes.nky
    	] fsbl.elf
    }
    Example aes.nky for stage1:
    Device xc7z020clg484;
    Key 0 AD00C023E238AC9039EA984D49AA8C819456A98C124AE890ACEF002100128932;
    IV 0 F7F8FDE08674A28DC6ED8E37;
    Key Opt 229C993D1310DD27B6713749B6D07FCF8D3DCA01EC9C64778CBAF457D613508F;
  2. Encrypt the rest of the partitions with the operational key as the device key:
    bootgen -arch zynqmp -image stage2a.bif -o hello_e.bin -w on -log error
    Example of stage2a.bif:
    stage2a:
    {
    	[
    	  destination_cpu=a53-0,
    	  encryption=aes,
    	  aeskeyfile=aes-opt.nky
    	] hello.elf
    }
    bootgen -arch zynqmp -image stage2b.bif -o hello1_e.bin -w on -log error
    Example of stage2b.bif:
    stage2b:
    {
    	[aeskeyfile] aes-opt.nky
    	[
    	  destination_cpu=a53-1,
    	  encryption=aes,
    	  aeskeyfile=aes-opt.nky
    	] hello1.elf
    }
    Example of aes-opt.nky for stage2a and stage2b:
    Device xc7z020clg484;
    Key 0 229C993D1310DD27B6713749B6D07FCF8D3DCA01EC9C64778CBAF457D613508F;
    IV 0 F7F8FDE08674A28DC6ED8E37;
  3. Use bootgen to stitch the encrypted images from the steps above together to form a complete image:
    Example of stage3.bif:
    stage3:
    {
    	[bootimage]fsbl_e.bin
    	[bootimage]hello_e.bin
    	[bootimage]hello1_e.bin
    }
    Note: The Key Opt value in aes.nky is the same as Key 0 in aes-opt.nky, and IV 0 must be the same in both .nky files.
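
The key-file relationship stated in the Note can be checked before Team-A hands anything to Team-B. The following Python is an added example, not part of the Bootgen User Guide or of bootgen; `parse_nky` and `check_handoff` are hypothetical helper names, and the parser assumes only the four .nky statements shown on this page (other statements are skipped). The key values are the page's own example values.

```python
import re

# The four statement kinds that appear in this page's .nky examples.
STMT = re.compile(r"^\s*(Device|Key\s+0|IV\s+0|Key\s+Opt)\s+(\S+?)\s*;?\s*$", re.I)
HEX_LEN = {"key 0": 64, "key opt": 64, "iv 0": 24}  # 256-bit keys, 96-bit IV

# Example values copied from the page's aes.nky and aes-opt.nky listings.
TEAM_A_NKY = """Device xc7z020clg484;
Key 0 AD00C023E238AC9039EA984D49AA8C819456A98C124AE890ACEF002100128932;
IV 0 F7F8FDE08674A28DC6ED8E37;
Key Opt 229C993D1310DD27B6713749B6D07FCF8D3DCA01EC9C64778CBAF457D613508F;
"""
TEAM_B_NKY = """Device xc7z020clg484;
Key 0 229C993D1310DD27B6713749B6D07FCF8D3DCA01EC9C64778CBAF457D613508F;
IV 0 F7F8FDE08674A28DC6ED8E37;
"""

def parse_nky(text):
    """Parse .nky text into a dict; statements not shown on the page are skipped."""
    out = {}
    for n, line in enumerate(text.splitlines(), 1):
        m = STMT.match(line)
        if not m:
            continue
        name = " ".join(m.group(1).lower().split())
        value = m.group(2).upper()
        want = HEX_LEN.get(name)
        if want and not re.fullmatch(f"[0-9A-F]{{{want}}}", value):
            raise ValueError(f"line {n}: {name} must be {want} hex digits")
        out[name] = value
    return out

def check_handoff(team_a_nky, team_b_nky):
    """Return a list of problems with the key-file pair; empty means consistent."""
    a, b = parse_nky(team_a_nky), parse_nky(team_b_nky)
    problems = []
    if "key opt" not in a:
        problems.append("Team-A file has no Key Opt")
    elif a["key opt"] != b.get("key 0"):
        problems.append("Key Opt (Team-A) differs from Key 0 (Team-B)")
    if a.get("iv 0") != b.get("iv 0"):
        problems.append("IV 0 differs between the two files")
    red = a.get("key 0")
    if red and red in team_b_nky.upper():  # red key must never reach Team-B
        problems.append("Team-B file contains the red key")
    if red and red == a.get("key opt"):
        problems.append("Key Opt equals the red key")
    return problems

if __name__ == "__main__":
    print(check_handoff(TEAM_A_NKY, TEAM_B_NKY) or "key files consistent")
```

An empty list means the pair satisfies the Note; any entry should block the hand-off until the files are regenerated.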