The black key is produced after the red key is encrypted using the PUF generated key encryption key (KEK).
Note: The KEK
is unique per Versal device and cannot be read
out of the device.
The black key can be stored in eFUSE, BBRAM, or in the boot header for secure boot. If encrypt-only boot mode is selected, the black key can only be stored in eFUSEs.
Important: The physical
unclonable function (PUF) is only supported when using a nominal VCC_PMC of 0.70V.
Refer to the Versal ACAP Security Manual (UG1508) in
the Security Lounge (registration required) for detailed information on PUF
usage.