The black key storage solution uses a cryptographically strong key encryption key (KEK), which is generated from a PUF, to encrypt the user key. The resulting black key can then be stored either in the eFUSE or as a part of the authenticated boot header.
image:
{
    [puf_file] pufdata.txt
    [bh_key_iv] black_iv.txt
    [bh_keyfile] black_key.txt
    [fsbl_config] puf4kmode, shutter=0x0100005E, pufhd_bh
    [keysrc_encryption] bh_blk_key
    [
        bootloader,
        destination_cpu = a53-0,
        encryption = aes,
        aeskeyfile = aes_p1.nky
    ] fsbl.elf
    [
        destination_cpu = r5-0,
        encryption = aes,
        aeskeyfile = aes_p2.nky
    ] hello.elf
}
For another example of using the black key, see Use Cases and Examples.
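A pre-build consistency check for the BIF above, written as an added example; it is not part of the original documentation or of the vendor tooling. It assumes, from the attribute combination this example shows, that bh_blk_key needs [bh_keyfile] and [bh_key_iv] and that pufhd_bh needs [puf_file]; the function names are hypothetical.

```python
import re

# The BIF from the page (partition entries collapsed to one line each).
BIF = """image:
{
    [puf_file] pufdata.txt
    [bh_key_iv] black_iv.txt
    [bh_keyfile] black_key.txt
    [fsbl_config] puf4kmode, shutter=0x0100005E, pufhd_bh
    [keysrc_encryption] bh_blk_key
    [ bootloader, destination_cpu = a53-0, encryption = aes, aeskeyfile = aes_p1.nky ] fsbl.elf
    [ destination_cpu = r5-0, encryption = aes, aeskeyfile = aes_p2.nky ] hello.elf
}
"""

# Assumption: companion attributes inferred from the page's example.
KEYSRC_NEEDS = {"bh_blk_key": ("bh_keyfile", "bh_key_iv")}
FSBL_FLAG_NEEDS = {"pufhd_bh": ("puf_file",)}


def parse_top_level(bif):
    """Return {attribute: value} for one-line '[attr] value' settings."""
    attrs = {}
    for line in bif.splitlines():
        m = re.match(r"\s*\[(\w+)\]\s*(\S.*)$", line)
        if m:
            attrs[m.group(1)] = m.group(2).strip()
    return attrs


def lint_black_key(bif):
    """Return findings; an empty list means the settings are consistent."""
    attrs = parse_top_level(bif)
    keysrc = attrs.get("keysrc_encryption")
    findings = [] if keysrc else ["[keysrc_encryption] is not set"]
    flags = [f.strip() for f in attrs.get("fsbl_config", "").split(",")]
    required = [(keysrc, n) for n in KEYSRC_NEEDS.get(keysrc, ())]
    required += [(f, n) for f in flags for n in FSBL_FLAG_NEEDS.get(f, ())]
    for setting, needed in required:
        # A file attribute with no value is caught too: the regex needs a value.
        if needed not in attrs:
            findings.append(f"{setting} is set but [{needed}] is missing")
    return findings


if __name__ == "__main__":
    for finding in lint_black_key(BIF) or ["black-key settings are consistent"]:
        print(finding)
```

Running it over a BIF before image generation catches a black-key configuration that names the key source but omits the IV, the key file, or the PUF helper data.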