Encrypting Versal Device Partitions - 2021.2 English

Vitis Unified Software Platform Documentation: Embedded Software Development (UG1400)

Document ID
UG1400
Release Date
2021-12-15
Version
2021.2 English

The Versal® device uses the AES-GCM core, which has support for a 256-bit key. When creating a secure image, each partition in a boot image can be optionally encrypted. Key source and aes key file are the prerequisites for encryption.

Note: For Versal ACAP, it is mandatory to specify AES key file and the key source for each partition when encryption is enabled. Based on the key source used, same Key0 should be used in the aes key files specified respectively and vice-versa.

Key Management

Good key management practice includes minimizing the use of secret or private keys. This can be accomplished by using different key/IV pairs across different partitions in the boot image. The result is that the AES key stored on the device, in either the BBRAM or eFUSEs, is used for only 384 bits, which significantly limits its exposure to side channel attacks.

all: {
  image
  {
    {type=bootloader, encryption=aes, keysrc=bbram_red_key, aeskeyfile=plm.nky, dpacm_enable, file=plm.elf}
    {type=pmcdata, load=0xf2000000, aeskeyfile = pmc_data.nky, file=pmc_data.cdo}
    {core=psm, file=psm.elf}
    {type=cdo, encryption=aes, keysrc=bbram_red_key, aeskeyfile=ps_data.nky, file=ps_data.cdo}
    {type=cdo, file=subsystem.cdo}
    {core=a72-0, exception_level = el-3, file=a72-app.elf}
  }
}