Zynq®-7000 SoC devices use the embedded hash-based message authentication code (HMAC) and advanced encryption standard (AES) modules in the programmable logic (PL), with AES operating in cipher block chaining (CBC) mode.
Example BIF File
To create a boot image with encrypted partitions, the AES key file is specified in the BIF using the aeskeyfile attribute. Specify an encryption=aes attribute for each image file listed in the BIF file that is to be encrypted. The example BIF file (secure.bif) is shown below:
image:
{
[aeskeyfile] secretkey.nky
[keysrc_encryption] efuse
[bootloader, encryption=aes] fsbl.elf
[encryption=aes] uboot.elf
}
From the command line, use the following command to generate a boot image with encrypted fsbl.elf and uboot.elf:
bootgen -arch zynq -image secure.bif -w -o BOOT.bin
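A pre-flight audit for a BIF like secure.bif, written in Python as an added example that is not part of Bootgen or the Xilinx documentation. It parses the bracketed attribute syntax shown above and reports partitions that lack encryption=aes (they will be stored in clear text in BOOT.bin), a missing aeskeyfile when encryption is requested, a key file that is absent or empty (in which case, as the Key Generation section notes, Bootgen generates a new key instead of using the one already programmed into eFUSE), and a BIF that does not declare keysrc_encryption. The sample BIF text, the directory used for the file check and the key_check hook are constructed for this example; the parser handles only the attribute forms shown on this page.

```python
"""Pre-flight checks on a Bootgen BIF before building an encrypted Zynq-7000 boot image.

Added example, not Bootgen's own code. Sample BIF text below is constructed to match
the secure.bif shown in the documentation.
"""
import os
import re
from typing import Callable, Dict, List, Optional, Tuple

SAMPLE_BIF = """image:
{
    [aeskeyfile] secretkey.nky
    [keysrc_encryption] efuse
    [bootloader, encryption=aes] fsbl.elf
    [encryption=aes] uboot.elf
}
"""

# Attributes that describe the whole image rather than a single partition.
IMAGE_LEVEL_ATTRS = ("aeskeyfile", "keysrc_encryption")

# One BIF entry: optional "[attr, attr=value]" prefix followed by a file name or value.
LINE_RE = re.compile(r"^\s*(?:\[(?P<attrs>[^\]]*)\])?\s*(?P<file>\S+)\s*$")

Partition = Tuple[Dict[str, Optional[str]], str]


def parse_bif(text: str) -> Tuple[Dict[str, str], List[Partition]]:
    """Split a BIF into image-level attributes and a list of (attributes, file) partitions."""
    image_attrs: Dict[str, str] = {}
    partitions: List[Partition] = []
    for raw in text.splitlines():
        line = raw.split("//")[0].strip()          # drop C++-style line comments
        if not line or line.endswith(":") or line in ("{", "}"):
            continue                                # "image:" header and braces carry no data
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable BIF line: {raw!r}")
        attrs: Dict[str, Optional[str]] = {}
        for item in (m.group("attrs") or "").split(","):
            item = item.strip()
            if item:
                key, _, value = item.partition("=")
                attrs[key.strip()] = value.strip() or None   # bare attribute -> None
        token = m.group("file")
        if len(attrs) == 1 and next(iter(attrs)) in IMAGE_LEVEL_ATTRS:
            image_attrs[next(iter(attrs))] = token          # e.g. aeskeyfile -> secretkey.nky
        else:
            partitions.append((attrs, token))
    return image_attrs, partitions


def key_file_usable(path: str) -> bool:
    """True if the AES key file exists and is non-empty; otherwise Bootgen generates a new key."""
    return os.path.isfile(path) and os.path.getsize(path) > 0


def audit_bif(text: str, bif_dir: str = ".",
              key_check: Callable[[str], bool] = key_file_usable) -> List[str]:
    """Return a list of findings; an empty list means the BIF passed every check."""
    findings: List[str] = []
    image_attrs, partitions = parse_bif(text)
    for attrs, fname in partitions:
        if attrs.get("encryption") != "aes":
            findings.append(f"{fname}: no encryption=aes, partition will be stored in clear text")
    if any(a.get("encryption") == "aes" for a, _ in partitions):
        keyfile = image_attrs.get("aeskeyfile")
        if keyfile is None:
            findings.append("no [aeskeyfile]: Bootgen would generate a new key file named after the BIF")
        elif not key_check(os.path.join(bif_dir, keyfile)):
            findings.append(f"{keyfile}: missing or empty, Bootgen would generate a fresh key "
                            "that cannot match a key already programmed into the device")
        if "keysrc_encryption" not in image_attrs:
            findings.append("no [keysrc_encryption]: key source (efuse in the example) not declared")
    return findings


def bootgen_command(bif_path: str, output: str = "BOOT.bin") -> List[str]:
    """The Bootgen invocation from the documentation, as an argv list."""
    return ["bootgen", "-arch", "zynq", "-image", bif_path, "-w", "-o", output]


if __name__ == "__main__":
    # Audit the sample BIF against the current directory; secretkey.nky is not expected to exist here.
    for finding in audit_bif(SAMPLE_BIF, bif_dir=".") or ["BIF passes all checks"]:
        print(finding)
    print(" ".join(bootgen_command("secure.bif")))
```

Run the audit from the directory that holds the BIF, since Bootgen resolves aeskeyfile relative to it; a finding about the key file means the image would be encrypted under a freshly generated key, not the one in eFUSE.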
Key Generation
Bootgen can generate AES-CBC keys. Bootgen uses the AES key file specified in the BIF for encrypting the partitions. If the key file is empty or does not exist, Bootgen generates the keys in the file specified in the BIF. If no key file is specified in the BIF and encryption is requested for any of the partitions, Bootgen generates a key file with the name of the BIF file and the extension .nky in the same directory as the BIF. The following is a sample key file.