A good key management practice includes minimizing the use of secret or private keys. This can be accomplished using the operational key option enabled in Bootgen.
When this feature is enabled, Bootgen creates an encrypted, secure header that contains the user-specified operational key (opt_key) and the initialization vector (IV) needed for the first block of the configuration file. The result is that the AES key stored on the device, in either the BBRAM or eFUSEs, is used for only 384 bits, which significantly limits its exposure to side channel attacks. The attribute opt_key is used to specify operational key usage. See fsbl_config for more information about the opt_key value that is an argument to the fsbl_config attribute. The following is an example of using the opt_key attribute.
image:
{
    [fsbl_config] opt_key
    [keysrc_encryption] bbram_red_key
    [bootloader,
    destination_cpu = a53-0,
    encryption = aes,
    aeskeyfile = aes_p1.nky]fsbl.elf
    [destination_cpu = a53-3,
    encryption = aes,
    aeskeyfile = aes_p2.nky]hello.elf
}
The operational key is given in the AES key (.nky) file under the name Key Opt, as shown in the following example. Bootgen generates the encryption key file. The operational key (opt_key) is then generated in the .nky file if opt_key has been enabled in the BIF file, as shown in the previous example.
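As an added check that is not part of this guide or of Bootgen itself, the following Python parses a .nky file and confirms that it carries a Key Opt entry next to the device key, and that the secure header protected by the device key amounts to the 384 bits quoted above. The line layout in SAMPLE_NKY (Device line, numbered Key/IV pairs, a Key Opt line) is assumed, and all hex values are constructed.

```python
import re

# Constructed sample .nky in the layout this section describes: a Device line,
# numbered Key/IV pairs, and a "Key Opt" line that Bootgen emits when opt_key
# is enabled in the BIF. Layout is assumed; the hex values are made up.
SAMPLE_NKY = """\
Device xczu9eg;
Key 0 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF;
IV 0 00112233445566778899AABBCCDDEEFF;
Key Opt FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210;
"""

ENTRY = re.compile(r"^(Device|Key|IV)\s+(\S+?)(?:\s+([0-9A-Fa-f]+))?\s*;$")

def parse_nky(text):
    """Map 'Device' -> name and (kind, label) -> lowercase hex, e.g. ('Key', 'Opt')."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = ENTRY.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised entry {line!r}")
        kind, label, value = m.groups()
        if kind == "Device":
            entries["Device"] = label
        elif value is None:
            raise ValueError(f"line {lineno}: {kind} {label} has no hex value")
        else:
            entries[(kind, label)] = value.lower()
    return entries

def check_opt_key(entries):
    """Return (ok, problems, secure_header_bits) for an opt_key-enabled image.

    The device key (Key 0, held in BBRAM or eFUSE) should only ever decrypt the
    secure header, which carries Key Opt plus IV 0: 256 + 128 = 384 bits, the
    figure quoted in the text. The partitions themselves use Key Opt.
    """
    problems = []
    dev, iv, opt = (entries.get(k) for k in (("Key", "0"), ("IV", "0"), ("Key", "Opt")))
    if dev is None or len(dev) * 4 != 256:
        problems.append("Key 0 missing or not 256 bits")
    if iv is None or len(iv) * 4 != 128:
        problems.append("IV 0 missing or not 128 bits")
    if opt is None:
        problems.append("Key Opt missing: opt_key was not enabled when Bootgen wrote this file")
    elif len(opt) * 4 != 256:
        problems.append("Key Opt is not 256 bits")
    elif opt == dev:
        problems.append("Key Opt equals the device key, so device key use is not minimised")
    header_bits = (len(opt) + len(iv)) * 4 if not problems else 0
    return (not problems, problems, header_bits)
```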
For another example of using the operational key, refer to Using Op Key to Protect the Device Key in a Development Environment.
For more details about this feature, see the Key Management section of the "Security" chapter in the Zynq UltraScale+ Device Technical Reference Manual (UG1085).