Encrypting Zynq-7000 Device Partitions - 2022.1 English

Bootgen User Guide (UG1283)

Document ID
UG1283
Release Date
2022-04-26
Version
2022.1 English

Zynq®-7000 SoC devices use the embedded, Progammable Logic (PL), hash-based message authentication code (HMAC) and an advanced encryption standard (AES) module with a cipher block chaining (CBC) mode.

Example BIF File

To create a boot image with encrypted partitions, the AES key file is specified in the BIF using the aeskeyfile attribute. Specify an encryption=aes attribute for each image file listed in the BIF file to be encrypted. The example BIF file (secure.bif) is shown below:

image: 
{
	[aeskeyfile] secretkey.nky
	[keysrc_encryption] efuse
	[bootloader, encryption=aes] fsbl.elf
	[encryption=aes] uboot.elf
}
From the command line, use the following command to generate a boot image with encrypted fsbl.elf and uboot.elf.
bootgen -arch zynq -image secure.bif -w -o BOOT.bin

Key Generation

Bootgen can generate AES-CBC keys. Bootgen uses the AES key file specified in the BIF for encrypting the partitions. If the key file is empty or non-existent, Bootgen generates the keys in the file specified in the BIF file. If the key file is not specified in the BIF, and encryption is requested for any of the partitions, then Bootgen generates a key file with the name of the BIF file with extension .nky in the same directory as of BIF. The following is a sample key file.

Figure 1. Sample Key File