For a Versal ACAP, bootgen encrypts the meta header when encryption is specifically mentioned under the "metaheader" attribute. The aeskeyfile that is to be used can be specified in the bif using the parameters under "metaheader". A snippet of the usage is shown below.
Note: Meta Header encryption includes all the
headers except the Image Header Table.
metaheader
{
encryption = aes,
keysrc = bbram_red_key,
aeskeyfile = headerkey.nky,
}
The following conditions apply.
- If a specific aeskeyfile is not specified for meta header, Bootgen generates a file named meta_header.nky, and uses it during encryption.
- If a boot loader is present in the bif, it is mandatory to encrypt boot loader to encrypt meta header. For a partial PDI, meta header can be optionally chosen to be encrypted.
- To ensure the correctness of Image Header Table, it is added as additional authenticated data when encrypting the Meta Header.