Rolling Keys - 2022.1 English

Bootgen User Guide (UG1283)

Document ID: UG1283
Release Date: 2022-04-26
Version: 2022.1 English

AES-GCM also supports the rolling keys feature, in which the entire encrypted image is represented as a series of smaller AES-encrypted blocks (modules). Each module is encrypted using its own unique key. The initial key is stored at the key source on the device, while the key for each successive module is encrypted (wrapped) in the previous module. You can generate boot images with rolling keys using Bootgen. The BIF attribute blocks specifies the pattern used to split the image into multiple smaller blocks for encryption.

Note: For Versal ACAP, default key rolling is done on every 32 KB of data. The key rolling you choose with the blocks attribute is applied within each 32 KB chunk. This complements the hashing scheme used. If the DPA key rolling countermeasure is enabled, boot time is impacted. Refer to the boot time estimator spreadsheet for calculations.
all:
{
	id_code = 0x04ca8093
	extended_id_code = 0x01
	id = 0x2

	metaheader
	{
		encryption = aes,
		keysrc = bbram_red_key,
		aeskeyfile = efuse_red_metaheader_key.nky,
		dpacm_enable
	}

	image
	{
		name = pmc_subsys, id = 0x1c000001
		partition
		{
			id = 0x01, type = bootloader,
			encryption = aes,
			keysrc = bbram_red_key,
			aeskeyfile = bbram_red_key.nky,
			dpacm_enable,
			blocks = 4096(2);1024;2048(2);4096(*),
			file = plm.elf
		}
		partition
		{
			id = 0x09, type = pmcdata, load = 0xf2000000,
			aeskeyfile = pmcdata.nky,
			file = pmc_data.cdo
		}
	}

	image
	{
		name = lpd, id = 0x4210002
		partition
		{
			id = 0x0C, type = cdo,
			encryption = aes,
			keysrc = bbram_red_key,
			aeskeyfile = key1.nky,
			dpacm_enable,
			blocks = 8192(20);4096(*),
			file = lpd_data.cdo
		}
		partition
		{
			id = 0x0B, core = psm,
			encryption = aes,
			keysrc = bbram_red_key,
			aeskeyfile = key2.nky,
			dpacm_enable,
			blocks = 4096(2);1024;2048(2);4096(*),
			file = psm_fw.elf
		}
	}

	image
	{
		name = fpd, id = 0x420c003
		partition
		{
			id = 0x08, type = cdo,
			encryption = aes,
			keysrc = bbram_red_key,
			aeskeyfile = key5.nky,
			dpacm_enable,
			blocks = 8192(20);4096(*),
			file = fpd_data.cdo
		}
	}
}
Note:
  • The number of keys in the key file should always be equal to the number of blocks to be encrypted.
  • If the number of keys is less than the number of blocks to be encrypted, Bootgen returns an error.
  • If the number of keys is more than the number of blocks to be encrypted, Bootgen ignores the extra keys.
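
The following Python code is an added example, not part of the Bootgen documentation or tool: it expands a blocks pattern over a payload length and applies the key-count rule from the note above, so a key file can be checked before the image is built. It assumes that sizes are in bytes, that N(k) means k blocks of size N, a bare N means one block, and N(*) means all remaining blocks, and that the Versal note means the pattern restarts in each 32 KB chunk; the function names are hypothetical.

```python
import re

# One term of a blocks pattern: "<size>", "<size>(<count>)" or "<size>(*)".
TERM = re.compile(r"^(\d+)(?:\((\d+|\*)\))?$")

def parse_blocks(pattern):
    """Return [(size, count)]; count is an int or '*' (all remaining blocks)."""
    terms = []
    for raw in pattern.strip().rstrip(",").split(";"):
        m = TERM.match(raw.strip())
        if not m:
            raise ValueError(f"bad blocks term: {raw!r}")
        size, count = int(m.group(1)), m.group(2) or "1"
        if size == 0:
            raise ValueError("block size must be non-zero")
        if terms and terms[-1][1] == "*":
            raise ValueError("(*) must be the last term")
        terms.append((size, count if count == "*" else int(count)))
    return terms

def expand_blocks(pattern, length, chunk=None):
    """List the block sizes used for `length` bytes of data.

    chunk=32768 models the Versal note as read here (assumption): the pattern
    restarts in every 32 KB chunk. The final block of a span may be short.
    """
    terms, sizes = parse_blocks(pattern), []
    spans = [length] if not chunk else [min(chunk, length - o) for o in range(0, length, chunk)]
    for left in spans:
        for size, count in terms:
            n = 0
            while left > 0 and (count == "*" or n < count):
                sizes.append(min(size, left))
                left -= sizes[-1]
                n += 1
        if left > 0:
            # Assumption: treat an exhausted pattern as an error rather than guess.
            raise ValueError(f"pattern covers too little data; {left} bytes left over")
    return sizes

def check_key_count(pattern, length, keys_in_file, chunk=None):
    """Apply the page's rule: fewer keys than blocks fails, extras are ignored."""
    needed = len(expand_blocks(pattern, length, chunk))
    status = "error" if keys_in_file < needed else "ok" if keys_in_file == needed else "extra-ignored"
    return needed, status
```

For a constructed 20000-byte payload, check_key_count("4096(2);1024;2048(2);4096(*)", 20000, 7) reports 7 blocks and "ok".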