Zynq UltraScale+ MPSoCs has a 256-bit AES-GCM hardware engine that supports confidentiality (via AES) and authentication (via GCM) of your boot images, and can also be used post-boot to encrypt and decrypt data.
The AES-GCM cryptographic engine has access to a diverse set of key sources. For more information on the key sources, see Zynq UltraScale+ Device Technical Reference Manual (UG1085).
The red key is used to encrypt the image. During the generation of the boot file
(BOOT.bin), the red key, and the initialization
vector (IV) must be provided to the Bootgen tool in .nky
file format.
PMU firmware can be loaded by CSU BootROM or FSBL.
The following BIF file is an example encrypted image, where PMU firmware is loaded by FSBL:
the_ROM_image:
{
[aeskeyfile] bbram.nky
[keysrc_encryption] bbram_red_key
[bootloader, encryption=aes, destination_cpu=a53-0] ZynqMP_Fsbl.elf
[destination_cpu = pmu, encryption=aes] pmufw.elf
}