When creating a secure boot image for Spartan UltraScale+
devices, each partition within the image can be optionally encrypted. To enable
encryption, the following two key parameters must be provided for each partition:
- keysrc: The source of the AES key (for example, eFUSE).
- aeskeyfile: A file containing the AES encryption key (in .nky format).
Note: Only an eFUSE-based key source is applicable for Spartan UltraScale+.
Key Management Best Practices
Effective key management is crucial for reducing security risks, specifically those related to side-channel attacks. The following practices are recommended to minimize the exposure of sensitive AES keys stored in hardware (eFUSE):
- Use distinct Key/IV pairs for each partition
- Avoid reusing the same AES key across multiple partitions
- Limit the effective use of any one hardware-stored key to 384 bits of encrypted data, in line with best practices for cryptographic containment.
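A pre-build check for the first two practices above, as an added example (not AMD's or Bootgen's own code). It assumes the .nky files use `Key <n> <hex>;` and `IV <n> <hex>;` lines; the partition names and key values are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed .nky layout: "Key <n> <hex>;" and "IV <n> <hex>;" lines (other lines ignored).
NKY_LINE = re.compile(r"^\s*(Key|IV)\s+(\w+)\s+([0-9A-Fa-f]+)\s*;?\s*$")

def parse_nky(text):
    """Return {(field, slot): HEX} for every Key/IV line in one .nky file."""
    fields = {}
    for line in text.splitlines():
        m = NKY_LINE.match(line)
        if m:
            fields[(m.group(1), m.group(2))] = m.group(3).upper()
    return fields

def find_reuse(partitions):
    """partitions maps partition name -> .nky text. Returns sorted findings
    as (kind, [partition names]); key material itself is never echoed."""
    by_key, by_pair, findings = defaultdict(set), defaultdict(set), []
    for name, text in partitions.items():
        fields = parse_nky(text)
        keys = {slot: v for (f, slot), v in fields.items() if f == "Key"}
        if not keys:
            findings.append(("no-key", [name]))
        for slot, key in keys.items():
            by_key[key].add(name)
            iv = fields.get(("IV", slot))
            if iv:
                by_pair[(key, iv)].add(name)
    findings += [("key-reuse", sorted(n)) for n in by_key.values() if len(n) > 1]
    findings += [("key-iv-reuse", sorted(n)) for n in by_pair.values() if len(n) > 1]
    return sorted(findings)

# Constructed sample key files; partition names are hypothetical.
KEY_A, KEY_B = "A1" * 32, "B2" * 32
IV_1, IV_2 = "01" * 12, "02" * 12
SAMPLE = {
    "boot": f"Device example;\nKey 0 {KEY_A};\nIV 0 {IV_1};\n",
    "app":  f"Device example;\nKey 0 {KEY_A};\nIV 0 {IV_2};\n",
    "cfg":  f"Device example;\nKey 0 {KEY_A.lower()};\nIV 0 {IV_1};\n",
    "data": f"Device example;\nKey 0 {KEY_B};\nIV 0 {IV_1};\n",
}

if __name__ == "__main__":
    for kind, names in find_reuse(SAMPLE):
        print(kind, ", ".join(names))
```

Any finding should fail the build before the image is generated; the check compares keys case-insensitively so a re-cased copy of the same key is still caught.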