The secure boot functionality in Zynq devices allows you to support the confidentiality, integrity, and authentication of partitions.
Secure boot in Zynq UltraScale+ MPSoCs is accomplished by combining the Hardware Root of Trust (HWRoT) capabilities with the option of encrypting all boot partitions. The HWRoT is based on the RSA-4096 asymmetric algorithm with SHA-3/384, which is hardware accelerated. Confidentiality is provided using 256-bit Advanced Encryption Standard Galois Counter Mode (AES-GCM).
This section focuses on how to use and implement the following:
Hardware Root of Trust with key revocation
Partition encryption with differential power analysis (DPA) countermeasures
Black key storage using the physically unclonable function (PUF)
The section Secure Boot System Design Decisions outlines high-level secure boot decisions which should be made early in design development.
The Hardware Root of Trust section discusses the use of a Root of Trust (RoT) in boot.
The Boot Image Confidentiality and DPA section discusses the use of the operational key and key rolling techniques as countermeasures to a DPA attack. Changing the AES key reduces the exposure of both the key and the data protected by the key.
A red key is a key in unencrypted format. The Black Key Storage section provides a method for storing the AES key in encrypted, or black format. Black key storage uses the physically unclonable function (PUF) as a Key Encryption Key (KEK).
The Example: Practical Methods in Secure Boot section provides steps to develop and test systems that use AES encryption and RSA authentication.