When creating a secure boot image for Spartan UltraScale+ devices, each partition within the image can be optionally encrypted. To enable encryption, the following two key parameters must be provided for each partition:
- keysrc: The source of the AES key (for example, eFUSE).
- aeskeyfile: A file containing the AES encryption key (in .nky format).
Note: Only the eFUSE-based key source is applicable for Spartan UltraScale+.
Key Management Best Practices
Effective key management is crucial for reducing security risks, specifically those related to side-channel attacks. To minimize the exposure of sensitive AES keys stored in hardware (eFUSE), it is recommended to:
- Use distinct Key/IV pairs for each partition
- Avoid reusing the same AES key across multiple partitions
- Limit the effective use of any one hardware-stored key to 384 bits of encrypted data, aligning with best practices for cryptographic containment.
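The first two recommendations can be checked before an image is built. The following is an added example, not part of the original documentation or of Bootgen: it audits a set of partitions for missing keysrc/aeskeyfile values and for AES key or Key/IV reuse across partitions. It assumes .nky files contain lines of the form `Key <slot> <hex>;` and `IV <slot> <hex>;`; the partition names, file names, the `efuse` placeholder value, and all key material are constructed.

```python
import re
from collections import defaultdict

# Assumed .nky layout: lines of the form "Key <slot> <hex>;" and "IV <slot> <hex>;".
NKY_LINE = re.compile(r"^\s*(Key|IV)\s+(\S+)\s+([0-9A-Fa-f]+)\s*;", re.MULTILINE)

def parse_nky(text):
    """Return ({slot: key_hex}, {slot: iv_hex}) from the text of one .nky file."""
    keys, ivs = {}, {}
    for kind, slot, value in NKY_LINE.findall(text):
        (keys if kind == "Key" else ivs)[slot] = value.upper()
    return keys, ivs

def audit(partitions, nky_files):
    """partitions: list of dicts with 'name', 'keysrc', 'aeskeyfile'.
    nky_files: {file name: file text}. Findings never contain key material."""
    findings, key_users, pair_users = [], defaultdict(set), defaultdict(set)
    for p in partitions:
        missing = [f for f in ("keysrc", "aeskeyfile") if not p.get(f)]
        if missing:
            findings.append(f"{p['name']}: missing {', '.join(missing)}")
            continue
        keys, ivs = parse_nky(nky_files.get(p["aeskeyfile"], ""))
        for slot, key in keys.items():
            key_users[key].add(p["name"])
            if slot in ivs:
                pair_users[(key, ivs[slot])].add(p["name"])
    for label, table in (("AES key", key_users), ("Key/IV pair", pair_users)):
        for users in table.values():
            if len(users) > 1:
                findings.append(f"{label} reused by: " + ", ".join(sorted(users)))
    return findings

# Constructed sample data (not real keys; "efuse" is a placeholder keysrc value).
SAMPLE_NKY = {
    "boot.nky": "Device demo;\nKey 0 " + "11" * 32 + ";\nIV 0 " + "AA" * 12 + ";\n",
    "app.nky": "Device demo;\nKey 0 " + "11" * 32 + ";\nIV 0 " + "BB" * 12 + ";\n",
    "data.nky": "Device demo;\nKey 0 " + "22" * 32 + ";\nIV 0 " + "CC" * 12 + ";\n",
}
SAMPLE_PARTITIONS = [
    {"name": "bootloader", "keysrc": "efuse", "aeskeyfile": "boot.nky"},
    {"name": "app", "keysrc": "efuse", "aeskeyfile": "app.nky"},
    {"name": "data", "keysrc": "efuse", "aeskeyfile": "data.nky"},
    {"name": "cfg", "keysrc": "efuse", "aeskeyfile": None},
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_PARTITIONS, SAMPLE_NKY)))
```

In the sample, `bootloader` and `app` share one AES key with different IVs, so only the key-reuse finding is raised for them; `cfg` is flagged because it has no aeskeyfile.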