Encrypting Versal AI Edge Series Gen 2 and Versal Prime Series Gen 2 Device Partitions - 2025.1 English

Encrypting Versal AI Edge Series Gen 2 and Versal Prime Series Gen 2 Device Partitions - 2025.1 English - UG1283

Bootgen User Guide (UG1283)

Document ID

UG1283

Release Date

2025-05-29

Version

2025.1 English

The Versal AI Edge Series Gen 2 and Versal Prime Series Gen 2 device uses advanced encryption techniques to secure data across various partitions. It uses the AES-GCM core supporting 256-bit key for robust encryption when creating secure boot image. Encrypting partitions on a Versal AI Edge Series Gen 2 and Versal Prime Series Gen 2 device ensures that sensitive data is protected from unauthorized access.

AES Key File

Required for encryption, specifying the key source, and AES key file for each partition.

Key Source

The source of the encryption key, such as BBRAM or eFuses.

Note:

It is mandatory to specify AES key file and the key source for each partition when encryption is enabled. Based on the key source used, use same Key0 in the AES key files specified respectively and vice-versa.

Key Management

Effective key management is crucial for ensuring the security of the encrypted data. This is accomplished by using different key/IV pairs across different partitions in the boot image. Keys can be sourced from various locations, including BBRAM, eFuse, or boot headers. To enhance security, keys are rolled for every 32 KB chunk of data.

all: {  
    image {  
        {type = bootloader, encryption = aes,keysrc = bbram_red_key,aeskeyfile = plm.nky,dpacm_enable,file = plm.elf} 
        {type = pmcdata, load = 0xf2000000, aeskeyfile = pmc_data.nky, file = pmc_data.cdo}  
        {core = psm, file = psm.elf}  
        {type=cdo, encryption=aes, keysrc=bbram_red_key, aeskeyfile=ps_data.nky, file=ps_data.cdo}
        {type=cdo, file=subsystem.cdo}
        {core=a72-0, exception_level = el-3, file=a72-app.elf}
    }  
}