AMD Zynq™ 7000 SoC devices use the hash-based message authentication code (HMAC) and advanced encryption standard (AES) modules embedded in the Programmable Logic (PL), with AES operating in cipher block chaining (CBC) mode.
Example BIF File
To create a boot image with encrypted partitions, the AES key file is specified in the BIF using the aeskeyfile attribute. Specify an encryption=aes attribute for each image file listed in the BIF file that is to be encrypted. The example BIF file (secure.bif) is shown below:
image:
{
[aeskeyfile] secretkey.nky
[keysrc_encryption] efuse
[bootloader, encryption=aes] fsbl.elf
[encryption=aes] uboot.elf
}
From the command line, use the following command to generate a boot image with encrypted fsbl.elf and uboot.elf:
bootgen -arch zynq -image secure.bif -w -o BOOT.bin
Key Generation
Bootgen can generate AES-CBC keys. Bootgen uses the AES key file specified in the BIF for encrypting the partitions. If the key file is empty or does not exist, Bootgen generates keys and writes them to the file named in the BIF. If no key file is specified in the BIF and encryption is requested for any partition, Bootgen generates a key file named after the BIF file with the extension .nky, in the same directory as the BIF. The following is a sample key file.
Device xc7z020clg484
Key 0 f878b838d8589818e868a828c8488808
Key StartCBC 5C9D95ECBFEC8A1F12A8EB312362C596
Key HMAC 00001111222233334444555566667777
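A pre-flight check for the two files described in this section, written here as an added example (not Bootgen's own code): it parses a BIF and a .nky key file and flags the situations in which Bootgen would fall back to generating a fresh key, a key file built for a different device, or malformed key hex. The BIF and .nky grammar is inferred from the samples on this page; the sample inputs are constructed copies of them, and key widths are not checked against the device.

```python
import re

# Constructed inputs mirroring this page's secure.bif and sample .nky file.
SAMPLE_BIF = """image:
{
    [aeskeyfile] secretkey.nky
    [keysrc_encryption] efuse
    [bootloader, encryption=aes] fsbl.elf
    [encryption=aes] uboot.elf
}
"""
SAMPLE_NKY = """Device xc7z020clg484
Key 0 f878b838d8589818e868a828c8488808
Key StartCBC 5C9D95ECBFEC8A1F12A8EB312362C596
Key HMAC 00001111222233334444555566667777
"""

def parse_bif(text):
    """Return ({image-wide attr: value}, [(set of attrs, filename), ...])."""
    globs, parts = {}, []
    for line in map(str.strip, text.splitlines()):
        if not line or line.endswith(":") or line in ("{", "}"):
            continue  # the 'image:' header and braces carry no attributes
        m = re.fullmatch(r"\[(.*?)\]\s*(\S+)", line)
        if not m:
            raise ValueError(f"unparseable BIF line: {line!r}")
        attrs = [a.strip() for a in m.group(1).split(",")]
        if attrs[0] in ("aeskeyfile", "keysrc_encryption"):
            globs[attrs[0]] = m.group(2)  # applies to the whole image
        else:
            parts.append((set(attrs), m.group(2)))
    return globs, parts

NKY_LINE = re.compile(r"^\s*(Device|Key \S+) (\S+)\s*$", re.M)
def parse_nky(text):
    """Return {'Device': part, '0': hex, 'StartCBC': hex, 'HMAC': hex}."""
    return {k.removeprefix("Key "): v for k, v in NKY_LINE.findall(text)}

def check(bif_text, nky_text, target_device):
    """List BIF/key-file inconsistencies; pass '' for a missing key file."""
    findings, (globs, parts) = [], parse_bif(bif_text)
    encrypted = [f for attrs, f in parts if "encryption=aes" in attrs]
    if encrypted and not (globs.get("aeskeyfile") and nky_text.strip()):
        return ["encryption requested but key file unspecified or empty: Bootgen would generate a new key"]
    nky = parse_nky(nky_text)
    if nky.get("Device") != target_device:
        findings.append(f"key file device {nky.get('Device')} != build target {target_device}")
    for name in ("0", "StartCBC", "HMAC"):
        if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", nky.get(name, "")):
            findings.append(f"'Key {name}' missing or not whole-byte hex")
    return findings
```

Run `check` before invoking bootgen so that a build never silently ships an image under a key you did not intend to use.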