Gray/Obfuscated Keys - 2024.2 English

Bootgen User Guide (UG1283)

Document ID
UG1283
Release Date
2024-11-13
Version
2024.2 English

The user key is encrypted with the family key, which is embedded in the metal layers of the device. This family key is the same for all devices in the AMD Zynq™ UltraScale+™ MPSoC. The result is referred to as the obfuscated key. The obfuscated key can reside in either the Authenticated Boot Header or or in eFUSEs.

image:
{
	[keysrc_encryption] efuse_gry_key 
	[bh_key_iv] bhiv.txt
	[
		bootloader, 
		destination_cpu = a53-0,
		encryption      = aes, 
		aeskeyfile      = aes_p1.nky
	]    fsbl.elf 
	[
		destination_cpu = r5-0,
		encryption      = aes,
		aeskeyfile      = aes_p2.nky 
	]    hello.elf
}

Bootgen does the following while creating an image:

  1. Places the IV from bhiv.txt in the field BH IV in Boot Header.
  2. Places the IV 0 from aes.nky in the field "Secure Header IV" in Boot Header.
  3. Encrypts the partition, with Key0 and IV0 from aes.nky.

Another example of using the gray/family key is found in Use Cases and Examples.

For more details about this feature, refer to the Zynq UltraScale+ Device Technical Reference Manual (UG1085).