In the Versal AI Edge Series Gen 2 and Versal Prime Series Gen 2 devices, Bootgen supports encryption of the meta header when explicitly configured using the metaheader attribute in the BIF file. Meta header encryption secures all image headers, including the Image Header Table (IHT).
Example BIF Snippet for Meta Header Encryption:
metaheader
{
    encryption = aes,
    keysrc = bbram_red_key,
    aeskeyfile = headerkey.nky,
}
image
{
    {type=bootloader, encryption=aes, keysrc=bbram_red_key, aeskeyfile=bootloader_key.nky, file=plm.elf}
    {type=cdo, file=ps_data.cdo}
    {core=a72-0, exception_level=el-3, file=secure_app.elf}
}
Meta Header Key File
If an aeskeyfile is not explicitly provided for the meta header, Bootgen automatically generates a key file named meta_header.nky and uses it for encryption.
Bootloader Requirement
- If the BIF file includes a bootloader, meta header encryption requires that the bootloader is also encrypted. This ensures that the key source and AES key used to encrypt the meta header match secure boot expectations.
- For partial PDIs, meta header encryption is optional and can be configured independently.
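A pre-build check for the two rules above, as an added example that is not part of Bootgen or the original page: it flags an encrypted meta header paired with an unencrypted bootloader, and a metaheader block with no aeskeyfile (where Bootgen would generate meta_header.nky). The function names and sample BIFs are constructed for illustration, and the parser handles only the subset of BIF syntax shown in the snippet above.

```python
import re

# Constructed sample BIFs, using only the syntax shown in the snippet above.
GOOD_BIF = """
metaheader
{
    encryption = aes,
    keysrc = bbram_red_key,
    aeskeyfile = headerkey.nky,
}
image
{
    {type=bootloader, encryption=aes, keysrc=bbram_red_key, aeskeyfile=bootloader_key.nky, file=plm.elf}
    {type=cdo, file=ps_data.cdo}
}
"""
# Same layout, but the bootloader is left in the clear and no header key file is named.
BAD_BIF = """
metaheader
{
    encryption = aes,
    keysrc = bbram_red_key,
}
image
{
    {type=bootloader, file=plm.elf}
    {type=cdo, file=ps_data.cdo}
}
"""

def _attrs(body):
    """Turn 'k = v, k2 = v2,' into a dict; a bare flag maps to ''."""
    pairs = (item.split("=", 1) for item in body.split(",") if item.strip())
    return {p[0].strip().lower(): (p[1].strip() if len(p) > 1 else "") for p in pairs}

def check_metaheader(bif_text):
    """Return findings for the meta header key file and bootloader rules."""
    findings = []
    m = re.search(r"\bmetaheader\s*\{([^{}]*)\}", bif_text)
    meta = _attrs(m.group(1)) if m else {}
    if meta.get("encryption", "").lower() != "aes":
        return findings  # meta header is not encrypted, so neither rule applies
    if "aeskeyfile" not in meta:
        findings.append("metaheader: no aeskeyfile; Bootgen will generate meta_header.nky")
    # Innermost {...} groups are partition entries (the metaheader body also
    # matches here, but it carries no type attribute and is skipped).
    for p in map(_attrs, re.findall(r"\{([^{}]*)\}", bif_text)):
        if p.get("type") == "bootloader" and p.get("encryption", "").lower() != "aes":
            findings.append(f"bootloader {p.get('file', '?')}: not encrypted, but metaheader is")
    return findings
```

Running such a check before invoking Bootgen surfaces an implicitly generated meta_header.nky early, so the key file can be tracked and protected like the explicitly named ones.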