Spartan UltraScale+ Grey Key Generation - 2025.2 English - UG1283

Bootgen User Guide (UG1283)

Document ID: UG1283
Release Date: 2025-11-20
Version: 2025.2 English

There is an option to boot using an obfuscated key. The Red/User key is encrypted using the Family key and is stored in obfuscated form. Although the process encrypts the user key with the family key, you must not call the result a black/encrypted key, to differentiate it from using the PUF.

The Family key value is NOT in Bootgen, but is delivered separately to you with the product. The key is named familyKey.cfg.

Bootgen Support for Obfuscated Key

  • Bootgen takes the family key as an input from the user [familyKey.cfg].
  • It encrypts the red key [also an input from the user - aes.nky] with the family key and a user-provided IV [bhiv.txt].
  • It then generates the obfuscated key as output.

The intent is to keep the customer (red) key away from the third-party vendor, who has the (obfuscated) key to program.

Usage

To generate the obfuscated key, Bootgen takes the following inputs from the BIF.

Example : all.bif

all:
{  
  [aeskeyfile] aes.nky  
  [familykey] familyKey.cfg  
  [bh_key_iv] bhiv.txt
}

Bootgen Command

bootgen -arch spartanup -image all.bif -generate_keys obfuscatedkey

aes.nky

spartanup;
Key 0 1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF; 
IV 0 1234567890ABCDEF12345678;                                                                                  
Key Opt 0101010101010101010101010101010101010101010101010101010101010101;

bhiv.txt

abcdef12abcdef34abcdef56

Now, to generate the obfuscated key, that is, obfuscatedkey.txt:

Key 0 (Red key/User key) in aes.nky is encrypted using:

  • Family Key
  • IV in bhiv.txt
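
A pre-flight check for the inputs above, as an added example (not part of the Bootgen guide or of Bootgen itself): it parses the aes.nky record layout shown in the listing and rejects Key 0, IV 0 or a bhiv.txt IV that has the wrong length, is copied from this page's sample listings, or is a repeating pattern, before the files are passed to bootgen. The function names are hypothetical, and the expected hex lengths are an assumption inferred from the sample listings.

```python
import re

# Listings reproduced from this page; they are samples, not usable key material.
PAGE_NKY = """spartanup;
Key 0 1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF;
IV 0 1234567890ABCDEF12345678;
Key Opt 0101010101010101010101010101010101010101010101010101010101010101;"""
PAGE_BHIV = "abcdef12abcdef34abcdef56"

# Assumption: hex lengths follow the listings (256-bit Key 0, 96-bit IVs).
HEX_LEN = {"Key 0": 64, "IV 0": 24, "bh_key_iv": 24}

def parse_nky(text):
    """Map 'Key 0', 'IV 0', 'Key Opt' to upper-case hex from 'A B value;' records."""
    fields = {}
    for stmt in text.split(";"):
        parts = stmt.split()
        if len(parts) == 3:  # the device line and blank tails are skipped
            fields[f"{parts[0]} {parts[1]}"] = parts[2].upper()
    return fields

DOC_SAMPLES = set(parse_nky(PAGE_NKY).values()) | {PAGE_BHIV.upper()}

def is_repeating(val):
    """True if val is one shorter block repeated, e.g. 'A5' * 32."""
    return any(val == val[:p] * (len(val) // p)
               for p in range(1, len(val) // 2 + 1) if len(val) % p == 0)

def lint_key_inputs(nky_text, bhiv_text):
    """Return a list of findings; an empty list means no problem was detected."""
    values = parse_nky(nky_text)
    values["bh_key_iv"] = bhiv_text.strip().upper()
    findings = []
    for name, want in HEX_LEN.items():
        val = values.get(name)
        if val is None:
            findings.append(f"{name}: missing")
        elif len(val) != want or not re.fullmatch(r"[0-9A-F]+", val):
            findings.append(f"{name}: expected {want} hex digits")
        elif val in DOC_SAMPLES:
            findings.append(f"{name}: value copied from documentation")
        elif is_repeating(val):
            findings.append(f"{name}: repeating pattern")
    return findings

if __name__ == "__main__":
    for finding in lint_key_inputs(PAGE_NKY, PAGE_BHIV):
        print("REJECT", finding)
```

Run against the listings on this page, every field is rejected as a documentation sample; an empty result only means these checks passed, not that the key is strong.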

Notes

To generate a bootable image with Grey Key as the key source for encryption -

Sample.bif

generate_obfuscated_key:
{
   aeskeyfile = aes.nky
   familykey = familyKey.cfg
   bh_key_iv = kek.iv
}

When generating a boot image -

  • Bootgen places the IV from bhiv.txt in the Grey/Black IV field of the Boot Header.
  • Bootgen places IV 0 from aes.nky in the Secure Header IV field of the Boot Header.
  • Bootgen encrypts the PLM partition with Key 0 and IV 0 from aes.nky.

While decrypting -

  • BootROM uses -
    • the IV in the Grey/Black IV field of the Boot Header
    • the Family Key in the device
    to decrypt the obfuscated key burnt in eFUSE and obtain the Red Key (Key 0 in aes.nky).