The following steps provide a solution in a scenario where two development teams, Team-A (secure team), which manages the secret red key and Team-B, (not so secure team), work collaboratively to build an encrypted image without sharing the secret red key. Team-B builds encrypted images for development and test. However, it does not have access to the secret red key.
Team-A encrypts the boot loader with the device key (using the Op_key
option) and delivers the encrypted bootloader
to Team-B. Team-B encrypts all the other partitions using the Op_key
.
Team-B takes the encrypted partitions that they created, and the encrypted boot loader they received from the Team-A and uses Bootgen to stitch everything together into a single boot.bin.
The following procedures describe the steps to build an image:
Procedure-1
In the initial step, Team-A encrypts the boot loader with the device key
using the opt_key
option, and delivers the
encrypted boot loader to Team-B. Now, Team-B can create the complete image at a go
with all the partitions and the encrypted boot loader using Operational Key as
Device Key.
- Encrypt Bootloader with device
key:
Example stage1.bif:bootgen -arch zynqmp -image stage1.bif -o fsbl_e.bin -w on -log error
Examplestage1: { [fsbl_config] opt_key [keysrc_encryption] bbram_red_key [ bootloader, destination_cpu=a53-0, encryption=aes,aeskeyfile=aes.nky ] fsbl.elf }
aes.nky
for stage1:Device xc7z020clg484; Key 0 AD00C023E238AC9039EA984D49AA8C819456A98C124AE890ACEF002100128932; IV 0 F7F8FDE08674A28DC6ED8E37; Key Opt 229C993D1310DD27B6713749B6D07FCF8D3DCA01EC9C64778CBAF457D613508F;
- Attach the encrypted bootloader and rest of the partitions with
Operational Key as device Key, to form a complete
image:
Example of stage2.bif:bootgen -arch zynqmp -image stage2a.bif -o final.bin -w on -log error
Example aes-opt.nky for stage2:stage2: { [bootimage]fsbl_e.bin [ destination_cpu=a53-0, encryption=aes, aeskeyfile=aes-opt.nky ] hello.elf [ destination_cpu=a53-1, encryption=aes, aeskeyfile=aes-opt1.nky ] hello1.elf }
Device xc7z020clg484; Key 0 229C993D1310DD27B6713749B6D07FCF8D3DCA01EC9C64778CBAF457D613508F; IV 0 F7F8FDE08674A28DC6ED8E37;
Procedure-2
In the initial step, Team-A encrypts the boot loader with the device Key using the opt_key option, delivers the encrypted boot loader to Team-B. Now, Team-B can create encrypted images for each partition independently, using the Operational Key as Device Key. Finally, Team-B can use Bootgen to stitch all the encrypted partitions and the encrypted boot loader, to get the complete image.
- Encrypt Bootloader with device
key:
Example stage1.bif:bootgen -arch zynqmp -image stage1.bif -o fsbl_e.bin -w on -log error
Examplestage1: { [fsbl_config] opt_key [keysrc_encryption] bbram_red_key [ bootloader, destination_cpu=a53-0, encryption=aes,aeskeyfile=aes.nky ] fsbl.elf }
aes.nky
for stage1:Device xc7z020clg484; Key 0 AD00C023E238AC9039EA984D49AA8C819456A98C124AE890ACEF002100128932; IV 0 F7F8FDE08674A28DC6ED8E37; Key Opt 229C993D1310DD27B6713749B6D07FCF8D3DCA01EC9C64778CBAF457D613508F
- Encrypt the rest of the partitions with Operational Key as
device
key:
Example of stage2a.bif:bootgen -arch zynqmp -image stage2a.bif -o hello_e.bin -w on -log error
Example of stage2b.bif:stage2a: { [ destination_cpu=a53-0, encryption=aes, aeskeyfile=aes-opt.nky ] hello.elf } bootgen -arch zynqmp -image stage2b.bif -o hello1_e.bin -w on -log error
Example ofstage2b: { [aeskeyfile] aes-opt.nky [ destination_cpu=a53-1, encryption=aes, aeskeyfile=aes-opt.nky ] hello1.elf }
aes-opt.nky
for stage2a and stage2b:Device xc7z020clg484; Key 0 229C993D1310DD27B6713749B6D07FCF8D3DCA01EC9C64778CBAF457D613508F; IV 0 F7F8FDE08674A28DC6ED8E37;
- Use Bootgen to stitch the above example to form a complete
image:
Example of stage3.bif:bootgen -arch zynqmp -image stage3.bif -o boot.bin -w on -log error
stage3: { [bootimage]fsbl_e.bin [bootimage]hello_e.bin [bootimage]hello1_e.bin }
Note: opt_key ofaes.nky
is same as Key 0 inaes-opt.nky
and IV 0 must be same in both nky files.