AES-GCM 还支持密钥滚动功能,其中整个加密镜像以较小的 AES 加密块/模块形式来展示。每个模块均使用其专用密钥进行加密。初始密钥存储在器件上的密钥源中,而每个后续模块的密钥则在前一个模块中进行加密(封装)。您可使用 Bootgen,通过密钥滚动来生成启动镜像。BIF 属性 blocks 可指定在创建多个较小的块以便加密时所采用的模式。
注释: 对于 Versal 自适应 SoC,默认密钥滚动以 32 KB 数据为单位来执行。您通过 blocks 属性所选的密钥滚动将应用于每个 32 KB 区块内。这是对所使用的散列方法的补充。如果启用 DPA 密钥滚动对应措施,则会影响启动时间。请参阅启动时间估算其电子数据表以了解计算方式。
all:
{
id_code = 0x04ca8093
extended_id_code = 0x01
id = 0x2
metaheader
{
encryption = aes,
keysrc = bbram_red_key,
aeskeyfile = efuse_red_metaheader_key.nky,
dpacm_enable
}
image
{
name = pmc_subsys, id = 0x1c000001
partition
{
id = 0x01, type = bootloader,
encryption = aes,
keysrc = bbram_red_key,
aeskeyfile = bbram_red_key.nky,
dpacm_enable,
blocks = 4096(2);1024;2048(2);4096(*),
file = plm.elf
}
partition
{
id = 0x09, type = pmcdata, load = 0xf2000000,
aeskeyfile = pmcdata.nky,
file = pmc_data.cdo
}
}
image
{
name = lpd, id = 0x4210002
partition
{
id = 0x0C, type = cdo,
encryption = aes,
keysrc = bbram_red_key,
aeskeyfile = key1.nky,
dpacm_enable,
blocks = 8192(20);4096(*),
file = lpd_data.cdo
}
partition
{
id = 0x0B, core = psm,
encryption = aes,
keysrc = bbram_red_key,
aeskeyfile = key2.nky,
dpacm_enable,
blocks = 4096(2);1024;2048(2);4096(*),
file = psm_fw.elf
}
}
image
{
name = fpd, id = 0x420c003
partition
{
id = 0x08, type = cdo,
encryption = aes,
keysrc = bbram_red_key,
aeskeyfile = key5.nky,
dpacm_enable,
blocks = 8192(20);4096(*),
file = fpd_data.cdo
}
}
}
注释:
- 密钥文件中的密钥数量始终与要加密的块数相等。
- 如果密钥数量少于要加密的块数,那么 Bootgen 会返回错误。
- 如果密钥数量多于要加密的块数,那么 Bootgen 会忽略额外的密钥。