We have detected your current browser version is not the latest one. Xilinx.com uses the latest web technologies to bring you the best online experience possible. Please upgrade to a Xilinx.com supported browser:Chrome, Firefox, Internet Explorer 11, Safari. Thank you!

Showing results for 
Search instead for 
Did you mean: 
Registered: ‎02-12-2016

Storage location for multiple AES keys (one per partition)

Zynq UltraScale+ and secure boot with both authentication and decryption and keys stored in eFUSE only, not BBRAM.

In UG1137 The sample bif for "One AES key / partition" and "One AES key / each partition" is the same. 

It is now (or there will be) a requirement for each partition to have a unique key as the same IV and key combination should never be reused. How is this done in practice? 

 [aeskeyfile] test1.nky
 [bootloader, encryption=aes] fsbl.elf
 [aeskeyfile] test2.nky
 [encryption=aes] hello.elf
 [aeskeyfile] test3.nky
 [encryption=aes] app.elf

It's easy to specify that test1.nky is stored in bbram, but where is test2.nky stored? is this some sort of OP key setup? If I wish to use eFUSE instead of BBRAM, is the situation different?

Tags (3)
0 Kudos
2 Replies
Xilinx Employee
Xilinx Employee
Registered: ‎10-11-2011

Re: Storage location for multiple AES keys (one per partition)

Only the first key is stored in eFUSe or BBRAM.

All the other keys are stored withong the encrypted part of the image.

UG1085 Figure 12-12: Key Rolling shows the structure used.

0 Kudos
Registered: ‎02-12-2016

Re: Storage location for multiple AES keys (one per partition)

This seems like an OP key concept, but how is it different?

In the figure, Unless there is an OP key present, the device key is used repeatedly. I take it from this that OP key is mandatory?
Wouldn't the last key enclosed in the encrypted PFW block N be the key used for block 0 of the FSBL? not a dummy key.

0 Kudos