UPGRADE YOUR BROWSER

We have detected your current browser version is not the latest one. Xilinx.com uses the latest web technologies to bring you the best online experience possible. Please upgrade to a Xilinx.com supported browser:Chrome, Firefox, Internet Explorer 11, Safari. Thank you!

cancel
Showing results for 
Search instead for 
Did you mean: 
Contributor
Contributor
558 Views
Registered: ‎04-19-2018

Ultrascale+ AES Encryption

I am looking to use the AES encryption to protect the IP of our boot image on and Ultrascale+.

 

I would also like some way of storing two separate different decryption keys on the device.

One for the boot image and one for the user application.

 

If I understand correctly we only have one Efuse for an encryption key in the AES GCM encryption block?

Can you use an encryption key in an Efuse and a differnet one in BBRAM?

 

 

Thanks

Tim

0 Kudos
2 Replies
Highlighted
Contributor
Contributor
508 Views
Registered: ‎04-19-2018

Re: Ultrascale+ AES Encryption

Further reading of the Ultrascale TRM it appears you can use the AES encryption engine once booted using the Key Update Register.

 

Key Update Register

The key update register is used during boot to support the key rolling feature, where the

different AES key must be loaded multiple times. After boot, any key can be loaded into this

register via APB by software running on the PS. A 256-bit KUP key is stored in the eight AES

key update registers.

 

The Key Update register (KUP) is shown below, and after your have securely booted you can use this key instead of the selected device key (which is locked until next POR)

I am unsure on how you would securely get a secret Key into the Key update register (KUP)?

key_selection.PNG

 

I welcome any information or pointers to assist me.

 

Thanks

Tim

0 Kudos
Xilinx Employee
Xilinx Employee
469 Views
Registered: ‎02-01-2008

Re: Ultrascale+ AES Encryption

One possibility would be to authenticate/decrypt a data file from boot.bin via a slightly modified FSBL. The data file would contain the key, and FSBL would decrypt it to local memory (possibly an array within FSBL or TCM). The PMU can be instructed to then fetch the key from a user supplied address and only FSBL and PMU would have access to the local unencrypted copy.