08-09-2018 03:21 AM
I am looking to use the AES encryption to protect the IP of our boot image on an Ultrascale+.
I would also like some way of storing two separate different decryption keys on the device.
One for the boot image and one for the user application.
If I understand correctly we only have one Efuse for an encryption key in the AES GCM encryption block?
Can you use an encryption key in an Efuse and a different one in BBRAM?
08-17-2018 01:06 AM - edited 08-17-2018 01:07 AM
On further reading of the Ultrascale TRM, it appears you can use the AES encryption engine once booted using the Key Update Register.
Key Update Register
The key update register is used during boot to support the key rolling feature, where the
different AES key must be loaded multiple times. After boot, any key can be loaded into this
register via APB by software running on the PS. A 256-bit KUP key is stored in the eight AES
key update registers.
The Key Update register (KUP) is shown below, and after you have securely booted you can use this key instead of the selected device key (which is locked until next POR).
I am unsure how you would securely get a secret key into the Key Update register (KUP)?
I welcome any information or pointers to assist me.
08-28-2018 10:49 AM
One possibility would be to authenticate/decrypt a data file from boot.bin via a slightly modified FSBL. The data file would contain the key, and FSBL would decrypt it to local memory (possibly an array within FSBL or TCM). The PMU can be instructed to then fetch the key from a user supplied address and only FSBL and PMU would have access to the local unencrypted copy.