For customers who would like to have the device key stored encrypted when not in use,
the physical unclonable function (PUF) can be used. Here, the actual red key is
encrypted with the PUF key encryption key (KEK), an encryption key that is
generated by the PUF. The device decrypts the black key to recover the actual red
key, so you must provide the required inputs to Bootgen. The black key can be
stored in either eFUSE or the Boot Header. The shutter value indicates the time for
which the oscillator values can be captured for the PUF. This value must always be
0x100005E.
For more details, refer to “Storing Keys in Encrypted Form (Black)” in the Zynq UltraScale+ Device Technical Reference Manual (UG1085).
The following example shows storage of the black key in eFUSE.
the_ROM_image:
{
[pskfile]PSK.pem
[sskfile]SSK.pem
[aeskeyfile]red.nky
[keysrc_encryption] efuse_blk_key
[fsbl_config] shutter=0x0100005E
[auth_params] ppk_select=0
[bootloader, encryption = aes, authentication = rsa, destination_cpu=a53-0]fsbl.elf
[bh_key_iv] black_key_iv.txt
}
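As an added example (not part of the Bootgen documentation), the following Python script parses a BIF of the form shown above and checks the inputs the text calls for when the key is stored black: a black key source, the red key file, the bh_key_iv entry, and the fixed shutter value. The bh_blk_key key source is the Boot Header counterpart of efuse_blk_key and does not appear on this page; the embedded BIF is a constructed copy trimmed to the encryption-related lines of the example.

```python
import re
# Stated on the page: the PUF shutter value must always be this.
REQUIRED_SHUTTER = 0x0100005E
# Black (PUF-encrypted) key sources: efuse_blk_key is the page's, bh_blk_key the Boot Header variant.
BLACK_KEY_SOURCES = {"efuse_blk_key", "bh_blk_key"}
# Constructed sample, trimmed to the encryption-related lines of the page's example.
SAMPLE_BIF = """\
the_ROM_image:
{
[aeskeyfile]red.nky
[keysrc_encryption] efuse_blk_key
[fsbl_config] shutter=0x0100005E
[bootloader, encryption = aes, destination_cpu=a53-0]fsbl.elf
[bh_key_iv] black_key_iv.txt
}
"""

def parse_bif(text):
    """Parse '[attr, opt=v, ...] value' lines into {attribute: value}."""
    bif = {}
    for raw in text.splitlines():
        m = re.match(r"^\[([^\]]*)\]\s*(.*?)\s*$", raw.strip())
        if not m:
            continue  # image name, braces and blank lines carry no attributes
        head, *options = [a.strip() for a in m.group(1).split(",")]
        value = m.group(2)
        if "=" in value:  # value is itself a k=v list, e.g. fsbl_config
            pairs = (kv.partition("=") for kv in value.split(","))
            value = {k.strip(): v.strip() for k, _, v in pairs}
        bif[head] = value
        for opt in options:  # inline options such as 'encryption = aes'
            k, _, v = opt.partition("=")
            bif[k.strip()] = v.strip()
    return bif

def check_black_key_bif(text):
    """Return the problems found in a BIF meant to store the AES key in black form."""
    bif, problems = parse_bif(text), []
    keysrc = bif.get("keysrc_encryption", "")
    if keysrc not in BLACK_KEY_SOURCES:
        problems.append(f"keysrc_encryption={keysrc!r} is not a black key source")
    if "aeskeyfile" not in bif:
        problems.append("aeskeyfile (the red key Bootgen encrypts) is missing")
    if "bh_key_iv" not in bif:
        problems.append("bh_key_iv is missing; the device needs it to decrypt the black key")
    cfg = bif.get("fsbl_config")
    shutter = cfg.get("shutter") if isinstance(cfg, dict) else None
    if shutter is None or int(shutter, 16) != REQUIRED_SHUTTER:
        problems.append(f"shutter {shutter} must be 0x{REQUIRED_SHUTTER:08X}")
    return problems
```

Running check_black_key_bif(SAMPLE_BIF) returns an empty list; changing the shutter value or dropping the bh_key_iv line produces one problem per defect.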