BIF File for Black Key Stored in eFUSE - 2021.1 English

Zynq UltraScale+ MPSoC Software Developer Guide (UG1137)

Document ID: UG1137
Release Date: 2021-07-13
Version: 2021.1 English

For customers who want the device key stored in encrypted form when it is not in use, the physical unclonable function (PUF) can be used. Here, the actual red key is encrypted with the PUF key encryption key (KEK), which is an encryption key generated by the PUF; the encrypted result is the black key. The device decrypts the black key to recover the actual red key, so you must provide the KEK details, such as the shutter value and the KEK IV, to Bootgen in the BIF file. The black key can be stored in either eFUSE or the Boot Header. The shutter value indicates the time for which the oscillator values can be captured for the PUF. This value must always be 0x100005E.

For more details, refer to “Storing Keys in Encrypted Form (Black)” in the Zynq UltraScale+ Device Technical Reference Manual (UG1085).

The following BIF example shows storage of the black key in eFUSE.

the_ROM_image:
{
[pskfile]PSK.pem 
[sskfile]SSK.pem 
[aeskeyfile]red.nky
[keysrc_encryption] efuse_blk_key 
[fsbl_config] shutter=0x0100005E 
[auth_params] ppk_select=0
[bootloader, encryption = aes, authentication = rsa, destination_cpu=a53-0]fsbl.elf
[bh_key_iv] black_key_iv.txt
}
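A pre-build check for the KEK details this section requires, as an added example that is not part of the guide or of Bootgen: it parses a BIF file and reports a missing or wrong shutter value, a missing `bh_key_iv` entry, or a key source other than `efuse_blk_key`. The function names and the `BAD_BIF` sample are constructed for illustration; `GOOD_BIF` is the BIF shown above.

```python
import re

REQUIRED_SHUTTER = 0x0100005E  # the guide: this value "must always be 0x100005E"
ENTRY = re.compile(r"^\s*\[([^\]]*)\]\s*(.*?)\s*$")

def parse_bif(text):
    """Map each single-name attribute, e.g. [fsbl_config], to its value string."""
    attrs = {}
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # strip block comments
    for line in text.splitlines():
        m = ENTRY.match(line.split("//")[0])            # strip line comments
        if m and "," not in m.group(1):                 # skip partition attribute lists
            attrs[m.group(1).strip().lower()] = m.group(2)
    return attrs

def check_black_key_bif(text):
    """Return a list of findings; an empty list means the KEK details are present."""
    attrs, findings = parse_bif(text), []
    if attrs.get("keysrc_encryption") != "efuse_blk_key":
        findings.append("keysrc_encryption is not efuse_blk_key")
    opts = [o.replace(" ", "") for o in attrs.get("fsbl_config", "").split(",")]
    shutter = [o.split("=", 1)[1] for o in opts if o.startswith("shutter=")]
    try:
        if not shutter:
            findings.append("fsbl_config has no shutter value")
        elif int(shutter[0], 16) != REQUIRED_SHUTTER:   # 0x100005E == 0x0100005E
            findings.append(f"shutter is {shutter[0]}, expected 0x{REQUIRED_SHUTTER:08X}")
    except ValueError:
        findings.append(f"shutter value {shutter[0]!r} is not hexadecimal")
    if not attrs.get("bh_key_iv"):
        findings.append("bh_key_iv (KEK IV file) is missing")
    return findings

GOOD_BIF = """the_ROM_image:
{
[pskfile]PSK.pem
[sskfile]SSK.pem
[aeskeyfile]red.nky
[keysrc_encryption] efuse_blk_key
[fsbl_config] shutter=0x0100005E
[auth_params] ppk_select=0
[bootloader, encryption = aes, authentication = rsa, destination_cpu=a53-0]fsbl.elf
[bh_key_iv] black_key_iv.txt
}"""
# Constructed failing input: wrong shutter value and no KEK IV entry.
BAD_BIF = GOOD_BIF.replace("shutter=0x0100005E", "shutter = 0x01000020  // constructed")
BAD_BIF = BAD_BIF.replace("[bh_key_iv] black_key_iv.txt\n", "")

if __name__ == "__main__":
    for name, bif in (("good", GOOD_BIF), ("bad", BAD_BIF)):
        print(name, check_black_key_bif(bif) or "OK")
```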