If you would like to have the device key store in obfuscated form, you can encrypt the actual red key with the family key which is an encryption key. Device will decrypt the obfuscated key to get the actual red key. Hence, you need to provide the required inputs to Bootgen. The obfuscated key can be stored in either eFUSE or the Boot Header.
For more details, see Storing Keys in Obfuscated Form (Gray) section in the Zynq UltraScale+ Device Technical Reference Manual (UG1085).
The following example shows storage of the obfuscated key in eFUSE:
the_ROM_image:
{
[aeskeyfile] red.nky
[keysrc_encryption] efuse_gry_key
[bh_key_iv] bhkeyiv.txt
[bootloader, encryption=aes, destination_cpu=a53-0] fsbl.elf
}
The following example shows storage of the obfuscated form (gray) key in boot header:
the_ROM_image:
{
[aeskeyfile] red.nky [keysrc_encryption] bh_gry_key [bh_key_iv] bhkeyiv.txt
[bh_keyfile] bhkey.txt
[bootloader, encryption=aes, destination_cpu=a53-0] fsbl.elf
}
To Generate Obfuscated Key with Family Key:
Use Xilinx tools (Bootgen) to create the Obfuscated key. However, the family key is not distributed with the Xilinx development tools. It is provided separately. The family key received from Xilinx should be provided in the bif as shown in the example below.
Sample bif to generate Obfuscated key:
all:
{
[aeskeyfile] aes.nky
[familykey] familyKey.cfg
[bh_key_iv] bhiv.txt
}
For more information, see Bootgen User Guide (UG1283)
Using Bootgen to Generate Keys
If you are using Bootgen to create keys, NIST approved KDF is used, which is Counter Mode KDF with CMAC as the PRF.
With a Single Key/IV pair:
- If seed is specified - Key Generation is based on Seed.
- If seed is NOT specified - Key Generation is based on Key0.
If an empty file is mentioned, Bootgen generates a seed with time based randomization. This is not a standard like the KDF. This seed will in turn be the input for KDF to generate the Key/IV pairs.