Encryption - 2021.1 English

Zynq UltraScale+ MPSoC Software Developer Guide (UG1137)

Document ID
UG1137
Release Date
2021-07-13
Version
2021.1 English

Zynq UltraScale+ MPSoCs has a 256-bit AES-GCM hardware engine that supports confidentiality of your boot images, and can also be used post-boot to encrypt and decrypt data.

The AES cryptographic engine has access to a diverse set of key sources. For more information on the key sources, see Zynq UltraScale+ Device Technical Reference Manual (UG1085).

The red key is used to encrypt the image. During the generation of the boot file (BOOT.bin), the red key, and the initialization vector (IV) must be provided to the Bootgen tool in .nky file format.

PMU firmware can be loaded by CSU bootROM or FSBL.

Important: If both the FSBL and PMU firmware are encrypted, the PMU firmware must be loaded by the FSBL (and not the CSU bootROM) to avoid reusing the AES Key/IV pair. For more information, see Xilinx Answer 70622.

The following BIF file is an example encrypted image, where PMU firmware is loaded by FSBL:

the_ROM_image:
{
[aeskeyfile] bbram.nky [keysrc_encryption] bbram_red_key
[bootloader, encryption=aes, destination_cpu=a53-0] ZynqMP_Fsbl.elf [destination_cpu = pmu, encryption=aes] pmufw.elf
}