For creating a boot image using Bootgen with an operational key (op key), you must provide the tool with the operational key, along with the red key and IV in an .nky file. Bootgen places this operational key in a header and encrypts it with the device red key. The result is what is called an encrypted secure header. The main advantage of this is that it minimizes the use of the device key, thus limiting its exposure. For more details, refer to “Minimizing Use of the AES Boot Key (OP Key Option)” in the Zynq UltraScale+ Device Technical Reference Manual (UG1085).
the_ROM_image:
{
[aeskeyfile] bbram.nky [fsbl_config] opt_key [keysrc_encryption] bbram_red_key
[bootloader, encryption=aes, destination_cpu=a53-0] ZynqMP_Fsbl.elf
[destination_cpu = a53-0, encryption=aes] App_A53_0.elf
}