The Versal adaptive SoC AES-GCM cryptographic engine has access to a diverse set of key sources. Non-volatile key sources include eFUSE, BBRAM, and PUF key encryption key (KEK). These keys maintain their values even when the device is powered down. Volatile key sources include a boot header (BH) key, eight user keys, and a key update (KUP) register key.
The device provides a variety of options for securing both boot images and user data. Boot image keys can be stored in BBRAM, eFUSE, or in the boot image itself. These keys can be in plain text (red) or encrypted with the PUF KEK (black).
| Key Name | Description |
|---|---|
| Device | Symmetric key that is stored on the device (eFUSE, BBRAM, boot header) |
| PPK: Primary public key | Public key for asymmetric authentication, used to authenticate the secondary public key |
| SPK: Secondary public key | Public key for asymmetric authentication, used to authenticate partitions |
| AES | Symmetric key used for AES encrypt/decrypt |
The following table provides the different key options used by the AES core. The AES key selection values are included in the Versal Register Reference (NDA-version) (AM018). Available under NDA from Design Security Lounge.
| Key Name | Source | Size (bits) | Description |
|---|---|---|---|
| BBRAM | BBRAM | 256 | The BBRAM key is used to store an AES key for boot. This key can be protected by the PUF KEK. |
| BH | Register | 256 | The BH (boot header) key is stored encrypted inside the programmable device image (PDI) boot header and once decrypted it is stored inside the BH key register. |
| EFUSE | eFUSE | 256 | The eFUSE key is used for boot and is stored in the eFUSEs. It can be plain text or encrypted with the PUF KEK. |
| EFUSE_USER (x2) | eFUSE | 256, 128 | The two eFUSE user keys are key storage available for user runtime keys and stored in eFUSE. |
| Key update register (KUP) | Register | 256,128 | Key source used when key rolling is employed. The next user defined block of data is stored in the KUP. |
| PUF KEK | PUF | 256 | The PUF KEK is a key-encryption key that is generated by the PUF. |
| USER (x8) | Register | 256, 128 | Write only registers available for holding user runtime keys. Each register can be individually locked. |