The device key source selection is exclusively performed by the RCU ROM based on the authenticated boot image header. The AES key management block selects the appropriate key that needs to be input to the AES core.
The AES_KEY_SEL register determines which of the keys available is used for the encryption and decryption operation. The AES_KEY_SIZE register determines if the key is 128 bits or 256 bits. The AES_KEY_LOAD register loads the key value into the AES core.
In addition to the BBRAM and eFUSE key storage locations, the Versal adaptive SoC also allows for the device key to be stored in the boot header from the boot device. This key can be stored in its black form (i.e., encrypted with the PUF KEK).
The AES key selection register details are included in the Versal Register Reference (NDA-version) (AM018). Available under NDA from Design Security Lounge.