Hardware Root of Trust Only Boot (Auth_Only Option)

Zynq UltraScale+ Device Technical Reference Manual (UG1085)

The CSU automatically locks out the AES key, stored in either BBRAM or eFUSEs, as a key source to the AES engine if the FSBL is not encrypted. This prevents using the BBRAM or eFUSE as the key source to the AES engine during run-time applications.

Note: A user key can still be used by loading it into the key update register (KUP).

Systems that choose not to encrypt the FSBL and employ only the hardware root of trust boot mechanism can still use the AES key, post-boot, if the Auth_Only option is set.

To use the AES cryptographic accelerator after a hardware root of trust boot, with the key stored in either the BBRAM or eFUSE as a potential key source, the Auth_Only option must be selected in bootgen.

Note: This option is part of the configuration file that is authenticated.
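The following pre-build check is an added example, not part of UG1085 or of bootgen: it reads a bootgen BIF file and reports whether the BBRAM/eFUSE key will still be selectable as an AES key source after boot, according to the rule above. It assumes the option is written as `auth_only` under `[fsbl_config]` and that FSBL encryption appears as `encryption=aes` on the `[bootloader]` partition; the sample BIF text, file names and function names are constructed for illustration.

```python
import re

# Constructed sample BIF (not from UG1085). Attribute names are bootgen BIF syntax;
# file names and the image label are placeholders.
BIF_AUTH_ONLY = """
image: {
  [fsbl_config] a53_x64, auth_only
  [pskfile] psk.pem
  [sskfile] ssk.pem
  [bootloader, authentication=rsa, destination_cpu=a53-0] fsbl.elf
  [authentication=rsa, destination_cpu=a53-0] app.elf
}
"""
BIF_PLAIN_RSA = BIF_AUTH_ONLY.replace(", auth_only", "")
BIF_ENCRYPTED = BIF_PLAIN_RSA.replace("[bootloader, ", "[bootloader, encryption=aes, ")

ATTR_LINE = re.compile(r"^\s*\[([^\]]*)\]\s*(.*)$")


def parse_bif(text):
    """Return (set of fsbl_config options, bootloader attribute dict or None)."""
    text = re.sub(r"/\*.*?\*/|//[^\n]*", "", text, flags=re.S)  # drop BIF comments
    fsbl_opts, bootloader = set(), None
    for line in text.splitlines():
        m = ATTR_LINE.match(line)
        if not m:
            continue
        attrs = [a.strip().lower() for a in m.group(1).split(",")]
        if attrs == ["fsbl_config"]:
            fsbl_opts |= {o.lower() for o in re.split(r"[,\s]+", m.group(2)) if o}
        elif "bootloader" in attrs:
            bootloader = {}
            for a in attrs:
                key, _, value = a.partition("=")
                bootloader[key.strip()] = value.strip()
    return fsbl_opts, bootloader


def device_key_usable_post_boot(text):
    """True if the BBRAM/eFUSE key stays selectable as an AES key source at run time."""
    fsbl_opts, bootloader = parse_bif(text)
    if bootloader is None:
        raise ValueError("BIF has no [bootloader] partition")
    # Rule from the text: an unencrypted FSBL locks the device key out unless
    # auth_only is set. Treating an encrypted FSBL as "not locked" is this
    # example's reading of that rule.
    encrypted = bootloader.get("encryption", "none") == "aes"
    return encrypted or "auth_only" in fsbl_opts
```

Running this against the BIF in CI catches an image that is RSA-signed but missing the option before run-time code that expects the device key fails in the field.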