The AES-GCM accelerator supports the rolling keys feature, where the entire encrypted image is represented in terms of smaller AES encrypted messages. Each message is encrypted using its own unique key. The initial key is stored at the key source on the device (e.g., BBRAM or eFUSE), while keys for each successive message are encrypted (wrapped) in the prior message. During boot, all partitions can be decrypted through key rolling. In This Figure, “IV” illustrates the decryption flow and image format for the PMU firmware and FSBL. The same format is used for other partitions.