Storing Keys in Encrypted Form (Black)

Zynq UltraScale+ Device Technical Reference Manual (UG1085)

Document ID
UG1085
Release Date
2022-09-15
Revision
2.3 English

The black key storage solution, as shown in This Figure, uses a cryptographically strong KEK generated from a PUF to encrypt the user key. The resulting black key can then be stored either in eFUSEs or as part of the authenticated boot header resident in external memory.   The black key storage provides the following advantages.

The user key is the same for all devices. Consequently, the encrypted boot images are the same for all devices that use the same user key.

The PUF KEK is unique for each device. Consequently, the black key stored with the device is unique for each device.

The PUF KEK value is only known by the device (cannot be read by the user).

The silicon manufacturing process includes inherent, random, and uncontrollable variations that cause unique and different characteristics from device to device. The Xilinx devices operate within these variations and device functionality is not affected. PUFs are tiny circuits that exploit these chip-unique variations to generate unique keys. The type of PUF used to generate the KEK is also an important consideration. The Zynq UltraScale+ MPSoC PUF uses an asymmetric technology (i.e., a ring oscillator based type PUF licensed from Verayo), which is different from the device key storage technology (e.g., SRAM or eFUSE). This asymmetric technology increases the security level above what can be achieved with a single technology.

 

IMPORTANT:   PUF regeneration can only be performed when authentication is enabled. The PUF is disabled in the encrypt-only secure boot mode.

Figure 12-5:      Black Key Storage

X-Ref Target - Figure 12-5

X18921-black-key.jpg