The black key is produced after the red key is encrypted using the PUF generated key encryption key (KEK).
Note: The KEK is unique per Versal device and cannot be read out of the device.
The black key can be stored in eFUSE, BBRAM, or in the boot header for secure boot. If encrypt-only boot mode is selected, the black key can only be stored in eFUSEs.
Important: The physical unclonable function (PUF) is only supported when using a nominal VCC_PMC of 0.70V. Refer to the Versal Adaptive SoC Security Manual (UG1508) in the Security Lounge (registration required) for detailed information on PUF usage.