AES Key Generation

External Secure Storage Using the PUF (XAPP1333)

Document ID
XAPP1333
Release Date
2022-04-12
Revision
1.2 English

Create a new directory called Keys in the Xilinx Vitis workspace root directory. The Vitis root directory can be found at the same level as the HelloWorld folder. Generate a device key and its associated IV, an operational key, and one partition block key and its associated IV. Combine these keys and IVs into a file named multiple_keys.nky. Alternatively, copy the Keys folder found in the reference design documents to use for this lab or, if desired, use them as a template and insert your own key and IV values.

Device  zcu9eg;

Key 0   0123456789012345678901234567890123456789012345678901234567890123;

IV      01DBD60260A7EC34DE5F6A494;

Key Opt E070C542B6680A855724793A75222391E663CBD35F45D070F22F703A5CA31B45;

Key 1   0000000100000001000000010000000100000001000000010000000100000001;

IV 1    000000010000000100000001;

Encrypting the boot image is not required to use the PUF for encrypting user data. However, Xilinx highly recommends doing so, and an encrypted boot image is used throughout this application note.

IMPORTANT: Be sure to use your own AES keys and associated IVs for operational devices. The keys provided in this lab are for demonstration purposes and are not cryptographically strong. Per the NIST Special Publication (SP) 800-38D Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM), new IVs need to be used each time a key is used to encrypt new data. This means that if the boot image is updated, a new IV needs to be selected and provided to Bootgen.
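The following Python sketch is an added example, not part of the application note or of any Xilinx tool. It writes a multiple_keys.nky in the layout of the sample above using the operating system's CSPRNG, and checks a key file for wrong lengths, reused values, and keys built from a short repeating pattern. The function names, the 64-digit key and 24-digit IV sizes (256-bit AES key, 96-bit GCM IV), and the repeat heuristic are assumptions of this example.

```python
import re
import secrets

KEY_HEX, IV_HEX = 64, 24  # assumed sizes: 256-bit AES key, 96-bit GCM IV

# Demonstration values copied from the sample file on this page.
PAGE_SAMPLE = """\
Device  zcu9eg;
Key 0   0123456789012345678901234567890123456789012345678901234567890123;
IV      01DBD60260A7EC34DE5F6A494;
Key Opt E070C542B6680A855724793A75222391E663CBD35F45D070F22F703A5CA31B45;
Key 1   0000000100000001000000010000000100000001000000010000000100000001;
IV 1    000000010000000100000001;
"""

ENTRY = re.compile(r"^(Key (?:\d+|Opt)|IV(?: \d+)?)\s+([0-9A-Fa-f]+);$")

def generate_nky(device):
    """Build .nky text in the page's layout with values from the OS CSPRNG."""
    def rnd(hex_digits):
        return secrets.token_hex(hex_digits // 2).upper()
    rows = [("Device", device), ("Key 0", rnd(KEY_HEX)), ("IV", rnd(IV_HEX)),
            ("Key Opt", rnd(KEY_HEX)), ("Key 1", rnd(KEY_HEX)), ("IV 1", rnd(IV_HEX))]
    return "".join(f"{name:<8}{value};\n" for name, value in rows)

def check_nky(text):
    """Return findings: bad lengths, reused values, keys built from a short repeat."""
    findings, seen = [], {}
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        if line.startswith("Device"):
            continue
        m = ENTRY.match(line)
        if not m:
            findings.append(f"unparsed line: {line}")
            continue
        name, value = m.group(1), m.group(2).upper()
        want = KEY_HEX if name.startswith("Key") else IV_HEX
        if len(value) != want:
            findings.append(f"{name}: {len(value)} hex digits, expected {want}")
        if value in seen:
            findings.append(f"{name}: same value as {seen[value]}")
        seen.setdefault(value, name)
        # A key equal to itself shifted by p digits is a short pattern repeated.
        if name.startswith("Key") and any(value[p:] == value[:-p] for p in range(1, 17)):
            findings.append(f"{name}: repeating pattern, not random")
    return findings

if __name__ == "__main__":
    print(check_nky(PAGE_SAMPLE))
    print(generate_nky("zcu9eg"), end="")
```

Run the check again whenever the boot image is rebuilt, and generate a new IV for that build so the same key and IV pair is never used twice.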