Gray/Obfuscated Keys - 2022.2 English

Vitis Unified Software Platform Documentation: Embedded Software Development (UG1400)

Document ID
UG1400
Release Date
2023-01-02
Version
2022.2 English

The user key is encrypted with the family key, which is embedded in the metal layers of the device. This family key is the same for all devices in the Zynq® UltraScale+™ MPSoC. The result is referred to as the obfuscated key. The obfuscated key can reside in either the Authenticated Boot Header or or in eFUSEs.

image:
{
	[keysrc_encryption] efuse_gry_key 
	[bh_key_iv] bhiv.txt
	[
		bootloader, 
		destination_cpu = a53-0,
		encryption      = aes, 
		aeskeyfile      = aes_p1.nky
	]    fsbl.elf 
	[
		destination_cpu = r5-0,
		encryption      = aes,
		aeskeyfile      = aes_p2.nky 
	]    hello.elf
}

Bootgen does the following while creating an image:

  1. Places the IV from bhiv.txt in the field BH IV in Boot Header.
  2. Places the IV 0 from aes.nky in the field "Secure Header IV" in Boot Header.
  3. Encrypts the partition, with Key0 and IV0 from aes.nky.

Another example of using the gray/family key is found in Use Cases and Examples.

For more details about this feature, refer to the Zynq UltraScale+ Device Technical Reference Manual (UG1085).