...
Generate the obfuscated key from the red key using bootgen and the bif template file below.

```
generate_obfuscated_key:
{
    [aeskeyfile] <path_to_aes_red_key_file>
    [familykey] <path_to_family_key_file>
    [bh_key_iv] <path_to_obfuscated_key_init_vector_file>
}
```
Execute the command below to generate the obfuscated key from the red key provided in the .bif file. The command writes the obfuscated key to the file obfuscatedkey.txt.

```
bootgen -generate_keys obfuscatedkey -arch zynqmp -image <path_to_bif_file>
```
Generate the encrypted boot image using bootgen and one of the bif template files below. Note that Key 0 and IV 0 must be the same across all .nky files used in the bif file for encrypting the partitions, and must also match the red key used for obfuscation in step 1.

Bif file for generating a boot image with the obfuscated key stored in eFUSE:

```
boot_img:
{
    [keysrc_encryption] efuse_gry_key
    [bh_key_iv] <path_to_obfuscated_key_init_vector_file>
    [ bootloader, destination_cpu = a53-0, encryption = aes, aeskeyfile = <path_to_aes_red_key_file> ] <path_to_fsbl_elf_file>
    [ destination_cpu = a53-3, encryption = aes, aeskeyfile = <path_to_aes_red_key_file> ] <path_to_app_elf_file>
}
```

Bif file for generating a boot image with the obfuscated key stored in the boot header:

```
boot_img:
{
    [keysrc_encryption] bh_gry_key
    [bh_keyfile] <path_to_obfuscated_key_file>
    [bh_key_iv] <path_to_obfuscated_key_init_vector_file>
    [ bootloader, destination_cpu = a53-0, encryption = aes, aeskeyfile = <path_to_aes_red_key_file> ] <path_to_fsbl_elf_file>
    [ destination_cpu = a53-3, encryption = aes, aeskeyfile = <path_to_aes_red_key_file> ] <path_to_app_elf_file>
}
```
Info: If you want bootgen to generate the AES key file, provide the part number as the argument of the -p option (for example, -p xczu9eg).
- bootgen accepts the file associated with the aeskeyfile tag in .nky format. If the key file is not present at the path specified in the bif file, a new encryption key is generated at that path.
- bootgen expects two AES keys (Key 0, Key 1) and their associated initialization vectors (IV 0, IV 1) in the .nky file. Key 0 and IV 0 are used to encrypt the boot header, and Key 1 and IV 1 are used to encrypt the partition. It is highly recommended to use different AES keys and IVs for each partition. Note that Key 0 and IV 0 must be the same across all .nky files used in the bif file for encrypting the partitions.
- The [bh_key_iv] attribute must be the same as the one used in step 1.
- If the key source was specified as efuse_gry_key when generating the encrypted image in step 2, program the AES eFUSEs with the obfuscated AES key (obfuscatedkey.txt) created in step 1.
- Load the boot image onto any of the configured/selected boot devices (SD/QSPI/NAND) and boot.
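The steps above impose consistency rules that are easy to get wrong across several hand-edited files: [bh_key_iv] must be identical in the step 1 and step 2 bif files, Key 0 / IV 0 in every aeskeyfile referenced by the boot image must match the red key file from step 1, and bh_gry_key needs a [bh_keyfile]. The following pre-flight check is an added example, not code from the original page or from Xilinx's bootgen. It assumes .nky lines of the form `Key 0 <hex>;` / `IV 0 <hex>;` and parses the bif attributes with simple regular expressions; the file names, key and IV values are constructed placeholders, not real key material.

```python
import re
import tempfile
from pathlib import Path

# "Key 0 <hex>;" / "IV 1 <hex>;" entries of a .nky key file (format assumed here).
NKY_LINE = re.compile(r"^\s*(Key|IV)\s+(\d+)\s+([0-9A-Fa-f]+)\s*;", re.MULTILINE)
# "[tag] value" attributes of a .bif file, e.g. "[bh_key_iv] bhiv.txt".
BIF_TAG = re.compile(r"\[\s*(\w+)\s*\]\s*([^\s\[\]]+)")
# "aeskeyfile = path" inside a partition attribute list.
BIF_AESKEYFILE = re.compile(r"aeskeyfile\s*=\s*([^\s,\]]+)")


def parse_nky(text):
    """Return {("Key"|"IV", index): hex-string} for every entry in a .nky file."""
    return {(name, int(idx)): val.lower() for name, idx, val in NKY_LINE.findall(text)}


def bif_tag_values(text, tag):
    """All values given for a bracketed [tag] in a bif file, in order."""
    return [v for t, v in BIF_TAG.findall(text) if t == tag]


def check_consistency(step1_bif, boot_bif, read):
    """Verify the rules of the obfuscated-key procedure.

    step1_bif / boot_bif are the bif texts of step 1 and step 2; read(path)
    returns the text of a referenced file. Returns a list of problem strings
    (empty list means the two bif files and their key files are consistent).
    """
    problems = []

    # Rule 1: [bh_key_iv] must carry the same IV in both steps (compare content, not path).
    iv1 = bif_tag_values(step1_bif, "bh_key_iv")
    iv2 = bif_tag_values(boot_bif, "bh_key_iv")
    if not iv1 or not iv2:
        problems.append("[bh_key_iv] missing from the step 1 or step 2 bif file")
    elif read(iv1[0]).split() != read(iv2[0]).split():
        problems.append(f"[bh_key_iv] content differs: {iv1[0]} (step 1) vs {iv2[0]} (step 2)")

    # Rule 2: Key 0 / IV 0 of every partition key file must equal the red key file of step 1.
    red = bif_tag_values(step1_bif, "aeskeyfile")
    if not red:
        problems.append("[aeskeyfile] (red key) missing from the step 1 bif file")
        return problems
    ref = parse_nky(read(red[0]))
    for path in BIF_AESKEYFILE.findall(boot_bif):
        nky = parse_nky(read(path))
        for entry in (("Key", 0), ("IV", 0)):
            if nky.get(entry) != ref.get(entry):
                problems.append(f"{path}: {entry[0]} {entry[1]} does not match red key file {red[0]}")
        if ("Key", 1) not in nky or ("IV", 1) not in nky:
            problems.append(f"{path}: Key 1 / IV 1 for partition encryption missing")

    # Rule 3: the key source must be one of the two grey-key sources; bh_gry_key needs [bh_keyfile].
    src = bif_tag_values(boot_bif, "keysrc_encryption")
    if src not in (["efuse_gry_key"], ["bh_gry_key"]):
        problems.append(f"[keysrc_encryption] must be efuse_gry_key or bh_gry_key, got {src}")
    elif src == ["bh_gry_key"] and not bif_tag_values(boot_bif, "bh_keyfile"):
        problems.append("[bh_keyfile] (obfuscatedkey.txt) is required with bh_gry_key")
    return problems


# Constructed sample inputs (placeholders, not real keys): the app key file shares
# Key 0 / IV 0 with the red key file but uses its own Key 1 / IV 1, as recommended.
RED_NKY = ("Device xczu9eg;\nKey 0 " + "11" * 32 + ";\nIV 0 " + "22" * 12 + ";\n"
           "Key 1 " + "33" * 32 + ";\nIV 1 " + "44" * 12 + ";\n")
APP_NKY = RED_NKY.replace("33" * 32, "55" * 32).replace("44" * 12, "66" * 12)
BAD_NKY = RED_NKY.replace("11" * 32, "77" * 32)  # Key 0 differs: must be rejected
STEP1_BIF = """generate_obfuscated_key:
{
    [aeskeyfile] red.nky
    [familykey] family.key
    [bh_key_iv] bhiv.txt
}
"""
BOOT_BIF = """boot_img:
{
    [keysrc_encryption] efuse_gry_key
    [bh_key_iv] bhiv.txt
    [ bootloader, destination_cpu = a53-0, encryption = aes, aeskeyfile = red.nky ] fsbl.elf
    [ destination_cpu = a53-3, encryption = aes, aeskeyfile = app.nky ] app.elf
}
"""
FILES = {"red.nky": RED_NKY, "app.nky": APP_NKY, "bad.nky": BAD_NKY,
         "bhiv.txt": "01" * 12 + "\n", "otheriv.txt": "0a" * 12 + "\n"}


def main():
    """Write the constructed files to a temp directory and run the check from disk."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        for name, content in FILES.items():
            (base / name).write_text(content)
        read = lambda p: (base / p).read_text()
        print("consistent set:", check_consistency(STEP1_BIF, BOOT_BIF, read))
        print("Key 0 mismatch:", check_consistency(STEP1_BIF, BOOT_BIF.replace("app.nky", "bad.nky"), read))


if __name__ == "__main__":
    main()
```

Run the check against the real bif files (with `read` opening paths relative to the bif directory) before invoking bootgen in step 2, so that a stale .nky or a copied-and-edited bif is caught before an image that cannot be decrypted by the programmed key reaches the board.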
...