...

  1. Generate the obfuscated key from the red key using bootgen and the bif template below. The obfuscated (grey) key is the red key wrapped with the device family key, so the red key itself is never stored in eFUSE or in the boot header in the clear.

    generate_obfuscated_key:
    {
       [aeskeyfile] <path_to_aes_red_key_file>
       [familykey] <path_to_family_key_file>
       [bh_key_iv] <path_to_obfuscated_key_init_vector_file>
    }

    Run the command below to generate the obfuscated key from the red key named in the .bif file. It writes the obfuscated key to obfuscatedkey.txt.

    bootgen -generate_keys obfuscatedkey -arch zynqmp -image <path_to_bif_file>


  2. Generate the encrypted boot image using bootgen and one of the bif templates below. Key 0 and IV 0 must be identical in every .nky file the bif references for partition encryption, and must match the red key used for obfuscation in step 1.

    Bif file for generating a boot image with the obfuscated key stored in eFUSE.

    boot_img:
    {
       [keysrc_encryption] efuse_gry_key
       [bh_key_iv] <path_to_obfuscated_key_init_vector_file>
      
       [ bootloader,
         destination_cpu = a53-0,
         encryption = aes,
         aeskeyfile = <path_to_aes_red_key_file> 
       ] <path_to_fsbl_elf_file>
    
       [ destination_cpu = a53-3,
         encryption = aes,
         aeskeyfile = <path_to_aes_red_key_file>
       ] <path_to_app_elf_file>
    }

    Bif file for generating a boot image with the obfuscated key stored in the boot header.

    boot_img:
    {
       [keysrc_encryption] bh_gry_key
       [bh_keyfile] <path_to_obfuscated_key_file>
       [bh_key_iv] <path_to_obfuscated_key_init_vector_file>
      
       [ bootloader,
         destination_cpu = a53-0,
         encryption = aes,
         aeskeyfile = <path_to_aes_red_key_file> 
       ] <path_to_fsbl_elf_file>
    
    
       [ destination_cpu = a53-3,
         encryption = aes,
         aeskeyfile = <path_to_aes_red_key_file>
       ] <path_to_app_elf_file>
    }


    Notes:
    • To have bootgen generate the AES key file, pass the part number with the -p option (e.g. -p xczu9eg).
    • bootgen accepts the file named by the aeskeyfile attribute in .nky format. If that file does not exist at the path given in the bif, bootgen generates a new key file there. An .nky file holds unencrypted key material and must be protected accordingly.
    • bootgen expects two AES keys (Key 0, Key 1) with their initialization vectors (IV 0, IV 1) in each .nky file. Key 0 and IV 0 encrypt the secure header that carries the partition key; Key 1 and IV 1 encrypt the partition data. Use a different Key 1/IV 1 for every partition. Key 0 and IV 0 must be the same in all .nky files the bif uses and must equal the red key obfuscated in step 1, since that is the key the device recovers from the obfuscated key.
    • The [bh_key_iv] attribute must name the same file as in step 1.


  3. If the key source was specified as efuse_gry_key when the encrypted image was generated in step 2, program the AES eFUSEs with the obfuscated key (obfuscatedkey.txt) created in step 1. eFUSE programming is irreversible, so verify the key file contents before burning.
  4. Load the boot image onto the configured boot device (SD/QSPI/NAND) and boot.
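The following POSIX shell script is an added example for the procedure above; it is not part of the original page or of Xilinx's bootgen distribution. It assumes the .nky layout that bootgen writes (one `Key N <hex>;` / `IV N <hex>;` line per key and IV), constructs sample key files with placeholder values, checks that Key 0/IV 0 are identical across every referenced file and match the red key file, counts Key 1 values shared between partitions, and renders the boot-image bif for either key source. The hex values, file names and the function names (`check_key0_iv0`, `count_reused_key1`, `render_boot_bif`) are assumptions made for illustration; bootgen itself is only shown in comments and is not executed.

```shell
#!/bin/sh
# Added example, not from the original page: pre-flight checks for the .nky files
# referenced by a bootgen bif. Assumes the .nky layout bootgen writes:
#   Device <part>;  Key 0 <64 hex>;  IV 0 <24 hex>;  Key 1 <64 hex>;  IV 1 <24 hex>;

# Print one field ("Key"/"IV" plus index) from an .nky file as uppercase hex without the ';'.
nky_field() {
    awk -v l="$2" -v i="$3" '$1==l && $2==i { gsub(/;/, "", $3); print toupper($3); exit }' "$1"
}

# Return 0 when every file in "$@" carries the same Key 0/IV 0 as the red key file "$1"
# (the device recovers exactly that Key 0 from the obfuscated key), else 1.
check_key0_iv0() {
    ref=$1; shift
    ref_key=$(nky_field "$ref" Key 0); ref_iv=$(nky_field "$ref" IV 0)
    [ ${#ref_key} -eq 64 ] || { echo "$ref: Key 0 is not 256 bits" >&2; return 1; }
    [ ${#ref_iv} -eq 24 ]  || { echo "$ref: IV 0 is not 96 bits" >&2; return 1; }
    rc=0
    for f in "$@"; do
        if [ "$(nky_field "$f" Key 0)" != "$ref_key" ] || [ "$(nky_field "$f" IV 0)" != "$ref_iv" ]; then
            echo "$f: Key 0/IV 0 differ from $ref; the device could not unwrap that partition's secure header" >&2
            rc=1
        fi
    done
    return $rc
}

# Print how many Key 1 values are shared by more than one of the .nky files in "$@" (0 = all distinct).
count_reused_key1() {
    printf '%s\n' "$@" | while read -r f; do nky_field "$f" Key 1; done | sort | uniq -d | awk 'END { print NR }'
}

# Print a boot-image bif. $1: "efuse" (efuse_gry_key) or "bh" (bh_gry_key); $2: bh_key_iv file;
# $3: obfuscated key file (bh mode only); $4/$5: FSBL .nky and ELF; $6/$7: application .nky and ELF.
render_boot_bif() {
    case $1 in
        efuse) src=efuse_gry_key; bhkey= ;;
        bh)    src=bh_gry_key;    bhkey="   [bh_keyfile] $3" ;;
        *)     echo "key source must be efuse or bh" >&2; return 1 ;;
    esac
    printf 'boot_img:\n{\n   [keysrc_encryption] %s\n' "$src"
    [ -n "$bhkey" ] && printf '%s\n' "$bhkey"
    printf '   [bh_key_iv] %s\n\n' "$2"
    printf '   [ bootloader, destination_cpu = a53-0, encryption = aes, aeskeyfile = %s ] %s\n' "$4" "$5"
    printf '   [ destination_cpu = a53-3, encryption = aes, aeskeyfile = %s ] %s\n}\n' "$6" "$7"
}

# Write a constructed sample .nky: file key0 iv0 key1 iv1. Placeholder values only; never use on real parts.
write_nky() {
    printf 'Device xczu9eg;\nKey 0 %s;\nIV 0 %s;\nKey 1 %s;\nIV 1 %s;\n' "$2" "$3" "$4" "$5" > "$1"
}

demo() {
    d=$(mktemp -d)
    K0=0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
    I0=000102030405060708090A0B
    # Red key file and two per-partition files: same Key 0/IV 0, but the two partitions reuse Key 1.
    write_nky "$d/red.nky"  "$K0" "$I0" FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210 0B0A090807060504030201FF
    write_nky "$d/fsbl.nky" "$K0" "$I0" 1111222233334444555566667777888899990000AAAABBBBCCCCDDDDEEEEFFFF ABCDEF0123456789ABCDEF01
    write_nky "$d/app.nky"  "$K0" "$I0" 1111222233334444555566667777888899990000AAAABBBBCCCCDDDDEEEEFFFF ABCDEF0123456789ABCDEF01
    check_key0_iv0 "$d/red.nky" "$d/fsbl.nky" "$d/app.nky" && echo "Key 0/IV 0 consistent across all .nky files"
    echo "Key 1 values shared between partitions (should be 0): $(count_reused_key1 "$d/fsbl.nky" "$d/app.nky")"
    render_boot_bif efuse "$d/bhiv.txt" "" "$d/fsbl.nky" fsbl.elf "$d/app.nky" app.elf > "$d/boot_efuse.bif"
    # Real run, not executed here:
    #   bootgen -generate_keys obfuscatedkey -arch zynqmp -image generate_obfuscated_key.bif
    #   bootgen -arch zynqmp -image "$d/boot_efuse.bif" -o BOOT.bin -w on
    echo "bif written to $d/boot_efuse.bif"
}

case ${1:-} in demo) demo ;; esac
```

Run it as `sh nky_check.sh demo` to see the checks against the constructed files; in a real flow, point `check_key0_iv0` at the red key .nky and every aeskeyfile named in the bif before invoking bootgen, and treat a non-zero `count_reused_key1` as a reason to regenerate the per-partition keys.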

...