
# \[ZYNQ] Loading an Encrypted Linux kernel at U-Boot with a KUP Key

Zynq MPSoC devices support loading an image encrypted with the user key (KUP key) at run time. Users can encrypt any data with their own key and provide the encrypted image and the key at the U-Boot stage to decrypt the image. Moreover, [DMA](https://en.wikipedia.org/wiki/Direct_memory_access) and the [CPU caches](https://en.wikipedia.org/wiki/CPU_cache) (D-Cache/I-Cache) have been enabled, so these hardware mechanisms improve decryption speed. This blog is intended to show how to load an encrypted image at the U-Boot stage.

**Key Update Register:**

The key update register is used during boot to support the key rolling feature, where different AES keys must be loaded multiple times. After boot, any key can be loaded into this register via APB by software running on the PS. A 256-bit KUP key is stored in the eight AES key update registers. For more details, see the page on encrypting external files with a PUF key: <https://app.gitbook.com/o/eTBeA3vhkOtihTJASkhd/s/tqiX1ZbXhRorHX3bwk1r/~/changes/25/ecus/zynq_documents/zynq-encrypt-external-files-based-on-file-system-using-puf-key>

Load the encrypted image and KUP key onto DDR at U-Boot from the SD card.

**Bif file to create an encrypted image with a KUP key:**

```
the_ROM_image:
{
[keysrc_encryption]kup_key
[encryption=aes, aeskeyfile=kup_key.nky, load=0x10000000]image.ub
}
```

Bootgen command to generate the encrypted image:

`bootgen -arch zynqmp -image output.bif -o linux.bin -w on -log error`

At U-Boot, use the below command to decrypt the image:

`zynqmp secure <encrypted_img_addr> <size_of_img> <KUP_key_addr>`

Where:

* `encrypted_img_addr` is the DDR address where the encrypted image is loaded.
* `size_of_img` is the size of the encrypted image in bytes.
* `KUP_key_addr` is the DDR address of the KUP key (**note:** this needs to be loaded as plain text).

Copy the boot image, the encrypted image and the key file (a text file containing the plain-text key in hex format) to the SD card.\
Power on the board and stop the boot flow at U-Boot.\
Load the encrypted image and the KUP key onto DDR from the SD card using `fatload` commands.

Example of loading the encrypted image and KUP key:

![Loading the encrypted image and KUP key with fatload](/files/fZqHTHGWMztGg5tKXrsz)

Once you have loaded the encrypted image and the KUP key onto DDR, perform the decryption with the `zynqmp secure` command described above. See the image below for an example:

![Running the zynqmp secure command](/files/6w7V0LghQiOCPs1jtbUv)

U-Boot returns the start address of the decrypted image once decryption has succeeded. If it fails, it returns an error code; check the XilSecure library for the meaning of the error codes. If a load address was specified when encrypting the image, the decrypted image is placed at that address. If no load address was provided, the decrypted image is available at offset 0x2800 from the address where the encrypted image was loaded.

UART log:

![UART log of the decryption result](/files/HuLAQqVrJBSCbf4qt0hJ)
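The following helper, added here and not part of the original page or of Xilinx's tooling, ties the BIF, the `zynqmp secure` command and the decrypted-address rule above together: it generates the BIF from the image name, key file and optional load address, checks that a KUP key string is 256 bits of hex, formats the U-Boot command, and predicts where the decrypted image lands (the `load=` address if one was given, otherwise encrypted address + 0x2800). The `load_addr` parameter and the sample key are constructed for the example.

```python
# Added example (not from the page or Xilinx): helpers for the KUP-key
# encrypt-at-Bootgen / decrypt-at-U-Boot flow on Zynq MPSoC.
import re

KUP_KEY_BITS = 256            # the KUP key is 256 bits (eight 32-bit key update registers)
NO_LOAD_ADDR_OFFSET = 0x2800  # decrypted data offset when the BIF gives no load address


def validate_kup_key_hex(key_hex):
    """Return the normalised key if it is exactly 64 hex digits, else raise ValueError."""
    key_hex = key_hex.strip().lower()
    digits = KUP_KEY_BITS // 4
    if not re.fullmatch(r"[0-9a-f]{%d}" % digits, key_hex):
        raise ValueError("KUP key must be %d hex digits (%d bits)" % (digits, KUP_KEY_BITS))
    return key_hex


def make_bif(image, key_file, load_addr=None):
    """Build the BIF shown above; load_addr is optional (hypothetical parameter)."""
    attrs = ["encryption=aes", "aeskeyfile=%s" % key_file]
    if load_addr is not None:
        attrs.append("load=0x%08x" % load_addr)
    return ("the_ROM_image:\n{\n[keysrc_encryption]kup_key\n"
            "[%s]%s\n}\n" % (", ".join(attrs), image))


def secure_cmd(enc_addr, size, key_addr):
    """Format the U-Boot command: zynqmp secure <enc_addr> <size> <key_addr>."""
    return "zynqmp secure 0x%x 0x%x 0x%x" % (enc_addr, size, key_addr)


def decrypted_addr(enc_addr, load_addr=None):
    """Where U-Boot reports the decrypted image: the BIF load address if one was
    given, otherwise 0x2800 past the address the encrypted image was loaded to."""
    return load_addr if load_addr is not None else enc_addr + NO_LOAD_ADDR_OFFSET


if __name__ == "__main__":
    # Constructed sample values: a dummy key and arbitrary DDR addresses.
    key = validate_kup_key_hex("0123456789abcdef" * 4)
    print(make_bif("image.ub", "kup_key.nky", load_addr=0x10000000))
    enc, size, key_at = 0x100000, 0x1234, 0x2000000
    print(secure_cmd(enc, size, key_at))
    print("decrypted image expected at 0x%x (no load=)" % decrypted_addr(enc))
    print("decrypted image expected at 0x%x (load=)" % decrypted_addr(enc, 0x10000000))
```

The address returned by `zynqmp secure` on the UART should match `decrypted_addr`; a mismatch or an error code means the key, size or addresses passed to the command do not correspond to how the image was generated.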

When the address of the decrypted image is given to the boot command, the kernel boots.

![Booting the decrypted Linux kernel](/files/j8nSJssecacRr7Y8I0Qk)

When the encrypted Linux kernel is booted directly, without decrypting it first, the kernel cannot be booted.

![Attempting to boot the still-encrypted kernel](/files/bSwJMToujVWui7pP001Q)

* <https://docs.xilinx.com/r/en-US/ug1283-bootgen-user-guide>
* <https://docs.xilinx.com/r/2021.1-English/ug1400-vitis-embedded/Boot-Time-Security?tocId=c_pbdXPlhLEGLP5eIvxhYg>
* <https://docs.xilinx.com/v/u/en-US/ug1085-zynq-ultrascale-trm>
* <https://support.xilinx.com/s/article/Zynq-MPSoC-Security-1-Introduction-of-Boot-Time-Security?language=en_US>
* <https://support.xilinx.com/s/article/Zynq-MPSoC-Security-2-Using-BBRAM-for-AES-and-BH-auth-for-RSA?language=en_US>
