Decryption systems and related methods for on-the-fly decryption within integrated circuits
US-9418246-B2 · Aug 16, 2016 · US
US9729319B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9729319-B2 |
| Application number | US-201414570611-A |
| Country | US |
| Kind code | B2 |
| Filing date | Dec 15, 2014 |
| Priority date | Dec 15, 2014 |
| Publication date | Aug 8, 2017 |
| Grant date | Aug 8, 2017 |
Official abstract text for this publication.
Methods and systems are disclosed for key management for on-the-fly hardware decryption within an integrated circuit. Encrypted information is received from an external memory and stored in an input buffer within the integrated circuit. The encrypted information includes one or more encrypted key blobs. The encrypted key blobs include one or more secret keys for encrypted code associated with one or more encrypted software images stored within the external memory. A key-encryption key (KEK) code for the encrypted key blobs is received from an internal data storage medium within the integrated circuit, and the KEK code is used to generate one or more key-encryption keys (KEKs). A decryption system then decrypts the encrypted key blobs using the KEKs to obtain the secret keys, and the decryption system decrypts the encrypted code using the secret keys. The resulting decrypted software code is then available for further processing.
Opening claim text (preview).
What is claimed is:

1. A method for an integrated circuit, comprising: receiving encrypted information from an external memory that is external to the integrated circuit, the encrypted information comprising an encrypted key blob having a secret key for an encrypted software image also stored within the external memory; communicating with an internal memory within the integrated circuit to obtain a key-encryption key (KEK) code; scrambling the KEK code within the integrated circuit to generate a key-encryption key (KEK) for the encrypted key blob; decrypting the encrypted key blob within the integrated circuit with the KEK to obtain the secret key; decrypting encrypted code associated with the encrypted software image within the integrated circuit with the secret key to generate decrypted code; storing the decrypted code within an output buffer within the integrated circuit; and outputting the decrypted code to additional processing circuitry within the integrated circuit; wherein the receiving, communicating, scrambling, decrypting, storing, and outputting are performed within the integrated circuit.
2. The method of claim 1, wherein the receiving, communicating, scrambling, storing, and decrypting are performed such that the KEK and the secret key are accessible to decryption hardware within the integrated circuit and inaccessible to any software-accessible mechanism.
3. The method of claim 1, wherein the encrypted information comprises a plurality of encrypted key blobs for a plurality of encrypted software images stored within the external memory, and wherein each encrypted key blob is associated with one of the encrypted software images and comprises a secret key for that encrypted software image.
4. The method of claim 3, wherein the KEK code is scrambled to provide a KEK for each encrypted key blob, and wherein the decrypting comprises decrypting the plurality of encrypted key blobs to obtain the secret keys and decrypting encrypted code for each encrypted software image using the secret key for that software image.
5. The method of claim 1, wherein the internal memory comprises a one-time programmable (OTP) memory that is programmed to store the KEK code.
6. The method of claim 1, further comprising storing a bypass indicator within the internal memory, and further comprising using the bypass indicator to determine whether to apply scrambling to the KEK code or to bypass scrambling for the KEK code.
7. The method of claim 1, wherein the encrypted code associated with the encrypted software image and the encrypted key blob are encrypted with an AES (Advanced Encryption Standard) encryption algorithm.
8. A system for an integrated circuit, comprising: an input buffer within the integrated circuit configured to receive and to store encrypted information from an external memory, the encrypted information comprising an encrypted key blob having a secret key for an encrypted software image also stored within the external memory; an internal memory within the integrated circuit configured to store a key-encryption key (KEK) code; a decryption system configured to generate a key-encryption key (KEK) from the key-encryption key (KEK) code, to decrypt the encrypted key blob using the KEK to obtain the secret key, to decrypt encrypted code from the encrypted software image using the secret key to generate decrypted code, and to output the decrypted code to additional processing circuitry within the integrated circuit; and a scrambler within the decryption system configured to receive the KEK code and to scramble the KEK code to generate the KEK for encrypted key blob; wherein the input buffer, the internal memory, and the decryption system including the scrambler are within the integrated circuit.
9. The system of claim 8, wherein the decryption system is configured to operate such that the KEK and the secret key are accessible to decryption hardware within the integrated circuit and inaccessible to any software-accessible mechanism.
10. The system of claim 8, wherein the encrypted information comprises a plurality of encrypted key blobs for a plurality of encrypted software images stored within the external memory, and wherein each encrypted key blob is associated with one encrypted software image and comprises a secret key for that encrypted software image.
11. The system of claim 10, wherein the decryption system is further configured to scramble the KEK code to provide a KEK for each encrypted key blob, to decrypt the plurality of encrypted key blobs to obtain the secret keys, and to decrypt the encrypted code for each encrypted software image using the secret key for that software image.
12. The system of claim 8, wherein the internal memory comprises a one-time-programmable (OTP) memory.
13. The system of claim 8, wherein the internal memory is further configured to store a bypass indicator, and wherein a scrambler is configured to use the bypass indicator to determine whether to apply scrambling to the KEK code to generate the KEK for the encrypted key blob or to bypass scrambling for the KEK code to use the KEK code as the KEK for the encrypted key blob.
14. The system of claim 8, wherein the encrypted software code associated with the encrypted software image and the encrypted key blob are encrypted with an AES (Advanced Encryption Standard) encryption algorithm.
15. The system of claim 8, further comprising an output buffer within the decryption system configured to store the decrypted code for output to the additional processing circuitry within the integrated circuit.
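The key hierarchy described in the abstract and claims 1 to 13 (OTP KEK code, optional scrambling controlled by a bypass indicator, KEK-wrapped key blob, then image decryption), simulated as an added Go example that is not part of the patent. The scrambling function, the use of AES-256-GCM, the 32-byte key sizes and the `Provision`/`DecryptImage` names are assumptions made here; the patent specifies none of them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// On-chip scrambler of claims 1, 6 and 13: the 32-byte OTP KEK code is used
// as-is when the bypass indicator is set, otherwise scrambled into the KEK.
// The patent leaves the function unspecified; SHA-256 here is an assumption.
func kekFromCode(code []byte, bypass bool) []byte {
	if bypass { return code }
	h := sha256.Sum256(append([]byte("scrambler-constant:"), code...))
	return h[:]
}

// Claim 7 only names AES; AES-256-GCM with the nonce prepended is an
// assumption, chosen so that a tampered blob fails authentication.
func seal(key, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, pt, nil), nil
}
func open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil || len(blob) < gcm.NonceSize() { return nil, errors.New("bad blob") }
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// Off-chip provisioning (hypothetical helper): wrap a fresh secret key into a
// key blob under the KEK and encrypt the software image under that secret key.
func Provision(code []byte, bypass bool, image []byte) (keyBlob, encImage []byte, err error) {
	secret := make([]byte, 32)
	if _, err = rand.Read(secret); err != nil { return nil, nil, err }
	if keyBlob, err = seal(kekFromCode(code, bypass), secret); err != nil { return nil, nil, err }
	encImage, err = seal(secret, image)
	return keyBlob, encImage, err
}

// On-chip path of claim 1: KEK and secret key exist only inside this function
// (claim 2) and only decrypted code leaves; a mismatched bypass setting or a
// tampered blob fails key-blob authentication before any code is decrypted.
func DecryptImage(otpCode []byte, otpBypass bool, keyBlob, encImage []byte) ([]byte, error) {
	secret, err := open(kekFromCode(otpCode, otpBypass), keyBlob)
	if err != nil { return nil, errors.New("key blob authentication failed") }
	return open(secret, encImage)
}
```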
Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage · CPC title
Details relating to cryptographic hardware or logic circuitry · CPC title
using key encryption key · CPC title