Security - 2021.1 English

Versal ACAP Design Guide (UG1273)

Document ID
UG1273
Release Date
2021-06-30
Version
2021.1 English

The security architecture of Versal ACAP is significantly enhanced from previous generations. The root of trust starts with the BootROM, which authenticates and, optionally, decrypts the PLM firmware. The BootROM can only be loaded into and run from the RCU in the PMC. Once the PLM firmware has been authenticated, the PLM is responsible for the secure loading of all remaining firmware and software, so each later stage is verified by a stage that was itself verified. For more information, see the Versal ACAP System Software Developers Guide (UG1304) and the Versal ACAP Technical Reference Manual (AM011). For detailed security-related information, including usage instructions, see the Versal ACAP Security Manual (UG1508), available from the Design Security Lounge (registration required) on the Xilinx website. The following table lists the possible secure boot configurations for Versal ACAP and compares them with Zynq UltraScale+ MPSoC.

Note: Although there are similarities between the Zynq UltraScale+ MPSoC Encrypt Only (EO) flow and the Versal ACAP Symmetric Hardware Root of Trust (S-HWRoT), the two modes are significantly different in implementation.
Table 1. Cumulative Secure Boot Operations

Boot Type                                    | Authentication          | Decryption             | Integrity (Checksum Verification) | Crypto Engines: Zynq UltraScale+ MPSoC | Crypto Engines: Versal ACAP
---------------------------------------------+-------------------------+------------------------+-----------------------------------+----------------------------------------+------------------------------
Non-secure                                   | No                      | No                     | No                                | N/A                                    | N/A
Hardware Root-of-Trust (HWRoT)               | Yes                     | Optional               | Integrity via Authentication      | RSA, SHA3                              | N/A
Encrypt Only (EO)                            | Yes, via GCM            | Yes                    | Integrity via Authentication      | AES-GCM                                | N/A
Asymmetric Hardware Root-of-Trust (A-HWRoT)  | Yes                     | Optional               | Integrity via Authentication      | N/A                                    | RSA/ECDSA and SHA3
Symmetric Hardware Root-of-Trust (S-HWRoT)   | Yes, via GCM and eFUSEs | Yes (must use PUF KEK) | Integrity via Authentication      | N/A                                    | AES-GCM/PUF
A-HWRoT + S-HWRoT                            | Yes                     | Yes (must use PUF KEK) | Integrity via Authentication      | N/A                                    | RSA/ECDSA, SHA3, AES-GCM, PUF
Authentication + Decryption                  | Yes                     | Yes                    | Integrity via Authentication      | RSA, SHA3, AES-GCM                     | RSA/ECDSA, SHA3, AES-GCM
Decrypt Only                                 | No                      | Yes                    | Yes                               | AES-GCM                                | AES-GCM
Checksum Verification                        | No                      | No                     | Yes                               | SHA3                                   | SHA3

N/A in the two engine columns indicates a boot type that does not apply to that device family.
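The chain-of-trust rule from the paragraph above (BootROM authenticates the PLM, the authenticated PLM authenticates everything after it) and the difference between the "Integrity via Authentication" and "Checksum Verification" rows of Table 1 can be made concrete with a small model. The following is an added example, not Xilinx code and not the real Versal boot-header format: the RSA/ECDSA signature is stood in for by an HMAC-SHA3-256 tag, the eFUSE key hash is a SHA3-256 of the root key held in a constant, and every partition is constructed sample bytes. Decryption (the AES-GCM/PUF KEK column) is not modeled.

```python
# Added illustration of the cumulative secure boot rule; not Xilinx code.
# Stand-ins (assumptions): HMAC-SHA3-256 plays the role of the RSA/ECDSA
# signature, the "eFUSE" is a SHA3-256 hash of the root key in a constant,
# and partitions are constructed sample bytes, not real boot images.
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Partition:
    name: str
    payload: bytes
    digest: bytes     # SHA3-384 of payload, carried in the signed header
    pubkey: bytes     # key the loader must use (stand-in: the HMAC key)
    signature: bytes  # over name || digest (stand-in: HMAC tag)


class BootError(Exception):
    pass


def sha3_384(data: bytes) -> bytes:
    return hashlib.sha3_384(data).digest()


def sign_header(key: bytes, name: str, digest: bytes) -> bytes:
    """What the image-generation tool does offline with the signing key."""
    return hmac.new(key, name.encode() + digest, "sha3_256").digest()


def make_partition(name: str, payload: bytes, key: bytes) -> Partition:
    digest = sha3_384(payload)
    return Partition(name, payload, digest, key, sign_header(key, name, digest))


def verify_partition(part: Partition, efuse_key_hash: bytes) -> bytes:
    """Order matters: pin the key to the eFUSE hash, verify the header
    signature, only then hash the payload against the signed digest.
    Integrity comes from the authenticated digest ("Integrity via
    Authentication" in Table 1), not from a bare checksum."""
    if hashlib.sha3_256(part.pubkey).digest() != efuse_key_hash:
        raise BootError(f"{part.name}: verification key does not match eFUSE hash")
    expected = sign_header(part.pubkey, part.name, part.digest)
    if not hmac.compare_digest(expected, part.signature):
        raise BootError(f"{part.name}: header signature invalid")
    if not hmac.compare_digest(sha3_384(part.payload), part.digest):
        raise BootError(f"{part.name}: payload digest mismatch")
    return part.payload


def checksum_only(part: Partition) -> bool:
    """The "Checksum Verification" row: SHA3 over the payload, nothing signed,
    so anyone who can modify the image can also recompute the checksum."""
    return hmac.compare_digest(sha3_384(part.payload), part.digest)


def secure_boot(image: list, efuse_key_hash: bytes) -> list:
    """BootROM verifies the PLM; the now-trusted PLM verifies every later
    partition by the same rule. Returns (loader, partition) pairs in order."""
    plm, *rest = image
    verify_partition(plm, efuse_key_hash)
    chain = [("BootROM", plm.name)]
    for part in rest:
        verify_partition(part, efuse_key_hash)
        chain.append((plm.name, part.name))
    return chain


def boots(image: list, efuse_key_hash: bytes) -> bool:
    try:
        secure_boot(image, efuse_key_hash)
        return True
    except BootError:
        return False


# --- constructed sample data (not real keys or firmware) ----------------------
ROOT_KEY = b"constructed-root-key-not-a-real-ppk"
EFUSE_PPK_HASH = hashlib.sha3_256(ROOT_KEY).digest()
GOOD_IMAGE = [
    make_partition("PLM", b"constructed PLM firmware", ROOT_KEY),
    make_partition("PSM_FW", b"constructed PSM firmware", ROOT_KEY),
    make_partition("APU_LOADER", b"constructed application loader", ROOT_KEY),
]

# Attacker 1: patch the PLM payload and recompute its digest (no key needed).
orig_plm = GOOD_IMAGE[0]
evil_payload = b"backdoored PLM firmware"
TAMPERED_IMAGE = [Partition(orig_plm.name, evil_payload, sha3_384(evil_payload),
                            orig_plm.pubkey, orig_plm.signature)] + GOOD_IMAGE[1:]

# Attacker 2: re-sign the whole image with a key they control.
ROGUE_KEY = b"attacker-controlled-key"
ROGUE_IMAGE = [make_partition(p.name, p.payload, ROGUE_KEY) for p in GOOD_IMAGE]

if __name__ == "__main__":
    print("chain:", secure_boot(GOOD_IMAGE, EFUSE_PPK_HASH))
    print("tampered passes checksum-only:", checksum_only(TAMPERED_IMAGE[0]))
    print("tampered passes secure boot:", boots(TAMPERED_IMAGE, EFUSE_PPK_HASH))
    print("re-signed passes secure boot:", boots(ROGUE_IMAGE, EFUSE_PPK_HASH))
```

The two attacker cases show why the table separates the rows: a checksum-only image accepts a patched PLM whose digest was simply recomputed, whereas under the hardware root of trust the patched payload fails the signed digest and a re-signed image fails the eFUSE key pin before its signature is even examined.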