The security architecture of Versal ACAP is significantly enhanced from previous generations. The root of trust starts with the BootROM, which verifies the security state of the device. If all checks pass, the BootROM authenticates and then loads the PLM firmware. If you chose to encrypt the PLM, the BootROM also decrypts the PLM after authentication. The BootROM is only run from the RCU in the PMC. After the PLM firmware is loaded and running, the PLM ensures secure loading of the remaining firmware and software. For detailed security-related information, including usage instructions, see the Versal ACAP Security Manual (UG1508) available from the Design Security Lounge (registration required) on the Xilinx website. The following table highlights the possible secure boot configurations for Versal ACAP and shows a comparison with Zynq UltraScale+ MPSoC.
| Boot Type | Operations | Hardware Crypto Engines | |||
|---|---|---|---|---|---|
| Authentication | Decryption | Integrity (Checksum Verification) | Zynq UltraScale+ MPSoC | Versal ACAP | |
| Non-secure | No | No | No |
Yes Does not use built-in engines |
Yes Does not use built-in engines |
| Hardware Root-of-Trust (HWRoT) | Yes | Optional | Integrity via Authentication |
Yes RSA, SHA3 |
No Does not use built-in engines |
| Asymmetric Hardware Root-of-Trust (A-HWRoT) | Yes | Optional | Integrity via Authentication |
No Does not use built-in engines |
Yes RSA/ECDSA, SHA3 (AES-GCM and PUF optional) |
| Symmetric Hardware Root-of-Trust (S-HWRoT) | Yes via GCM and eFUSEs |
Yes Must use PUF KEK |
Integrity via Authentication |
No Does not use built-in engines |
Yes AES-GCM, PUF |
| A-HWRoT + S-HWRoT | Yes |
Yes Must use PUF KEK |
Integrity via Authentication |
No Does not use built-in engines |
Yes RSA/ECDSA, SHA3, AES-GCM, PUF |
| Checksum Verification | No | No | Yes |
Yes SHA3 |
Yes SHA3 |