Asymmetric Hardware Root of Trust Secure Boot

Versal Adaptive SoC Technical Reference Manual (AM011)

Document ID
Release Date
1.6 English

The Versal adaptive SoC A-HWRoT boot mode is built upon the use of RSA-4096 or ECDSA P-384 asymmetric authentication algorithms along with SHA-3/384 for hashing. The PPK is only used for verifying the signature of the SPK, while the SPK is used to authenticate the contents of the image itself. The following table lists the characteristics of each public key type.

Table 1. Public Key Types
Public Key Number Location Revocable
Primary (PPK) 3 or 5 External memory with hash in eFUSEs Yes
Secondary (SPK) 256 Boot image Yes

To reduce the number of fuses required in the device, the full public key is stored in the boot image while 256 bits of a SHA-3/384 hash of each key is securely stored inside the device using eFUSEs. During the secure boot process, the RCU BootROM code first validates the integrity of the full public key stored externally by hashing it (SHA-3/384) and taking 256 bits of that hash and comparing against the value stored in eFUSEs.

There are also 256 SPKs available, each of which are also revocable. The SPK is delivered inside the authenticated boot image, and is signed by the PPK, which is the primary purpose of the PPK. The SPK is intended to authenticate everything else.

PPK Instances

Depending on the device, the Versal adaptive SoC allows for the use of three or five PPKs, each of which is revocable. The following devices have three PPKs, and others have five PPKs. For details on how to use them, see the Versal Adaptive SoC Security Manual (UG1508), which is available on the Design Security Lounge (access controlled site).

  • Versal AI Core Series: VC1502, VC1702, VC1802, VC1902, VC2602 (ES) and VC2802 (ES)
  • Versal AI Edge Series: VE1752, VE2202 (ES), VE2302 (ES), VE2602 (ES), and VE2802 (ES)
  • Versal HBM Series: VH1522, VH1542, VH1582, VH1742, and VH1782
  • Versal Premium Series: VP1102, VP1202, VP1402, VP1502, VP1552, VP1702, VP1802, VP2502, VP2802
  • Versal Prime Series: VM1102 (ES), VM1302, VM1402, VM1502, VM1802, VM2202 (ES), VM2302, VM2502, VM2902
Note: Some devices get updated from three PPKs in engineering samples (ES) to five PPKs in production devices.