The battery-backed RAM (BBRAM) includes 288 bits of memory for a 256-bit AES security key and 32 bits for additional information. The additional 32 bits can be left unused, used for configuration counting by the PLM, or used for user-defined purposes.
For security applications, software writes the AES key into the lower 256 bits using the eight write-only BBRAM_[0:7] registers. After writing the AES key, software writes 32 ECC bits to the BBRAM_AES_CRC register. For non-security applications, the entire BBRAM is available for general purpose storage.
The write to the BBRAM_AES_CRC register causes the CRC engine to read back the AES key from memory and calculate its own CRC. The BBRAM controller CRC engine calculated CRC is then compared to the software CRC to verify the AES key was written correctly to the BBRAM memory. The BBRAM_STATUS register indicates when the verification is complete and indicates the result of the CRC using the [AES_CRC_DONE] and [AES_CRC_PASS] bits, respectively.
The 256-bit AES key can only be read by the AES engine. Software cannot read the 256-bit AES security key in the BBRAM.
The upper 32 bits are read/write using the BBRAM_8 register. These 32 bits can be used to store the configuration count information for the PLM. When configuration count information is not required, the 32 bits are available for user applications. The BBRAM_8 register is write protected by writing a 1 to the BBRAM_MSW_LOCK [VAL] bit. Once the bit is set, it remains set and the register becomes read-only. The PMC must be reset to clear the [VAL] lock bit.
The 256-bit AES key can be securely updated by writing to the BBRAM APB programming interface. After the key is updated, subsequent boots of the device will use the new key. Access to the BBRAM can be protected by the PMC XPPU protection unit.
The following figure shows the BBRAM block diagram.
For additional details, see the Versal Adaptive SoC Security Manual (UG1508). This manual requires an active NDA to download from the Design Security Lounge.