Secure Boot Flow

Versal ACAP Technical Reference Manual (AM011)

Document ID: AM011
Release Date: 2022-04-26
Revision: 1.4 English

This chapter describes the Versal® ACAP secure boot features. The Versal device supports two secure boot modes: Asymmetric Hardware Root of Trust (A-HWRoT) and Symmetric Hardware Root of Trust (S-HWRoT). The A-HWRoT achieves authenticity of the boot image using asymmetric authentication algorithms (RSA or ECC). The S-HWRoT achieves authenticity of the boot image using symmetric means via the GCM mode of AES-256 by encrypting all portions of the boot and configuration files (excluding the boot header). In this mode, confidentiality, integrity, and authentication are provided simultaneously. For additional details, see the Versal ACAP Security Manual (UG1508). This manual requires an active NDA to download from the Design Security Lounge.

Note: Because authentication in S-HWRoT mode is only provided by the encryption process, the boot header is not authenticated and cannot be relied upon for security critical information. As such, security critical information contained in the boot header is ignored in favor of information stored in eFUSEs. See Symmetric Hardware Root of Trust Secure Boot for more details.
Note: The Versal device allows for two methods to protect its secret symmetric keys from differential power analysis (DPA): protocol and built-in leakage reduction. Each method can be used individually or together to create enhanced protection.

The functional blocks in a secure boot process are:

  • Dedicated hardware state machines in the PMC
  • PMC ROM code unit (RCU)
  • PMC Platform processing unit (PPU)

The high-level boot flow summary is shown in the following figure.

Figure 1. High-Level Secure Boot Flow Summary

After the power is applied to the device, the dedicated hardware state machines perform a series of mandatory tasks. First, all test interfaces (e.g., JTAG) initialize to a known secure state. Second, all registers in the PMC are zeroized (reset + verification of reset state). Before execution of the PMC BootROM, the dedicated hardware hashes the immutable BootROM code using the SHA-3/384 engine and compares the calculated cryptographic hash against a golden copy stored in the device. If the hashes match, the integrity of the BootROM is validated, and the PMC RCU is released from reset. If the hash comparison fails, an error is flagged. The default action is to log and continue until the PLM can determine what action to take. However, eFUSEs can be programmed to halt the secure boot process immediately and go into a secure lockdown state when an error occurs.
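The following is an added software model of the BootROM integrity check described above; it is not Xilinx code and does not reflect the hardware state machine's implementation. The ROM image, its golden hash, and the `halt_on_error` flag (standing in for the eFUSE policy) are constructed for the example. It shows the two outcomes of a hash mismatch: the default log-and-continue path, which still releases the RCU and leaves the decision to the PLM, and the eFUSE-selected secure lockdown, which halts boot.

```python
"""Added model (not Xilinx code) of the pre-BootROM integrity check:
hash the immutable ROM image with SHA-3/384, compare against a golden copy,
and apply the eFUSE-selected error policy."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed sample ROM image. On a real device the golden hash is held in
# hardware; here it is simply computed once from the known-good image.
ROM_IMAGE = b"constructed-bootrom-image-bytes" * 64
GOLDEN_HASH = hashlib.sha3_384(ROM_IMAGE).digest()


@dataclass
class BootState:
    halt_on_error: bool                 # hypothetical stand-in for the eFUSE policy bit
    error_log: list = field(default_factory=list)
    lockdown: bool = False              # True once the device enters secure lockdown
    rcu_released: bool = False          # True once the PMC RCU is released from reset


def verify_bootrom(image: bytes, golden: bytes, state: BootState) -> BootState:
    """Hash `image` with SHA-3/384 and compare with `golden` in constant time.

    Match: release the RCU. Mismatch: flag the error, then either halt into
    secure lockdown (eFUSE policy) or log and continue so the PLM can decide.
    """
    digest = hashlib.sha3_384(image).digest()
    # compare_digest avoids leaking, via timing, which byte first differed
    if hmac.compare_digest(digest, golden):
        state.rcu_released = True
        return state

    state.error_log.append("BOOTROM_HASH_MISMATCH")
    if state.halt_on_error:
        state.lockdown = True           # nothing further runs
    else:
        state.rcu_released = True       # default: log and continue
    return state


def boot(image: bytes, halt_on_error: bool) -> BootState:
    """Convenience wrapper: run the check from a fresh power-on state."""
    return verify_bootrom(image, GOLDEN_HASH, BootState(halt_on_error=halt_on_error))


if __name__ == "__main__":
    tampered = ROM_IMAGE[:-1] + b"\x00"
    print("good image      :", boot(ROM_IMAGE, False))
    print("tampered/log    :", boot(tampered, False))
    print("tampered/halt   :", boot(tampered, True))
```

The constant-time comparison is the one detail worth carrying over from this model to any real verifier: a byte-by-byte early-exit compare of a digest against a stored reference turns the comparison itself into a timing side channel.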

Once released, the PMC RCU becomes the center of the secure boot process. It is responsible for all mandatory and optional security operations, as well as the secure loading of the PLM. All security checks at this stage are listed in the following table. Optional checks are enabled by programming eFUSEs.

Table 1. Security Checks

  Security Operation                               | Description                                                                                                | Optional?
  -------------------------------------------------|------------------------------------------------------------------------------------------------------------|----------
  Zeroize PMC RAM                                  | The PMC RAM has zeros written to it and read back to confirm the write was successful                      | No
  User-defined environmental monitoring            | Temperature and voltage are monitored to ensure operation within user-defined limits                       | Yes
  Known answer tests                               | Known answer tests are performed on the cryptographic engines used for loading the PLM prior to them being used | Yes
  NoC configuration (SSI technology devices only)  | Configuration of the NoC on SSI technology devices                                                         | No

The RCU also enforces the secure boot modes (A-HWRoT or S-HWRoT), if enabled, and is responsible for governing the transition of security state by prohibiting the transition from secure to non-secure or non-secure to secure without a full power-on reset (POR).
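Two of the RCU-stage rules above lend themselves to a small model: the mandatory PMC RAM zeroization from Table 1 (write zeros, then read back to confirm) and the rule that a secure/non-secure transition requires a full POR. The following is an added example, not Xilinx code; the `PmcRam` class, its `stuck_bits` fault hook, and the `SecurityStateGuard` class are constructed for illustration. The stuck-bit fault exists only to show why the read-back step matters: a write that silently fails would otherwise leave the RAM reported as clear.

```python
"""Added model (not Xilinx code) of two RCU-stage rules:
(1) PMC RAM zeroization is write-then-read-back, so a bit that fails to
    clear is detected rather than assumed cleared;
(2) secure <-> non-secure transitions are refused unless a full POR has
    occurred since the mode was last set."""


class PmcRam:
    """Tiny RAM model. `stuck_bits` maps address -> bitmask of bits that can
    never be cleared (a constructed fault, used to exercise the read-back)."""

    def __init__(self, size, stuck_bits=None):
        self._mem = bytearray(b"\xa5") * size   # non-zero power-on contents
        self._stuck = stuck_bits or {}

    def write(self, addr, value):
        self._mem[addr] = value | self._stuck.get(addr, 0)

    def read(self, addr):
        return self._mem[addr]

    def __len__(self):
        return len(self._mem)


def zeroize_and_verify(ram):
    """Write zeros to every byte, then read every byte back.
    Returns True only if the read-back confirms the whole RAM is zero."""
    for addr in range(len(ram)):
        ram.write(addr, 0)
    return all(ram.read(addr) == 0 for addr in range(len(ram)))


class SecurityStateGuard:
    """Refuses a change of security state unless a POR has happened in between."""

    NON_SECURE = "non-secure"
    SECURE = "secure"

    def __init__(self):
        self.mode = None            # no mode established until first set after POR
        self._por_pending = True    # device starts from a power-on reset

    def power_on_reset(self):
        self._por_pending = True
        self.mode = None

    def set_mode(self, mode):
        if mode not in (self.NON_SECURE, self.SECURE):
            raise ValueError(f"unknown security state {mode!r}")
        if self.mode is not None and mode != self.mode and not self._por_pending:
            raise PermissionError(f"{self.mode} -> {mode} requires a full POR")
        self.mode = mode
        self._por_pending = False


def transition_allowed(guard, mode):
    """Helper for callers that prefer a boolean to an exception."""
    try:
        guard.set_mode(mode)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    print("healthy RAM zeroized:", zeroize_and_verify(PmcRam(64)))
    print("stuck-bit RAM zeroized:", zeroize_and_verify(PmcRam(64, {3: 0x01})))
    g = SecurityStateGuard()
    g.set_mode(SecurityStateGuard.SECURE)
    print("secure -> non-secure without POR:", transition_allowed(g, SecurityStateGuard.NON_SECURE))
    g.power_on_reset()
    print("secure -> non-secure after POR:", transition_allowed(g, SecurityStateGuard.NON_SECURE))
```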

After all checks pass, the RCU securely loads the PLM (authenticated and, if desired, encrypted). Once loaded, the PLM can check the error messages from inside the device to determine what security actions, if any, are necessary.

The PLM runtime configuration registers area (RTCA) is a reserved space in the PMC RAM that stores status information about the Versal ACAP including the secure boot state. The SECURE_BOOT_STATE register shows if the device was booted with encryption or authentication and what secure countermeasures were enabled.