Secure Key Storage and Management

Versal ACAP Technical Reference Manual (AM011)

Version: 1.4 English

The Versal ACAP AES-GCM cryptographic engine has access to a diverse set of key sources. Non-volatile key sources include eFUSE, BBRAM, and PUF key encryption key (KEK). These keys maintain their values even when the device is powered down. Volatile key sources include a boot header (BH) key, eight user keys, and a key update (KUP) register key.

The device provides a variety of options for securing both boot images and user data. Boot image keys can be stored in BBRAM, eFUSE, or in the boot image itself. These keys can be in plain text (red) or encrypted with the PUF KEK (black).

Table 1. General Key Terms

| Key Name | Description |
|---|---|
| Device | Symmetric key that is stored on the device (eFUSE, BBRAM, boot header) |
| PPK: Primary public key | Public key for asymmetric authentication, used to authenticate the secondary public key |
| SPK: Secondary public key | Public key for asymmetric authentication, used to authenticate partitions |
| AES | Symmetric key used for AES encrypt/decrypt |

The following table provides the different key options used by the AES core. The AES key selection values are included in the Versal ACAP Security Register Reference Manual (AM018). This manual requires an active NDA to download from the Design Security Lounge.

Table 2. Key Sources

| Key Name | Source | Size (bits) | Description |
|---|---|---|---|
| BBRAM | BBRAM | 256 | The BBRAM key is used to store an AES key for boot. This key can be protected by the PUF KEK. |
| BH | Register | 256 | The BH (boot header) key is stored encrypted inside the programmable device image (PDI) boot header and once decrypted it is stored inside the BH key register. |
| EFUSE | eFUSE | 256 | The eFUSE key is used for boot and is stored in the eFUSEs. It can be plain text or encrypted with the PUF KEK. |
| EFUSE_USER (x2) | eFUSE | 256, 128 | The two eFUSE user keys are key storage available for user run-time keys and stored in eFUSE. |
| Key update register (KUP) | Register | 256, 128 | Key source used when key rolling is employed. The next user defined block of data is stored in the KUP. |
| PUF KEK | PUF | 256 | The PUF KEK is a key-encryption key that is generated by the PUF. |
| USER (x8) | Register | 256, 128 | Write only registers available for holding user run-time keys. |

Each register can be individually locked.