Boot Flow

Zynq UltraScale+ Device Technical Reference Manual (UG1085)

Document ID
Release Date
2.3 English

The PMU performs a number of mandatory and optional security operations, including the following.

Optional function: zeroize low power domain (LPD) registers. When the LPD_SC eFUSEs are programmed, the PMU zeroizes all registers in the LPD.

Optional function: zeroize full power domain (FPD) registers. When the FPD_SC eFUSEs are programmed, the PMU zeroizes all registers in the FPD.

Zeroize PMU RAM: the PMU RAM has zeros written to it and read back to confirm the write was successful.

Zeroize the PMU processor's TLB memory.

Voltage checks: the PMU checks the supply voltage of the LPD, AUX, and dedicated I/O to confirm that the voltages are within specification.

Zeroize memories: the PMU zeroizes memories located in the CSU, LPD, and FPDs.

Once these security operations are complete, the PMU sends the CSU immutable ROM code through the SHA-3/384 engine and compares the calculated cryptographic checksum to the golden copy stored in the device. If the cryptographic checksums enabled in the bif file match, the integrity of the CSU ROM is validated and the reset to the CSU is released.

The PMU is responsible for handling the primary pre-boot tasks and management of the PS for reliable power up/power down of system resources. The power-on reset (POR) initiates the PMU operation which directly or indirectly releases resets to any other blocks that are expected to be powered up. In this paradigm, the PMU requires ROM code to hold the initial power-up sequence. The PMU is running even after the boot-up process and is responsible for handling various system resets. It is also used while changing the power state of the system (like power-up, sleep, and wake-up).

During initial boot, the PMU is brought out of reset by the POR, which is then followed by PMU ROM execution. The following describes the sequence of operations done by the PMU processor by executing PMU ROM pre-boot code after a POR reset.

1.Initialize the PS SYSMON unit and the PLL required for boot.

2.Clear the PMU RAM and CSU RAM (external POR only).

3.Validate the PLL locks.

4.Validate the LPD, AUX, and I/O supply ranges using the PS SYSMON unit.

5.Clear the low-power and full-power domains.

6.If there is no error in the previous steps, the PMU releases the CSU reset and enters the PMU service mode. If not, generate and flag a boot error.

Note:   When PMUFW is not used PMU goes to sleep state after boot-up.

When the CSU reset is released, it performs following sequence.

1.Initialize OCM.

2.Determines the boot mode by reading the boot mode register from the captured boot mode state PMU FW, at the POR.

3.The CSU continues by loading the FSBL in OCM for execution by either the RPU or the APU. The CSU then loads the PMU user firmware (PMU FW) into the PMU RAM for execution by the PMU firmware.

The PMU FW provides platform management services in conjunction with the PMU ROM code. The PMU FW is required in most systems and must be present for the Xilinx-based FSBL and system software. The PMU is described in Platform Management Unit.

The CSU is the central configuration processor that manages secure and non-secure system-level configuration. Triple redundancy and built-in ECC (in the embedded processor and surrounding logic) is for system reliability and strong SEU resilience. The CSU also contains the key management unit, crypto accelerators, and the PS/PL programming interface.

The CSU is composed of two main blocks:

A triple-redundant secure processor. It contains the triple-redundant embedded processor(s), associated ROM, a small private RAM for security sensitive data storage, and the necessary control/status registers required to support all secure operations.

A crypto interface contains AES-GCM, a key vault for key storage, DMA, SHA3, RSA, and the processor configuration-access port (PCAP) interface.