PS eFUSEs

Zynq UltraScale+ Device Technical Reference Manual (UG1085)

Document ID
UG1085
Release Date
2022-09-15
Revision
2.3 English

An eFUSE is a small, one-time programmable, non-volatile memory element. The eFUSE arrays store various types of important information. The definition of each bit of an eFUSE is represented in the eFUSE map shown in Table: Zynq UltraScale+ MPSoC Security eFUSEs. The device caches the eFUSE values into registers so that reading the eFUSE value means reading the eFUSE cache and not the physical device eFUSEs. Loading the eFUSE cache occurs during the pre-boot phase, via a register command (EFUSE.EFUSE_CACHE_LOAD) or automatically when the XilSKey library is used. Reading is done from the eFUSE registers at 0xFFCC0000 (see the Zynq UltraScale+ MPSoC Register Reference (UG1087) [Ref 4]).

Because readback is not available on the AES key, a CRC check has been built in to validate that the AES key eFUSE has been programmed correctly. Before the CRC check can be performed on a newly programmed eFUSE, the eFUSE cache must be reloaded.

eFUSEs can be programmed using the Xilinx XilSKey library. Inputs are provided in the application header file xilskey_efuseps_zynqmp_input.h. The corresponding macro names are listed in Table: Zynq UltraScale+ MPSoC Security eFUSEs. For PUF usage, input is provided via the xilskey_puf_registration.h file. For more information on XilSKey library usage, see the Xilinx library documentation.

For details on how to program eFUSEs, see Programming BBRAM and eFUSEs Application Note (XAPP1319) [Ref 20].

Table 12-13:      Zynq UltraScale+ MPSoC Security eFUSEs

Size

Name

Description

XilSKey Name:
XSK_EFUSEPS_

32

USER_{0:7}

256 user defined eFUSEs:

Note:   In the input.h file (see text), write data in the XSK_EFUSEPS_USER{0:7}_FUSES macro and execute the write by setting the XSK_EFUSEPS_USER{0:7}_FUSE macro = True.

USER{0:7}_FUSE

1

USER_WRLK

8 user-defined eFUSE locks.
USER_WRLK columns:
0: Locks USER_0,
1: Locks USER_1,
...
7: Locks USER_7,

Note:   Each eFUSE permanently locks the entire corresponding user-defined USER_{0:7} eFUSE row so it cannot be changed.

USER_WRLK_{0:7}

1

LBIST_EN

Enables logic BIST to run during boot.

LBIST_EN

3

LPD_SC

Enables zeroization of registers in low power domain (LBD) during boot.

Note:   Any of the eFUSE programmed will perform zeroization. Xilinx recommends programming all of them.

LPD_SC_EN

3

FPD_SC

Enables zeroization of registers in full power domain (FBD) during boot.

Note:   MGTs must be powered to perform zeroization of the FPD.

Note:   Any of the eFUSE programmed will perform zeroization. Xilinx recommends programming all of them.

FPD_SC_EN

3

PBR_BOOT_
ERROR

When programmed, boot is halted on any PMU error.

PBR_BOOT_ERR

32

CHASH

PUF helper data

N/A - handled by PUF registration software directly.

24

AUX

PUF helper data: ECC vector

N/A - handled by PUF registration software directly.

1

SYN_INVLD

Invalidates PUF helper data stored in eFUSEs.

XSK_PUF_SYN_INVALID

1

SYN_LOCK

Locks PUF helper data from future programming.

XSK_PUF_SYN_WRLK

1

REG_DIS

Disables PUF registration.

XSK_PUF_REGISTER_DISABLE

1

AES_RD

Disables the AES key CRC integrity check for eFUSE key storage.

AES_RD_LOCK

1

AES_WR

Locks AES key from future programming.

AES_WR_LOCK

1

ENC_ONLY(1)(2)

When programmed, all partitions are required to be encrypted. Xilinx recommends using this only if security is required and the hardware root of trust (RSA_EN) is not used.

ENC_ONLY

1

BBRAM_DIS

Disables the use of the AES key stored in BBRAM.

BBRAM_DISABLE

1

ERR_DIS

Prohibits error messages from being read via JTAG (ERROR_STATUS register).

Note:   The error is still readable from inside the device.

ERR_DISABLE

1

JTAG_DIS(1)

Disables JTAG. IDCODE and BYPASS are the only allowed commands.

JTAG_DISABLE

1

DFT_DIS(1)

Disables design for test (DFT) boot mode.

DFT_DISABLE

3

PROG_GATE

When programmed, these fuses prohibit the PROG_GATE feature from being engaged. If any of these are programmed, the PL is always reset when the PS is reset.

Note:   Only one eFUSE needs to be programed to prohibit the PROG_GATE feature from being engaged. Xilinx recommends programming all three.

PROG_GATE_DISABLE

1

SEC_LK

When programmed, the device does not enable BSCAN capability while in secure lockdown.

SECURE_LOCK

15

RSA_EN(1)(2)

When any one of the eFUSEs is programmed, every boot must be authenticated using RSA. Xilinx recommends programming all 15 eFUSEs.

RSA_ENABLE

1

PPK0_WR

Primary public key write lock. When programmed, this prohibits future programming of PPK0.

PPK0_WR_LOCK

2

PPK0_INVLD

When either of the eFUSEs are programmed, PPK0 is revocated. Xilinx recommends programming both eFUSEs when revocating PPK0.

PPK0_INVLD

1

PPK1 WR

Primary public key write lock. When programmed this prohibits future programming of PPK1.

PPK1_WR_LOCK

2

PPK1_INVLD

When either of the eFUSEs are programmed, PPK1 is revocated. Xilinx recommends programming both eFUSEs when revocating PPK1.

PPK1_INVLD

32

SPK_ID

Secondary public key ID.

Note:   Write the SPK ID bits into the XSK_EFUSEPS_SPK_ID eFUSE array and set XSK_EFUSEPS_SPKID = True.

SPK_ID

256

AES

User AES key

Note:   Write data in the XSK_EFUSEPS_AES_KEY macro and execute the write by setting the XSK_EFUSEPS_WRITE_AES_KEY
macro = True.

AES_KEY

384

PPK0

User primary public key0 HASH

Note:   Write data in the XSK_EFUSEPS_PPK0_HASH macro. To program 256 bits, use the LSBs and set XSK_EFUSEPS_PPK0_IS_SHA3 = False. To program 384 bits, set XSK_EFUSEPS_PPK0_IS_SHA3 = True. Execute the write by setting the XSK_EFUSEPS_WRITE_PPK0_HASH macro = True.

PPK0_HASH

384

PPK1

User primary public key1 HASH

Note:   Write data in the XSK_EFUSEPS_PPK1_HASH macro. To program 256 bits, use the LSBs and set XSK_EFUSEPS_PPK1_IS_SHA3 = False. To program 384 bits, set XSK_EFUSEPS_PPK1_IS_SHA3 = True. Execute the write by setting the XSK_EFUSEPS_WRITE_PPK1_HASH macro = True.

PPK1_HASH

N/A

PUF_HD

Syndrome of PUF HD. These eFUSEs are programmed using Xilinx provided software, Xilskey

N/A - handled by PUF registration software directly.

Note:   

1.IMPORTANT. Programming any of the noted eFUSE settings preclude Xilinx test access. Consequently, Xilinx does not accept return material authorization (RMA) requests.

2.When the ENC_ONLY or RSA_EN eFUSE is blown, the JTAG boot mode is no longer available. If this was the only mechanism used to program the boot flash, a secondary means should be employed. Xilinx recommends some other form of in-system flash programming and not relying on booting the device successfully to update the flash contents.