PUF Operations

Zynq UltraScale+ Device Technical Reference Manual (UG1085)

Document ID
Release Date
2.3 English

Access to the PUF is restricted by the CSU. The CSU offers the PUF as a CSU service. The PUF can be accessed through the CSU registers. The CSU supports the user commands listed in Table: CSU User Commands.

Table 12-7:      CSU User Commands




Create a new KEK and associated helper data (first time).


Create a new KEK and associated new helper data.


Encrypt/decrypt with the existing KEK and associated helper data (valid for eFUSE helper data only).

This Figure shows a block diagram of how the PUF is connected inside the CSU.

Figure 12-6:      Block Diagram of PUF Connection in CSU

X-Ref Target - Figure 12-6


The PUF undergoes a registration process when a key is initially loaded into the device. The registration process initializes the PUF so that a KEK is created. The registration software can then use the KEK to encrypt the user key and program the eFUSEs. Alternatively, the encrypted user key can be output for inclusion into a boot image. The registration software also programs the helper data into the eFUSEs. Alternatively, the helper data can be output for inclusion into a boot image. The helper data and the encrypted user key must be stored in the same location (i.e., both in eFUSE or both in the boot image).

When the device powers on, the CSU bootROM examines the authenticated boot image header. The boot image header contains information on whether the PUF is used, where the encrypted key is stored (eFUSE or boot image), and where the helper data is stored (eFUSE or boot image). The CSU then initializes the PUF, loads the helper data, and regenerates the KEK. This process is called regeneration. Once the KEK is regenerated, the CSU bootROM can use it to decrypt the user key, which is then used to decrypt the rest of the boot image.