Security - 2023.2 English

Versal Adaptive SoC Design Guide (UG1273)

Document ID
UG1273
Release Date
2023-10-25
Version
2023.2 English

The security architecture of Versal adaptive SoC is significantly enhanced from previous generations. The root of trust starts with the BootROM, which verifies the security state of the device. If all checks pass, the BootROM authenticates and then loads the PLM firmware. If you chose to encrypt the PLM, the BootROM also decrypts the PLM after authentication. The BootROM is only run from the RCU in the PMC. After the PLM firmware is loaded and running, the PLM ensures secure loading of the remaining firmware and software. For detailed security-related information, including usage instructions, see the Versal Adaptive SoC Security Manual (UG1508) available from the Design Security Lounge (registration required) on the AMD website. The following table highlights the possible secure boot configurations for Versal adaptive SoC and shows a comparison with Zynq UltraScale+ MPSoC.

Table 1. Cumulative Secure Boot Operations
Boot Type Operations Hardware Crypto Engines
Authentication Decryption Integrity (Checksum Verification) Zynq UltraScale+ MPSoC Versal Adaptive SoC
Non-secure No No No

Yes

Does not use built-in engines

Yes

Does not use built-in engines

Hardware Root-of-Trust (HWRoT) Yes Optional Integrity via Asymmetric Authentication

Yes

RSA, SHA3

N/A
Asymmetric Hardware Root-of-Trust (A-HWRoT) Yes Optional Integrity via Asymmetric Authentication N/A Yes

RSA/ECDSA, SHA3

(AES-GCM and PUF optional)

Symmetric Hardware Root-of-Trust (S-HWRoT) Yes via GCM and eFUSEs

Yes

Must use PUF KEK

Integrity via Asymmetric Authentication N/A Yes

AES-GCM, PUF

A-HWRoT + S-HWRoT Yes

Yes

Must use PUF KEK

Integrity via Asymmetric Authentication N/A Yes

RSA/ECDSA, SHA3, AES-GCM, PUF

Checksum Verification No No Yes Yes

SHA3

Yes

SHA3