Versal® introduces a new hashing scheme that minimizes boot time and buffer space required by the PLM while authenticating partitions. The hashing scheme centers on including the hash for the next block of data in the current block of data (similar to what is done with key rolling). This allows a single signature to be used for the entire partition, regardless of partition size, and removes the need to buffer hashes inside the PLM itself. This scheme is used on all partitions except for the bootloader. This block of data, that is hashed each time, is referred to as secure chunk. This chunk size is 32KB for Versal.
The hashing scheme as per the table below:
Partition Chunk Count | Partition Chunking Scheme | Notes |
---|---|---|
CHUNK 0 | [ Authentication Certificate - Partition Sign Field + SECURE HEADER + GCM TAG + SECURE_CHUNK_SIZE + HASH OF CHUNK 1 ] | This data is hashed and then signed. This signature sits in the Partition Signature field of AC |
CHUNK 1 | SECURE_CHUNK_SIZE + HASH OF CHUNK 2 ] | |
CHUNK 2 | SECURE_CHUNK_SIZE + HASH OF CHUNK 3 ] | |
CHUNK n-1 | SECURE_CHUNK_SIZE + HASH OF CHUNK n] | |
CHUNK n | [ REMAINING LENGTH ] |
The SECURE_CHUNK_SIZE applicable to Versal® is 32KB.