Configuration Update with Partition Revocation

Versal Adaptive SoC Technical Reference Manual (AM011)

Document ID
Release Date
1.6 English

Key revocation, as described in the A-HWRoT secure boot mode, is not available in the S-HWRoT secure boot mode. However, it is still important to support the revocation of individual partitions if an update is required and for protection against a rollback attack. In S-HWRoT secure boot mode, rollback protection is achieved via the use of the revocation ID (stored in eFUSEs) associated with each partition. While key revocation itself is not supported, it is possible to render that key inoperable by revoking the ID of the partition encrypted with that key and replacing it with a partition encrypted with a new key/IV pair and a new (valid) revocation ID.