The Versal adaptive SoC A-HWRoT boot mode is built on the RSA-4096, LMS, or ECDSA P-384 asymmetric authentication algorithms together with hardware-accelerated hashing. The PPK is used only to verify the signature of the SPK, while the SPK is used to authenticate the contents of the image itself. The following table lists the characteristics of each public key type.

| Public Key | Number | Location | Revocable |
|---|---|---|---|
| Primary (PPK) | 3 | External memory with hash in eFUSEs | Yes |
| Secondary (SPK) | 256 | Boot image | Yes |

The SHA-3/384 hash of each PPK is securely stored inside the device eFUSEs. During the secure boot process, the RCU BootROM code first validates the integrity of the full public key stored in the authenticated boot image by hashing it (SHA-3/384) and comparing the result against the value stored in eFUSEs.

There are also 256 SPKs available, each of which is also revocable. The SPK is delivered inside the authenticated boot image and is signed by the PPK; signing the SPK is the primary purpose of the PPK. The SPK is intended to authenticate everything else.
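
The two-level chain described above, modelled as an added example (not BootROM, PLM or vendor code). Assumptions: toy RSA keys built from Mersenne primes with unpadded signatures stand in for RSA-4096, and the image field names, the order of the checks, the SPK blob layout and the way revocation state is passed in are hypothetical.

```python
import hashlib
import hmac

E = 65537  # public exponent of the constructed toy keys

def toy_key(a, b):
    """Constructed RSA key from Mersenne primes 2^a-1, 2^b-1 (stand-in for RSA-4096)."""
    p, q = 2**a - 1, 2**b - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (modulus n, private exponent d)

def sha3_int(data):
    return int.from_bytes(hashlib.sha3_384(data).digest(), "big")

def sign(data, n, d):  # textbook RSA without padding: a simplification
    return pow(sha3_int(data), d, n)

def verify(data, sig, n):
    return pow(sig, E, n) == sha3_int(data)

def key_bytes(n):
    return n.to_bytes((n.bit_length() + 7) // 8, "big")

def spk_blob(spk_id, spk_n):  # assumed layout: the SPK ID is covered by the PPK signature
    return bytes([spk_id]) + key_bytes(spk_n)

def build_image(payload, ppk, spk, spk_id):
    return {"ppk_n": ppk[0], "spk_n": spk[0], "spk_id": spk_id,
            "spk_sig": sign(spk_blob(spk_id, spk[0]), *ppk),
            "payload": payload, "payload_sig": sign(payload, *spk)}

def authenticate(img, efuse_hashes, revoked_ppk_slots, revoked_spk_ids):
    """Return "ok" or the name of the first failed check."""
    # 1. Hash the PPK shipped in the image and match it against the eFUSE values.
    h = hashlib.sha3_384(key_bytes(img["ppk_n"])).digest()
    slot = next((i for i, f in enumerate(efuse_hashes) if hmac.compare_digest(h, f)), None)
    if slot is None:
        return "ppk-hash-mismatch"
    if slot in revoked_ppk_slots:
        return "ppk-revoked"
    # 2. The PPK's only job: verify the signature over the SPK.
    if not verify(spk_blob(img["spk_id"], img["spk_n"]), img["spk_sig"], img["ppk_n"]):
        return "spk-signature-invalid"
    if img["spk_id"] in revoked_spk_ids:
        return "spk-revoked"
    # 3. The SPK authenticates the image contents.
    if not verify(img["payload"], img["payload_sig"], img["spk_n"]):
        return "payload-signature-invalid"
    return "ok"

PPK, SPK, ROGUE = toy_key(521, 607), toy_key(1279, 2203), toy_key(607, 1279)
EFUSES = [hashlib.sha3_384(key_bytes(PPK[0])).digest(), bytes(48), bytes(48)]  # 3 PPK slots
IMAGE = build_image(b"constructed boot payload", PPK, SPK, spk_id=7)
```

Revoking SPK ID 7 rejects `IMAGE` without touching the PPK, which is why the chain keeps the PPK out of day-to-day image signing.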