Embedded Microprocessor Code - Embedded Microprocessor Code - AM026

Versal AI Edge Series Gen 2 and Prime Series Gen 2 Technical Reference Manual (AM026)
Document ID
AM026
Release Date
2025-12-23
Revision
1.3 English

There are three embedded microprocessors.

  • ROM code unit (RCU) executes the BootROM code, for more information refer to the RCU ROM Code Unit chapter.
  • PPU processor executes the platform loader and manager (PLM) firmware with access to its local PPU RAM and the PMC RAM.
  • Application security unit (ASU) processor executes the ASU firmware to provide runtime security services to the APU, RPU, and PL.

The functionality of the BootROM code is described in Platform Boot, Control, and Status.

RCU BootROM Code

The deeply embedded RCU is the first processor to start up after a system reset (SRST) or power-on reset (POR). The RCU executes its BootROM code to initialize the hardware and validate the boot device, which includes processing the boot header that is accessed from the boot device. The RCU downloads the PLM firmware into the PPU RAM. When the PMC hardware is ready, the RCU releases the reset on the PPU processor to begin execution of the PLM firmware.

The RCU BootROM code and PLM firmware work together to provide platform attestation services. The platform attestation services make use of platform configuration registers (PCRs), open compute project (OCP), and device identifier composition engine (DICE) support. Information about OCP can found at https://www.opencompute.org.

PLM Firmware Code

The PLM firmware runs on the MicroBlaze-based platform processing unit (PPU). The PLM firmware is generated by the AMD Vivado™ and AMD Vitis™ tools and configures the system for device boot. The PLM firmware includes code to support a single image or a series of image downloads. After system boot, the PLM goes on to manage system resources.

The PLM reads the programmable device image (PDI) from the boot source, and initializes and configures the system components for the APU and RPU subsystems. The PLM configuration normally includes NoC initialization, DDR memory controller initialization, programmable logic configuration, and loading real-time and application software in the processing system. The operations and responsibilities of the PLM firmware support the adaptive SoC application. When the processing system takes control of the adaptive SoC, the PLM monitors system activity and responses to system requests from the real-time and application processing units, RPU, APU, and the programmable logic.

ASU Firmware Code

The ASU firmware is securely authenticated and/or decrypted by the PLM firmware and runs on the dedicated ASU MicroBlaze RISC-V processor. The ASU provides SAE J3101-2020 Hardware Protected Security For Ground Vehicles compliant runtime security services to software running in the APU, RPU, and PL. The ASU security services include:

  • Key management
    • Key generation and destruction
    • Exportable and importable key vault only accessible by the ASU
    • Key wrap and unwrap support
    • NIST SP 800-108r1 key generation function (KDF) support
  • AES encryption and decryption with 128-bit and 256-bit key support with hardware counter measures in the following modes:
    • Galois counter mode (GCM) and message authentication code (GMAC)
    • Electronic code block (ECB)
    • Cipher block chaining (CBC)
    • Counter (CTR)
    • Output feedback (OFB)
    • Cipher feedback (CFB)
    • Cipher block chaining message authentication code (CCM)
    • Cipher-based message authentication code (CMAC)
  • RSA public key and private key operations
    • 2048, 3076, and 4096-bit key size support
    • Raw RSA encrypt and decrypt
    • OAEP encrypt and decrypt
    • PSS sign and verify
    • Manufacturing endorsement keys
  • Elliptical curve digital signature algorithm (ECDSA), supporting multiple curves
    • NIST P-192, P-256, P-384, P-521
    • Edwards Curve25519, Curve448
    • Brainpool P256r1, P320r1, P384r1, P512r1
  • LMS
    • Signature verification
    • SHA-256 and SHAKE256
  • Elliptic curve Diffie-Hellman (ECDH), key exchange, supporting multiple curves
  • 256-bit true random number generation (TRNG)
    • Supports key generation for all algorithms listed
  • Secure hash algorithms (SHA)
    • SHA-256, SHA-384, SHA-512 (SHA-2 family)
    • SHA3-256, SHA3-384, SHA3-512, SHAKE-256
  • Elliptic curve integrated encryption scheme (ECIES)
    • Encrypt and decrypt operations
  • All algorithms listed support known answer test (KAT) functionality
  • Hash-based message authentication code (HMAC)
    • SHA-256, SHA-384, SHA-512, SHA3-256, SHA3-384, and SHA3-512
  • Software based module-lattice-based key-encapsulation mechansim (ML-KEM) CRYSTALS-Kyber
  • Software based module-lattice-based digital signature algorithm (ML-DSA) CRYSTALS-Dilithium
  • Stateless hash-based digital signature algorithm (SLH-DSA) SPINCS+
  • Open computer platform (OCP) device identifier composition engine (DICE) support
  • Unique device endorsement (UDE) support

The ASU is physically embedded into the low-power domain (LPD) near the processing system. The ASU architecture and a list of functional units are included the ASU Interconnect Diagram section.