The security architecture of the Versal adaptive SoC is significantly enhanced from previous generations. The root of trust starts with the BootROM, which verifies the security state of the device. If all checks pass, the BootROM authenticates and then loads the PLM firmware. If you choose to encrypt the PLM, the BootROM also decrypts the PLM after authentication. The BootROM runs only from the RCU in the PMC. After the PLM firmware is loaded and running, the PLM ensures secure loading of the remaining firmware and software.

For detailed security-related information, including usage instructions, see the Versal Adaptive SoC Security Manual (UG1508), available from the Design Security Lounge (registration required) on the AMD website.

The following table highlights the possible secure boot configurations for the Versal adaptive SoC and compares them with the Zynq UltraScale+ MPSoC.
Boot Type | Operation: Authentication | Operation: Decryption | Operation: Integrity (Checksum Verification) | Hardware Crypto Engines: Zynq UltraScale+ MPSoC | Hardware Crypto Engines: Versal Adaptive SoC
---|---|---|---|---|---
Non-secure | No | No | No | Yes, does not use built-in engines | Yes, does not use built-in engines
Hardware Root-of-Trust (HWRoT) | Yes | Optional | Integrity via Asymmetric Authentication | Yes: RSA, SHA3 | N/A
Asymmetric Hardware Root-of-Trust (A-HWRoT) | Yes | Optional | Integrity via Asymmetric Authentication | N/A | Yes: RSA/ECDSA, SHA3 (AES-GCM and PUF optional)
Symmetric Hardware Root-of-Trust (S-HWRoT) | Yes, via GCM and eFUSEs | Yes, must use PUF KEK | Integrity via Asymmetric Authentication | N/A | Yes: AES-GCM, PUF
A-HWRoT + S-HWRoT | Yes | Yes, must use PUF KEK | Integrity via Asymmetric Authentication | N/A | Yes: RSA/ECDSA, SHA3, AES-GCM, PUF
Checksum Verification | No | No | Yes | Yes: SHA3 | Yes: SHA3