Secure Boot Modes - 2024.1 English

Vivado Design Suite User Guide: Dynamic Function eXchange (UG909)

Document ID
Release Date
2024.1 English

Versal devices support secure boot capabilities. You can use encryption (AES-GCM) and authentication (RSA or ECDSA) features with DFX designs, within monolithic or SSI technology devices.

If encryption is enabled, you must apply the same AES key for both full and partial PDI images. Mismatched encryption key values between full and partial images are not permitted. Encrypted partial images cannot follow an unencrypted initial boot of a device. However, unencrypted partial images can be delivered to a device that was initially configured with an encrypted full image but only via paths from internal, trusted memory locations.

When using authentication, you can use the authentication algorithms (RSA-4096 or ECDSA P-384) as needed, and there is no dependency between the initial full-design boot image and the partial images based on the scheme used. You can send authenticated partial images after an unauthenticated initial boot image and vice versa. You can add authentication capabilities to encrypted or unencrypted programming images.

For more information on secure boot modes, see the Versal Adaptive SoC System Software Developers Guide (UG1304) and the Versal Adaptive SoC Technical Reference Manual (AM011).