Boot With Trust: How PolarFire® SoC FPGAs Provide Secure Startup

In modern embedded systems, the boot process is the foundation of trust. If attackers compromise the initial boot stage, they can insert malicious firmware and bypass security control and extract sensitive data. To address this, our PolarFire^® System-on-Chip Field-Programmable Gate Arrays (SoC FPGAs) implement a secure boot mechanism that authenticates firmware payloads before beginning execution. This affirms that only verified, trusted firmware runs on the hardware—establishing a root of trust.

The Problem: A Boot Process Open to Exploitation

Every embedded device starts by executing boot flow, but unprotected systems, configurations and firmware are often stored in external unencrypted memory, leaving them exposed to serious risks. These risks include tampering, where malicious firmware can be injected to compromise entire networks, or downgrade attacks, where older and vulnerable firmware versions are reintroduced. Such attacks can compromise the entire system before higher-level protections are even activated.

Real-World Incidents Demonstrating the Importance of Secure Boot

1. LoJax UEFI Rootkit: ESET researchers discovered LoJax, a UEFI rootkit that modified the system firmware to persist below the OS, surviving reinstalls. Hardware-enforced secure boot would block unauthorized UEFI modules from executing, preventing persistent firmware compromise.
2. Stuxnet Malware: Stuxnet used stolen digital certificates to run malicious kernel drivers undetected, enabling manipulation of industrial control systems. Secure boot with a device-bound root of trust reduces the risk of executing firmware signed with stolen keys.

These incidents demonstrate how firmware-level attacks can evade all OS and application-level protections if the boot process is unsecured.

Secure Boot in PolarFire^® SoC FPGAs

To address these vulnerabilities, the PolarFire^® SoC FPGAs employ a secure boot methodology. At power-up, the system controller initiates the secure boot process. Its behavior depends on the configured boot mode:

Boot Mode 3:

The system controller loads a secure boot loader from its protected internal memory onto the tightly integrated memory (8KB DTIM) of the E51 monitor core.

The bootloader checks the integrity of the eNVM contents using hash and authenticates the signature using Elliptical curve cryptography. If the integrity check and authentication passes, the code in the eNVM is executed and the next levels of firmware payloads are loaded, and application codes are booted. If the verification or authentication fails, a BOOT_FAIL tamper flag is raised in the FPGA fabric tamper macro and the next stage payloads are not loaded for execution. The user may choose to handle the BOOT_FAIL tamper flag in the FPGA fabric design as they see fit for their application.

Boot Mode 2:

PolarFire SoC users may choose to develop their own proprietary boot code, and they can use boot mode 2 to implement it. The user can use the PUF protected Secure NVM (sNVM) to store their boot loader code. In Boot mode 2, the system controller loads a boot loader code on to the monitor core’s 8 KB DTIM and checks the integrity and authenticates the contents of the sNVM. If the integrity check or signature authentication fails, BOOT_FAIL tamper flag is raised. The user application in the FPGA fabric can handle the tamper flag as per the application requirements.

Subsequent Boot Stages:

After the system controller secure boot completes (Boot Mode 2 or 3), the device may transition into subsequent bootloaders such as the Hart Software Services (HSS) or U-Boot for booting subsequent workloads such as Linux/ RTOS. These are considered second-stage bootloaders, and they can enforce their own security policies:

• In the case of Boot mode 3, the eNVM contains the HSS. The HSS initializes system peripherals and performs ECDSA authentication of the next-stage payload before passing the execution flow. If authentication fails, the code enters boot_secure_failure_ () loop, spinning indefinitely until a watchdog (if enabled) resets the Core Complex.
• No tamper flags are raised at this stage. However, user code retains control and can implement appropriate mechanisms as needed.

Hardware Root of Trust on PolarFire SoC

The secure boot process is anchored in a Hardware Root of Trust (HwRoT) that certifies the first instructions executed at power-up are immutable and trustworthy. This secure boot flow is anchored in silicon. An immutable boot ROM initiates the process, while PUF-protected sNVM secures keys and proprietary loaders. On-chip cryptographic engines accelerate authentication, and tamper flags enforce failure responses. Together, these features provide an HRoT that confirms only verified firmware ever runs.

Real-World Importance: Why Secure Boot Matters

• Defense and Aerospace: Protects mission-critical systems from adversaries attempting to implant malicious payloads. Sometimes these hackers may have infinite resources, making physical security a necessity.
• Automotive ECUs with OTA Firmware updates: Allowed only authentic software updates to be applied, safeguarding safety-critical functions.
• Industrial IoT: These applications involve networks of interconnected devices. If one edge node is compromised, it can jeopardize the entire network. Secure boot at every edge is critical to prevent malware injection and provide system-wide security.

Case studies (Stuxnet, LoJax) in both automotive and defense have shown that unprotected boot processes are a favorite target for attackers. A single compromised bootloader can lead to IP theft or full system takeover.

Hardware-Rooted Security Builds Cyber Resilience

When it comes to building trusted systems, everything starts at the boot. Our PolarFire SoC FPGAs deliver a hardware-enforced secure boot that permits only authorized firmware to be executed, integrating authentication, encryption and tamper detection into a seamless defense. Learn more at PolarFire Family FPGA Security User Guide.

If the boot process isn’t secure, nothing is—it’s the cornerstone of trust.