January 5, 2026
Article
iWave has validated Secure Boot on its Zynq™ UltraScale+™ MPSoC–based System on Modules (SoMs), enabling customers to implement a verified and hardware-enforced boot process that ensures system integrity from power-on
As embedded systems increasingly power industrial, edge AI, defense, and connected applications, security has become a foundational requirement rather than an optional feature. To address this need, iWave has validated Secure Boot on its Zynq™ UltraScale+™ MPSoC based System on Modules (SoMs), enabling customers to build platforms that are protected against unauthorized firmware, code tampering, and supply-chain threats from the very first instruction executed.
Secure Boot on iWave’s Zynq™ UltraScale+™ MPSoC SoMs establishes a hardware root of trust (HWRoT) at power-on, ensuring that only authenticated and authorized firmware is allowed to run. During device reset, the on-chip Boot ROM verifies the first-stage bootloader (FSBL) before any user code executes, forming a trusted boot chain that safeguards the system throughout startup. This validation allows customers to confidently deploy iWave SoMs in security-critical applications while meeting stringent reliability and compliance requirements.
iWave has validated multiple Secure Boot mechanisms on Zynq™ UltraScale+™ MPSoC System on Modules to support different security and lifecycle requirements.
| Description | Pros | Cons | |
|---|---|---|---|
| BBRAM-Based Secure Boot | Stores cryptographic keys in battery-backed RAM used by the hardware root of trust to authenticate or decrypt boot images during power-up. |
|
|
| Boot Header Authentication | Uses a signed authentication header within the boot image. The device verifies the signature before executing the firmware. |
|
|
| Boot Header Authentication | Stores cryptographic keys or hashes in one-time programmable on-chip fuses, forming a permanent hardware root of trust. |
|
|
Secure Boot on Zynq™ UltraScale+™ MPSoC–based System on Modules (SoMs) ensures that only trusted and authenticated firmware is allowed to execute on the device. At power-on or reset, the device’s on-chip security engine validates both the integrity and authenticity of the boot image before any user code is executed.
By enforcing cryptographic verification at boot time, Secure Boot protects embedded platforms against a wide range of threats, including firmware modification, malicious code injection, and supply-chain attacks.
This cryptographic combination provides strong protection against firmware tampering, key substitution, and unauthorized code execution.
In iWave’s production flow, customers retain full ownership and control of their cryptographic assets. Signing keys and firmware images are generated within the customer’s secure environment. Only the corresponding verification data—such as public key hashes—is programmed into the device’s secure hardware storage, including eFUSE or one-time programmable (OTP) memory.
During every boot cycle, the hardware validates the signed FSBL against the fused verification data. If authentication fails, execution is halted, preventing unauthorized firmware from running on the device. This approach combines customer-controlled key management with iWave’s expertise in secure provisioning and manufacturing, ensuring both security and scalability in production environments.
In an era of connected and distributed embedded systems, Secure Boot is not optional; it is the foundation for device integrity, IP protection, and long-term customer trust.
For more information, reach out to us through mktg@iwave-global.com
We appreciate you contacting iWave.
Our representative will get in touch with you soon!