
Bitstream Encryption


I have a question related to bitstream encryption using the eFUSE option. If my FPGA has the bitstream encryption key stored in the eFUSE, how will Vivado know the encryption key when generating a new encrypted bitstream? Does Vivado have a method to read back the key from the eFUSE and use it for encryption?


Solution

  • How can Vivado know the encryption key?

    Vivado uses an NKY file that is generated when setting the encryption key. For instance when executing

     set_property BITSTREAM.ENCRYPTION.KEY0 256'h12345678ABCDDCBA12345678ABCDDCBA12345678ABCDDCBA12345678ABCDDCBA [current_design]
    

    An NKY file will be created, whose format is:

    KEY 0 <hex string> (256 bit AES key)
    

    For example: (top.nky)

    Device xc7k325t;
    Key 0 12345678ABCDDCBA12345678ABCDDCBA12345678ABCDDCBA12345678ABCDDCBA;
    Key StartCBC 7115e9aa80085ea3ed65d26d3a8ab608;
    Key HMAC d293d51c6058430262b05521f8f67279c9abce27d5fcafcf839bbe1af46713cc;
    

  • Can Vivado read back the key?

    Quoting XAPP1239:

    The encryption key can only be loaded onto a device through the JTAG interface

    After the key is programmed and the key-access mode is exited, the key cannot be read out of the device by any means, and it cannot be reprogrammed without clearing the entire device.
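
Since Vivado takes the key from the NKY file rather than from the device, a pre-release check of that file is a practical safeguard. The following is an added example, not part of the original answer or any Xilinx tooling: a parser for the NKY layout shown in top.nky that flags missing or wrong-width fields and documentation-style keys. The function names are hypothetical and the field widths are assumed from the sample above.

```python
import re

# Expected field widths in bits, assumed from the top.nky sample on this page.
EXPECTED_BITS = {"0": 256, "StartCBC": 128, "HMAC": 256}

# Constructed sample: the top.nky content shown above.
SAMPLE_NKY = """\
Device xc7k325t;
Key 0 12345678ABCDDCBA12345678ABCDDCBA12345678ABCDDCBA12345678ABCDDCBA;
Key StartCBC 7115e9aa80085ea3ed65d26d3a8ab608;
Key HMAC d293d51c6058430262b05521f8f67279c9abce27d5fcafcf839bbe1af46713cc;
"""

def parse_nky(text):
    """Return (device, {name: hex}) from NKY text; raise ValueError on bad lines."""
    device, keys = None, {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(r"Device\s+(\S+?)\s*;", line)
        if m:
            device = m.group(1)
            continue
        m = re.fullmatch(r"Key\s+(\S+)\s+([0-9A-Fa-f]+)\s*;", line, re.IGNORECASE)
        if not m:
            raise ValueError(f"line {n}: unrecognized NKY entry")
        keys[m.group(1)] = m.group(2).lower()
    return device, keys

def audit_nky(text):
    """Return a list of findings; an empty list means no issue was detected."""
    device, keys = parse_nky(text)
    findings = []
    if device is None:
        findings.append("missing Device line")
    for name, bits in EXPECTED_BITS.items():
        if name not in keys:
            findings.append(f"Key {name}: missing")
        elif len(keys[name]) * 4 != bits:
            findings.append(f"Key {name}: {len(keys[name]) * 4} bits, expected {bits}")
    key0 = keys.get("0", "")
    # A key built from one repeated 64-bit block is a documentation-style value.
    if len(key0) == 64 and len({key0[i:i + 16] for i in range(0, 64, 16)}) == 1:
        findings.append("Key 0: repeated 64-bit pattern, not a random key")
    return findings

if __name__ == "__main__":
    for finding in audit_nky(SAMPLE_NKY):
        print(finding)
```

Run against the sample, the only finding is the repeated-pattern warning on Key 0, which is expected for a key copied from an example.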