Xapp1239 Fpga Bitstream Encryption PDF
Xapp1239 Fpga Bitstream Encryption PDF
Summary
This application note describes a simple step-by-step process to generate an encrypted
bitstream and encryption key using the Xilinx® Vivado® Design Suite. Steps to program that
encryption key and encrypted bitstream into a Xilinx 7 series FPGA using the Vivado Design
Suite are included.
Introduction
Xilinx 7 series devices have on-chip Advanced Encryption Standard (AES) decryption logic to
provide a high degree of design security. Encrypted 7 series FPGA designs cannot be copied or
reverse engineered for use on unintended FPGAs. The 7 series FPGA AES system consists of
software-based bitstream encryption and on-chip bitstream decryption with dedicated memory
for storing the encryption key. Xilinx Vivado tools are optionally used to generate the
encryption key and the encrypted bitstream. A user-generated key from a truly random source
is recommended. The 7 series devices store the encryption key internally in either dedicated
RAM, backed up by a small externally connected battery (BBRAM), or in the eFUSE. The
encryption key can only be programmed onto the device through the JTAG port. The 7 series
device performs the reverse operation, decrypting the incoming bitstream during
configuration. The 7 series FPGA AES encryption logic uses a 256-bit encryption key. The
on-chip AES decryption logic cannot be used for any purpose other than bitstream decryption.
AES decryption logic is not available to the user design and cannot be used to decrypt data
other than the configuration bitstream.
The AES supported in 7 series FPGAs is identical to that supported in Xilinx Virtex®-6 devices.
(The AES support has been validated, see the Advanced Encryption Standard Algorithm
Validation List at http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html#2363.) A
256-bit encryption key is loaded into the eFUSE bits or battery-backed RAM by the user. The
Xilinx bitstream writer, using AES, encrypts the bitstream. This feature allows you to encrypt
your bitstream using 256-bit AES encryption in cipher block chaining (CBC) mode. You can
supply a 128-bit Initial Vector and 256-bit key, or let the software choose a random key.
Allowing the Vivado Design Suite to generate the key is not as secure as generating your own
key by means of a a truly random process (see XAPP1084 [Ref 1]). Some security features such
as the ability for the FPGA logic to clear the AES key from battery-backed RAM require that the
part is configured with an encrypted bitstream in order to function.
7 series devices also have an on-chip bitstream keyed-Hash Message Authentication Code
(HMAC) algorithm implemented in hardware to provide additional security beyond that
provided by the AES decryption alone. (See FIPS PUB 198-1, HMAC Federal Information
Processing Standards at http://www.nist.gov/itl/upload/FIPS-198-1_final.pdf.) The additional
security provides cryptographically strong authentication of the decrypted bitstream to prove
that not even a single bit was modified. Without knowledge of the AES and HMAC keys, the
bitstream cannot be loaded, modified, intercepted, or cloned. AES provides the basic design
security to protect the design from copying or reverse engineering, while HMAC provides
assurance that the bitstream provided for the configuration of the FPGA was the unmodified
bitstream allowed to load. Any bitstream tampering, including single bit flips, are detected.
The HMAC algorithm uses a key that is provided to the Xilinx software. Alternately, the software
can automatically generate a random key. The HMAC key is separate and different from the AES
key. The Xilinx software then utilizes the key and the Secure Hash Algorithm (SHA) to generate
a 256-bit result called the Message Authentication Code (MAC). The MAC and HMAC key are
transmitted as part of the AES encrypted bitstream, verifying both data integrity and
authenticity of the bitstream. Authentication covers the entire bitstream for all types of control
and data. When used, the 7 series FPGA security solution always consists of both HMAC and
AES.
1. Choose an AES key storage location: BBRAM or eFUSE; and corresponding security options
(see XAPP1084 [Ref 1] for trade-off between BBRAM and eFUSE).
2. Implement the hardware requirements in your board design, based on your AES key storage
selection.
3. Using Vivado Design Suite software, generate an AES key or provide your own custom AES
and HMAC keys to the software (which is always the most secure approach) and encrypted
bitstream.
4. Program the AES key into the FPGA using JTAG interface.
5. Program the encrypted bit file into the FPGA via JTAG or other configuration mode such as
SPI or BPI, and ensure that the DONE pin asserts.
6. Perform hardware validation to ensure proper operation.
Software Requirements
Vivado Design Suite 2014.3.1 or newer is required.
BBRAM
When an encryption key is stored in the FPGA's battery-backed RAM, the encryption key
memory cells are volatile and must receive continuous power to retain their contents. During
normal operation, these memory cells are powered by the auxiliary voltage input (V CCAUX). A
separate VCCBATT power input is recommended for retaining the key when VCCAUX is removed.
Therefore it is recommended that the AES key be programmed in-system on a board that has
the battery back-up. Otherwise, the key is lost when power/battery is removed. BBRAM storage
location advantages and disadvantages are identified in Table 1.
eFUSE
eFUSE is a nonvolatile one-time-programmable technology used for selected configuration
settings. The fuse link is programmed (or burned or blown) by flowing a large current for a
specific amount of time. User-programmable eFUSEs can be programmed with the Xilinx
configuration tools. Again it is important to mention that eFUSE bits are one-time
programmable (OTP). After they are programmed, they cannot be unprogrammed. For example,
if access to a register is disabled, it cannot be re-enabled. The FPGA logic can access only the
FUSE_USER register value. All other eFUSE bits are not accessible from the FPGA logic. eFUSE
storage location advantages and disadvantages are identified in Table 2.
eFUSE Registers
A 7 series FPGA has a total of four eFUSE registers: FUSE_KEY, FUSE_CNTL, FUSE_USER, and
FUSE_DNA. For the purpose of this application note we will only focus on the FUSE_KEY,
FUSE_CNTL, and FUSE_USER registers. eFUSE registers are described in Table 3.
This register contains user programmable bits. These bits, described in Table 4, are used to
select AES key usage and set the read/write protection for other eFUSE registers.
CAUTION! When FUSE_CNTL[0] is programmed, only bitstreams encrypted with the eFUSE key can be used
to configure the FPGA through external configuration ports. This precludes device configuration from Xilinx
test bitstreams and Xilinx pre-built bitstreams. Thus, Xilinx does not support RMA requests nor Vivado tools
indirect SPI/BPI flash programming for devices that have the FUSE_CNTL[0] bit programmed.
External configuration ports are blocked from accessing the configuration memory after initial
configuration if FUSE_CNTL[1] is programmed. The only way to reconfigure the device is to
power cycle, issue a JPROGRAM or IPROG command, or pulse the PROGRAM_B pin.
BITSTREAM.ENCRYPTION.HKEY Pick Pick, <hexstring> HKEY sets the HMAC authentication key for
bitstream encryption. 7 series devices have an
on-chip bitstream-keyed Hash Message
Authentication Code (HMAC) algorithm
implemented in hardware to provide additional
security beyond AES decryption alone. These
devices require both AES and HMAC keys to load,
modify, intercept, or clone the bitstream. The pick
setting tells the bitstream generator to select a
pseudo-random number for the value. To use this
option, you must first set Encrypt to Yes.
BITSTREAM.ENCRYPTION.KEY0 Pick Pick, <hexstring> Key0 sets the AES encryption key for bitstream
encryption. The pick setting tells the bitstream
generator to select a pseudo-random number for
the value. To use this option, you must first set
Encrypt to Yes.
BITSTREAM.ENCRYPTION.KEYFILE None <string> Specifies the name of the input encryption file
(with a .nky file extension). To use this option, you
must first set Encrypt to Yes.
BITSTREAM.ENCRYPTION.STARTCBC Pick Pick,<32-bit Sets the starting cipher block chaining (CBC) value.
hexstring> The pick setting enables selection of a
pseudo-random number for the value.
The following is an example XDC file showing BBRAM Key storage and a custom user-defined
AES key. These encryption properties are also available in the Edit Device Properties GUI.
24 #Encryption Settings
25
26 set_property BITSTREAM.ENCRYPTION.ENCRYPT YES [current_design]
27 set_property BITSTREAM.ENCRYPTION.ENCRYPTKEYSELECT BBRAM [current_design]
28 #set_property BITSTREAM.ENCRYPTION.ENCRYPTKEYSELECT eFUSE [current_design]
29 set_property BITSTREAM.ENCRYPTION.KEY0 256’h12345678ABCDDCBA1234578ABCDDCBA1234578
ABCDDCBA1234578ABCDDCBA [current_design]
30
The NKY file generation occurs at the same time as bitstream generation. The NKY file takes the
same top_level name as the bit file and is placed in the same implementation directory.
BBRAM key programming solutions include a Vivado Design Suite and JTAG cable.
Note: Any attempted read or write access to the BBRAM via JTAG causes the BBRAM contents to be
cleared and the entire configuration of the FPGA to be erased prior to access being enabled (being
able to enter key access mode).
Note: For the eFUSE solution, it is also recommended to take the following precautions for in-system
programming of the AES key:
° Prevent or clear the FPGA of a configured design to minimize power supply noise within
the FPGA.
° If possible, stop board-level system clocks to also minimize system power supply noise.
After connection to a valid hardware target using the Vivado tools HW_Manager, right-click on
the 7 series FPGA and select either Program BBR Key...(to use BBRAM storage) or Program eFUSE
Registers...(to use eFUSE storage), depending on which storage option you have previously
chosen (see Figure 1).
X-Ref Target - Figure 1
BBRAM Key
When the Program BBR Key is selected you have the ability to browse to the recently generated
NKY file in the project directory. After you add the .NKY file, the key value appears in the AES
key field as shown in Figure 2. This allows you to check the key value and verify that this is the
correct key you intend to program into the device.
X-Ref Target - Figure 2
After successfully programming the NKY file into the FPGA via JTAG, the TCL console reports the
following:
set_property ENCRYPTION.FILE
{C:/config/series-7/Encryption/ecryption_test_325T.runs/impl_1/top.nky} [get_property
PROGRAM.HW_BITSTREAM [lindex [get_hw_devices] 0]]
program_hw_devices -key {bbr} [lindex [get_hw_devices] 0]
INFO: [Labtools 27-3088] BBR Key programmed:
12345678ABCDDCBA12345678ABCDDCBA12345678ABCDDCBA12345678ABCDDCBA
INFO: [Labtools 27-3087] Key programming succeeded
INFO: [Labtools 27-3087] Key programming succeeded
IMPORTANT: For 7 series FPGAs, programming the AES key and the lower 8 bits [7:0] of the FUSE_USER
register occurs at the same time. Therefore if you program the AES key and do not specify a pattern for the
FUSE_USER [7:0] bits, they cannot be programmed at a later time. Similarly, if you program the lower
FUSE_USER bits and not the AES key then you cannot program the key at a later time.
RECOMMENDED: Program all 32 bits of the FUSE_USER register when you program the AES key. Refer to
Table 4, page 5 for a description of the FUSE_CNTL register bits. The eFUSE Programming GUI/Control
Register Setup is shown in Figure 4).
• FUSE_CNTL bits:
program_hw_devices -control_efuse {xxxxxx} [lindex [get_hw_devices] 0]
After the eFUSE registers have been successfully programmed you can see the values of the
FUSE_CNTL and FUSE_USER registers in the Hardware Device Properties/EFUSE register
dropdown menu (see Figure 5), or by typing the following Tcl commands into the Tcl console:
Most methods of configuration are not affected by encryption. The 7 series FPGAs allow for
bitstreams to be created with both compression and encryption. An encrypted bitstream can be
delivered through any configuration interface: JTAG, serial, SPI, BPI, SelectMAP, and ICAPE2.
However, an encrypted bitstream has a few limitations or timing differences for some of the
configuration methods. The Slave SelectMAP and ICAPE2 interfaces accept encrypted
bitstreams only through the x8 bus (x16 and x32 Slave SelectMAP are not allowed). The Master
SelectMAP and Master BPI interfaces accept encrypted bitstreams through either the x8 or x16
data bus, but for the x16 bus width, the master CCLK frequency is slowed to half of the
ConfigRate, or half of the EMCCLK rate when ExtMasterCCLK_en is used. The slower CCLK
begins early in the bitstream when the DEC (AES encryptor enable) bit is read, before the CCLK
is updated based on the ConfigRate frequency or the external EMCCLK frequency.
To confirm in hardware that the encrypted design loaded successfully, check that the DONE pin
is High or verify using other visual indicators that your design is functioning (LEDs, UARTs, etc.).
To confirm in software that the encrypted design loaded successfully you can refer to the
Config_Status register included in the Hardware Device Properties list. Bits 1
(DECRYPTOR_ENABLE), 4 (EOS), and 14 (DONE_PIN) are the main indicators for confirmation
(see Figure 6).
Hardware Verification
You will most likely want to verify that the AES key was properly programmed into either the
BBRAM or eFUSE bits properly. The following is a check list of verification steps:
1. Generate bitstreams using Vivado Design Suite 2014.3.1 or later: Unencrypted bitstream,
encrypted bitstream with your personalized key, encrypted bitstream with an all-ones key,
finally an encrypted bitstream with an all-zeros key
2. Review the generated bitstreams to validate encryption took place. (See Figure 7, page 15
for an example of encrypted and unencrypted bit files.)
3. On an FPGA that has not yet had its eFUSE programmed:
a. Check hardware: Use Vivado Device Programmer to connect to the FPGA, download the
unencrypted BIT file via JTAG. Does the design function as expected?
b. Test FPGA decryptor: Download the encrypted BIT file with the all-zeros key (for eFUSE).
c. Test encrypted bitstream security: Download the encrypted BIT file with your
personalized key. A configuration failure is expected.
4. Program the eFUSE key and options:
a. Power-cycle the board to assure any errors from the above tests have been cleared from
the FPGA and that the FPGA is not configured.
b. Program the AES key via JTAG. (If using eFUSE, first do steps 3b and 3c with the BBRAM
key as a validation check. Then program the eFUSE for a final test.)
c. Check key cannot be read: Use the Vivado tool to check the Hardware
Device>Property>Registers>eFUSE>FUSE_CNTL and that bit 3 is programmed to 1.
Also, check that the other FUSE_CNTL bits are programmed as selected during the
programming operation.
5. On the FPGA with the programmed eFUSE key and options:
a. Test key: Download the encrypted BIT file with your personalized key.
b. Test key: Download encrypted BIT file associated with the all-zeros key. A configuration
failure is expected.
c. Test key settings: Download the unencrypted BIT file. Results vary depending on
security settings.
Conclusion
This application note describes AES encryption and authentication standards and identifies the
advantages and disadvantages of the different key storage options available. Most importantly,
it functions as an easy how to guide to create an AES encryption key and an encrypted bit file
and to program these files into a 7 series FPGA using Vivado Design Suite software.
References
1. Developing Tamper Resistant Designs with Xilinx Virtex-6 and 7 Series FPGAs (XAPP1084)
2. 7 Series FPGAs Configuration User Guide (UG470)
3. Using Advanced Encryption Standard Keys with the Battery-Backed (BBRAM Tutorial
http://www.xilinx.com/training/vivado/using-encryption-keys-with-bbram.htm
Revision History
The following table shows the revision history for this document.