Xilinx® 7 series FPGAs use an embedded, PL-based hash-based message authentication code (HMAC) and an advanced encryption standard (AES) module in cipher block chaining (CBC) mode. For UltraScale devices and beyond, AES-256 in Galois Counter Mode (GCM) is used, and HMAC is not required.
Encryption Example
To create an encrypted bitstream, the AES key file is specified in the BIF using the attribute aeskeyfile. The attribute encryption=aes should be specified against the bitstream listed in the BIF file that needs to be encrypted.
bootgen -arch fpga -image secure.bif -w -o securetop.bit
The BIF file looks like the following:
the_ROM_image:
{
[aeskeyfile] encrypt.nky
[encryption=aes] top.bit
}
Authentication Example
A Bootgen command to authenticate an FPGA bitstream is as follows:
bootgen -arch fpga -image all.bif -o rsa.bit -w on -log error
The BIF file is as follows:
the_ROM_image:
{
[sskfile] rsaPrivKeyInfo.pem
[authentication=rsa] plain.bit
}
Family or Obfuscated Key
To support obfuscated key encryption, you must register with Xilinx support and request the family key file for the target device family. The path to this file must be passed as a BIF option before attempting obfuscated encryption. Contact secure.solutions@xilinx.com to obtain the Family Key.
image:
{
[aeskeyfile] key_file.nky
[familykey] familyKey.cfg
[encryption=aes] top.bit
}
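A pre-build check for the three BIF layouts above, as an added example (not Xilinx code and not part of Bootgen): it flags a bitstream listed without an encryption or authentication attribute, and an attribute whose key file entry is missing. The pairing rules are inferred from the examples on this page and the parser handles only the line forms shown here; lint_bif and BAD_BIF are hypothetical names.

```python
import re

# "[attr] file" or "[attr=value] file", the two line forms shown on this page.
ENTRY = re.compile(r"^\[\s*(\w+)\s*(?:=\s*(\w+))?\s*\]\s*(\S+)$")
STRUCTURAL = re.compile(r"^(\w+\s*:|\{|\}|)$")  # image name, braces, blank
KEY_ATTRS = {"aeskeyfile", "sskfile", "familykey"}
# Key attribute each protection mode needs, as in the page's examples.
REQUIRED_KEY = {("encryption", "aes"): "aeskeyfile",
                ("authentication", "rsa"): "sskfile"}


def lint_bif(text):
    """Return a list of findings for one BIF file's text (empty list = clean)."""
    keys, partitions, findings = {}, [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if STRUCTURAL.match(line):
            continue
        m = ENTRY.match(line)
        if not m:
            # Linter policy: never skip silently; a bare "top.bit" lands here.
            findings.append(f"line {lineno}: no recognised attribute: {line}")
        elif m.group(1) in KEY_ATTRS:
            keys[m.group(1)] = m.group(3)
        else:
            partitions.append(m.groups())
    for attr, value, path in partitions:
        needed = REQUIRED_KEY.get((attr, value))
        if needed is None:
            findings.append(f"{path}: unexpected attribute {attr}={value}")
        elif needed not in keys:
            findings.append(f"{path}: {attr}={value} but no [{needed}] entry")
    if "familykey" in keys and ("encryption", "aes") not in {p[:2] for p in partitions}:
        findings.append("[familykey] set but no partition uses encryption=aes")
    return findings


# Constructed sample: key file listed, but the encryption attribute was dropped.
BAD_BIF = """the_ROM_image:
{
[aeskeyfile] encrypt.nky
top.bit
}"""

if __name__ == "__main__":
    for finding in lint_bif(BAD_BIF):
        print(finding)
```

Running it on a BIF before invoking bootgen catches the case where the key entry is present but the bitstream line lost its attribute.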