Encryption and Authentication - 2020.2 English

Bootgen User Guide (UG1283)

Document ID
UG1283
Release Date
2020-12-15
Version
2020.2 English

Xilinx® 7 series FPGAs use the embedded, PL-based, hash-based message authentication code (HMAC) and an advanced encryption standard (AES) module with a cipher block chaining (CBC) mode. For UltraScale devices and beyond, AES-256/Galois Counter Mode (GCM) are used, and HMAC is not required.

Encryption Example

To create an encrypted bitstream, the AES key file is specified in the BIF using the attribute aeskeyfile. The attribute encryption=aes should be specified against the bitstream listed in the BIF file that needs to be encrypted.

bootgen -arch fpga -image secure.bif -w -o securetop.bit

The BIF file looks like the following:

the_ROM_image:
{
	[aeskeyfile] encrypt.nky
	[encryption=aes] top.bit
}

Authentication Example

A Bootgen command to authenticate an FPGA bitstream is as follows:

bootgen -arch fpga -image all.bif -o rsa.bit -w on -log error

The BIF file is as follows:

the_ROM_image:
{
	[sskfile] rsaPrivKeyInfo.pem
	[authentication=rsa] plain.bit
}

Family or Obfuscated Key

Note: Obfuscated key encryption is not supported in Versal devices.

To support obfuscated key encryption, you must register with Xilinx support and request the family key file for the target device family. The path to where this file is stored must be passed as a bif option before attempting obfuscated encryption. Contact secure.solutions@xilinx.com to obtain the Family Key.

image:
{
	[aeskeyfile] key_file.nky
	[familykey] familyKey.cfg
	[encryption=aes] top.bit
}
A sample aeskey file is shown in the following image.
Figure 1. AES Key Sample