An attack can be mitigated by enforcing bitstream encryption, which is done by programming the FUSE_SHAD_SEC[0] eFUSE register (force AES). The corresponding key can be stored either in BBRAM or in the FUSE_KEY eFUSE register.
For scenarios where confidentiality of the bitstream is not necessary, there are no specific requirements for handling that key.
For additional information, please contact your local FAE. An extended security response paper can be provided under NDA by your local FAE.