000036039 - Design Advisory for UltraScale/UltraScale+ FPGA Series: RSA Authentication Vulnerability (JustSTART)

Release Date
1.0 English

This Design Advisory describes an issue in the RSA authentication feature of AMD UltraScale™ and UltraScale+™ FPGA series devices. Devices that use RSA authentication without encryption, or that use RSA authentication with encryption that is not enforced by programming an eFUSE register, may be vulnerable to an attack that enables adversaries to load arbitrary bitstreams onto the device without causing an authentication error.

The researchers who discovered this issue use the term “JustSTART” to describe the vulnerability. The configuration found to be affected is:

  • RSA Authentication is enforced by programming the RSA_AUTH eFUSE register, but the FUSE_SHAD_SEC[0] eFUSE forcing AES encryption is unprogrammed.

The following three configurations were not found to be affected:

  1. AES encryption is enforced by programming the FUSE_SHAD_SEC[0] eFUSE, but RSA authentication is not enforced because RSA_AUTH is left unprogrammed.
  2. Both RSA authentication and AES encryption are enforced by programming both RSA_AUTH and FUSE_SHAD_SEC[0].
  3. Neither AES encryption nor RSA authentication is enforced with both RSA_AUTH and FUSE_SHAD_SEC[0] unprogrammed.

AMD believes that neither the confidentiality of bitstreams nor the confidentiality of AES keys stored in eFUSEs or Battery-Backed RAM (BBRAM) is impacted, even if an adversary were able to load an arbitrary bitstream onto the device, because no read-back path for the AES keys exists and security checks can prevent any access to the AES engines if the issue is exploited.
The impact of a successful attack is equivalent to an attack where the adversary replaces the original part with a new part.

This issue has been found to affect FPGA devices of the AMD UltraScale™ and UltraScale+™ series. Zynq UltraScale+™ SoC devices are not affected as the vulnerable state machine is not present in SoC type devices,