After the device has been programmed with the correct encryption key, the device can be configured with an encrypted bitstream. After configuration with an encrypted bitstream, it is not possible to read the configuration memory through JTAG or SelectMAP readback, regardless of the bitstream security setting.
While the device holds an encryption key, a non-encrypted bitstream can be used to configure the device only after PROGRAM_B or power-on reset (after a power cycle) is asserted, thus clearing out the configuration memory. In this case the key is ignored. After configuring with a non-encrypted bitstream, readback is possible (if allowed by the readback security setting). The encryption key still cannot be read out of the device, preventing the use of Trojan Horse bitstreams to defeat the FPGA encryption scheme.
An encrypted bitstream can be delivered through any configuration interface: JTAG, serial, SPI, BPI, SelectMAP, and ICAP. For encrypted bitstreams using an obfuscated key with the JTAG interface, do not pause bitstream loading by temporary excursion from the JTAG Shift-DR state to the JTAG Pause-DR state. Instead, stay within the JTAG Shift-DR state and stop the JTAG TCK clock to pause bitstream loading. For encrypted bitstreams using an obfuscated key with the SelectMAP or ICAP interfaces, do not pause bitstream loading by temporary de-assertion of the configuration interface chip-select (CSI_B). Instead, keep CSI_B asserted and stop the CCLK to pause bitstream loading. See answer record 73656 for details.
Bitstreams can be created with both compression and encryption. After configuration, the device cannot be reconfigured without toggling the PROGRAM_B pin, cycling power, or issuing the JPROGRAM instruction. Fallback reconfiguration and IPROG reconfiguration are enabled even when encryption is turned on. Fallback and IPROG reconfiguration images loaded from the external configuration port or through ICAP can be encrypted or unencrypted images, and they do not have to match the original image encryption option. Partial reconfiguration images loaded from the external configuration port must match the original image encryption option. For example, if the original image is encrypted the partial reconfiguration image must be encrypted and if the original image is unencrypted the partial reconfiguration image must be unencrypted. Readback is available through the ICAPE3 primitive. None of these events resets the BBRAM key if VBATT or VCCAUX is maintained.
A mismatch between the key in the encrypted bitstream and the key stored in the device causes configuration to fail with the INIT_B pin pulsing Low and then back High if fallback is enabled, and the DONE pin remaining Low.