UltraScale FPGAs allow you to break up the bitstream into multiple AES encryption modules, each encrypted with its own unique key. The initial key is stored on-chip, while keys for each successive module are encrypted (wrapped) in the previous module. This feature, known as rolling keys, increases security against side-channel attacks such as differential power analysis (DPA). The bitstream option BITSTREAM.ENCRYPTION.KEYLIFE defines the number of encryption blocks per key. An encryption block is 128 bits (four 32-bit words). Fewer encryption blocks per key offers greater security but exponentially increases bitstream size and therefore configuration time. Selecting a value such as 1,024 or higher increases configuration size by about 15%, a value of 64 can increase bitstream size by 50%, and a value of 32 can double the bitstream size.
When using RSA authentication, certain block RAMs might be used to hold interim rolling keys, which impacts the ability to initialize those blocks. For a given block RAM column, each 36K block that resides in the bottom of a clock region is affected; essentially the first 36K block RAM starting at the bottom of a device and then every 12th 36K block RAM after that in a column (BRAM36_X*Y0, BRAM36_X*Y12, BRAM36_X*Y24, etc.). Those block RAMs can not be initialized to user-defined values when using RSA authentication. Those block RAMs are always initialized to 0 after configuration.