generate_puf_kek - 2025.2 English - UG835

Vivado Design Suite Tcl Command Reference Guide (UG835)

Document ID: UG835
Release Date: 2025-11-20
Version: 2025.2 English

Generate PUF KEK for hardware devices

Syntax

generate_puf_kek [-input_json <arg>] [-output_json <arg>] [-force]
    [-verbose] [-pufhd_file <arg>] [-quiet] [<hw_device>...]

Returns

Hardware devices

Usage

Name             Description
[-input_json]    input JSON file path for PUF KEK generation
[-output_json]   output JSON file to store generated PUF KEK settings
[-force]         overwrites output file if it exists
[-verbose]       enable verbose debug output during PUF KEK generation
[-pufhd_file]    output text file to store PUF HD data string
[-quiet]         Ignore command errors
[<hw_device>]    list of hardware devices
                 Default: current hardware device

Categories

Hardware

Description

Generate PUF (Physically Unclonable Function) KEK (Key Encryption Key) for the specified hardware device object or objects on the open hardware target of the current hardware server. This command generates cryptographic keys using the unique physical characteristics of the device silicon.

PUF technology leverages the inherent manufacturing variations in integrated circuits to create unique, device-specific cryptographic keys. The PUF KEK generation process uses device-specific parameters such as key and initialization vector (IV) values to produce secure keys including PUF KEK, PUF hash, PUF auxiliary data, and PUF ID values.

To access an AMD FPGA through the Hardware Manager, you must use the following Tcl command sequence:

  • open_hw - Opens the Hardware Manager in the AMD Vivado Design Suite.
  • connect_hw_server - Makes a connection to a local or remote Vivado hardware server application.
  • current_hw_target - Defines the hardware target of the connected server.
  • open_hw_target - Opens a connection to the hardware target.
  • current_hw_device - Specifies the AMD FPGA to use for PUF KEK generation.

The generate_puf_kek command requires both input and output JSON file arguments. Input parameters (key and IV) must be provided through a JSON configuration file, and an output JSON file must be specified to store the generated keys. The command generates multiple PUF-related outputs including:

  • PUF KEK - The primary key encryption key derived from PUF
  • PUF Hash - Cryptographic hash of the PUF data
  • PUF Auxiliary Data - Supporting cryptographic material
  • PUF Challenge Hash - Hash of PUF challenge data
  • PUF ID - Unique identifier derived from PUF

The generated keys can be exported to a JSON file for later use or integration with security workflows. Additionally, the PUF HD (Helper Data) can be exported to a separate text file for key reconstruction purposes. This command is particularly useful for establishing hardware-rooted trust and implementing secure boot sequences.

Note: PUF-based keys are device-specific and tied to the unique physical characteristics of each individual device. Keys generated on one device cannot be used on a different device, even if it's the same part number.

This command returns a transcript of its actions, or returns an error if it fails.

Arguments

-input_json <file> - (Required) Specify a JSON file containing input parameters for PUF KEK generation. The JSON file must contain key and IV values in hexadecimal format. This argument is mandatory for PUF KEK generation.

-output_json <file> - (Required) Specify an output JSON file to store the generated PUF KEK and related cryptographic data. The file will contain all generated keys in hexadecimal format. The file must have a .json extension. This argument is mandatory.

-force - (Optional) Overwrite the specified output files if they already exist. This applies to both the output JSON file and the PUF HD text file. Without this option, the command will fail if either output file exists.

-verbose - (Optional) Enable verbose debug output during PUF KEK generation. This provides detailed logging of the generation process including key derivation steps and intermediate values.

-pufhd_file <file> - (Optional) Specify an output text file to store the PUF HD (Helper Data) string. The PUF HD data is written as plain text to the specified file and can be used for PUF key reconstruction operations. If not specified, PUF HD data is only included in the JSON output. If the file already exists, the -force flag is required to overwrite it.

-quiet - (Optional) Execute the command quietly, returning no messages from the command. The command also returns TCL_OK regardless of any errors encountered during execution.
Note: Any errors encountered on the command-line, while launching the command, will be returned. Only errors occurring inside the command will be trapped.

hw_device - List of hardware devices. Default is the current hardware device.

Examples

Generate PUF KEK using required input and output JSON files.

generate_puf_kek -input_json {C:/Data/puf_input.json} \
                 -output_json {C:/Data/puf_output.json} \
                 [current_hw_device]

Use the minimum required arguments with an explicit device specification.

generate_puf_kek -input_json {C:/Data/puf_params.json} \
                 -output_json {C:/Data/puf_keys.json} \
                 [current_hw_device]

Use a JSON input file and export the results to specific output files, including PUF HD data to a text file.

generate_puf_kek -input_json {C:/Data/puf_params.json} \
                 -output_json {C:/Data/puf_keys.json} \
                 -pufhd_file {C:/Data/puf_hd.txt} \
                 -force [current_hw_device]

Generate PUF KEK with verbose output and export both JSON and text file outputs:

generate_puf_kek -input_json {C:/Data/puf_params.json} \
                 -output_json {C:/Data/puf_keys.json} \
                 -pufhd_file {C:/Data/puf_hd.txt} \
                 -verbose [current_hw_device]

Generate PUF KEK for multiple devices and save PUF HD data to separate files:

set devices [get_hw_devices]
foreach dev $devices {
    set dev_name [get_property NAME $dev]
    generate_puf_kek -input_json {C:/Data/puf_params.json} \
                     -output_json "C:/Data/puf_keys_${dev_name}.json" \
                     -pufhd_file "C:/Data/puf_hd_${dev_name}.txt" \
                     -force $dev
}
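
The following wrapper is an added example, not part of UG835. It runs the Hardware Manager sequence described above and calls generate_puf_kek so that a failed run cannot pass unnoticed: no -quiet (which returns TCL_OK regardless of errors), no -force, and no -verbose. The proc name puf_kek_checked, the file paths, and the choice of the first target and device are assumptions.

```tcl
# Added example (not from UG835). Paths and the proc name are placeholders.
proc puf_kek_checked {dev in_json out_json hd_file} {
    # The input parameters must exist before the hardware is touched.
    if {![file isfile $in_json]} {
        error "input JSON not found: $in_json"
    }
    # Refuse to overwrite earlier key material instead of passing -force.
    foreach f [list $out_json $hd_file] {
        if {[file exists $f]} {
            error "refusing to overwrite existing file: $f"
        }
    }
    # No -quiet: it returns TCL_OK even when generation fails.
    # No -verbose: it logs key derivation steps and intermediate values.
    if {[catch {
        generate_puf_kek -input_json $in_json -output_json $out_json \
            -pufhd_file $hd_file $dev
    } msg]} {
        # Both files were absent before this run, so anything present now
        # is partial output from the failed call.
        file delete -- $out_json $hd_file
        error "generate_puf_kek failed on [get_property NAME $dev]: $msg"
    }
    # A successful return must have produced non-empty output files.
    foreach f [list $out_json $hd_file] {
        if {![file isfile $f] || [file size $f] == 0} {
            error "expected output missing or empty: $f"
        }
    }
    # The output JSON holds the generated keys in hexadecimal: owner-only
    # access where the platform supports it (-permissions is not available
    # on Windows, hence the catch).
    catch {file attributes $out_json -permissions rw-------}
    return $msg
}

# Hardware Manager sequence from the Description section.
open_hw
connect_hw_server
current_hw_target [lindex [get_hw_targets] 0]
open_hw_target
current_hw_device [lindex [get_hw_devices] 0]

puts [puf_kek_checked [current_hw_device] \
    {C:/Data/puf_params.json} {C:/Data/puf_keys.json} {C:/Data/puf_hd.txt}]
```

On Windows hosts, restrict access to the output directory with an ACL instead, since the permission call in the wrapper is skipped there.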