Note: For additional information, refer to Using Encryption to Secure a 7 Series FPGA Bitstream (XAPP1239).
To generate an encrypted bitstream, open an implemented design in Vivado IDE. From the main toolbar Select to make the Settings dialog box appear. At the top of the dialog box click Configure Additional Bitstream Settings.
Figure 1. 7 Series Settings
This brings up the Edit Device Properties dialog box. Select Encryption in the left-hand pane.
Figure 2. 7 Series Configure Encryption Settings
In the Edit Device Properties dialog box, specify the encryption and key settings:
- Encryption Settings
  - Set Enable Bitstream Encryption to YES.
  - Set Select location of encryption key to either BBRAM or EFUSE.
    - The key location is embedded in the encrypted bitstream.
    - When the encrypted bitstream is downloaded to the device, it instructs the FPGA to use the key loaded into the BBR or the eFUSE key register to decrypt the encrypted bitstream.
- Key Settings
  - Specify HMAC authentication key and Starting cipher block chaining (CBC) value.
    - If these values are unspecified, Vivado generates a random value for you.
    - These values are embedded in the encrypted bitstream and do not have to be programmed into the FPGA.

    Note: These values are stored in the current project constraints file unless an input encryption file is specified. To avoid storing this value in the constraints file, specify the input encryption file.
  - Specify the AES encryption key to use when encrypting the bitstream. You can use up to 64 hex characters to specify the 256-bit key.
    - The key is written to a file with the .nky file extension. Use this file when loading the key into the BBR or when programming the key into the eFUSE key register.

    Note: These values are stored in the current project constraints file unless an input encryption file is specified. To avoid storing this value in the constraints file, specify the input encryption file.
  - Specify Input encryption file.
    - Specify an existing .nky file to obtain the encryption key settings. This field is optional and can be omitted if specifying the AES, HMAC, and CBC manually.
After specifying the encryption settings, click OK to apply the settings to the project, and regenerate your bitstream. Upon completing the write_bitstream operation, you get a programming file and a .nky encryption file.
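A check for the Notes above about key values ending up in the project constraints file, as an added example that is not part of the original page or of Vivado: it scans XDC text for encryption key properties and reports where they appear without echoing the values. The `BITSTREAM.ENCRYPTION.*` property names are assumed to be the ones Vivado writes for these dialog fields, and the sample constraints and the `keys/design.nky` path are constructed.

```python
import re

# Assumption: BITSTREAM.ENCRYPTION.* are the property names Vivado writes for the
# dialog fields described above; the page itself only gives the dialog labels.
SECRET_PROPS = {"KEY0": "AES key", "HKEY": "HMAC key", "STARTCBC": "starting CBC value"}
PROP_RE = re.compile(
    r"^\s*set_property\s+BITSTREAM\.ENCRYPTION\.(\w+)\s+(.+?)\s+\[current_design\]",
    re.IGNORECASE,
)

def audit_xdc(text):
    """Return findings for the bitstream encryption settings found in XDC text."""
    settings, findings = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = PROP_RE.match(line)  # '#' comment lines do not match
        if not m:
            continue
        name, value = m.group(1).upper(), m.group(2).strip('{}"')
        settings[name] = value
        if name in SECRET_PROPS:
            # Report the location only; never echo the secret value.
            findings.append(f"line {lineno}: {SECRET_PROPS[name]} stored in constraints file")
    if settings.get("ENCRYPT", "").upper() != "YES":
        findings.append("bitstream encryption is not enabled")
    location = settings.get("ENCRYPTKEYSELECT")
    if location and location.upper() not in ("BBRAM", "EFUSE"):
        findings.append(f"unexpected key location: {location}")
    return findings

# Constructed sample: values typed into the dialog with no input encryption file.
LEAKY_XDC = "\n".join([
    "# constructed example constraints",
    "set_property BITSTREAM.ENCRYPTION.ENCRYPT YES [current_design]",
    "set_property BITSTREAM.ENCRYPTION.ENCRYPTKEYSELECT BBRAM [current_design]",
    "set_property BITSTREAM.ENCRYPTION.KEY0 " + "A5" * 32 + " [current_design]",
    "set_property BITSTREAM.ENCRYPTION.HKEY " + "5A" * 32 + " [current_design]",
    "set_property BITSTREAM.ENCRYPTION.STARTCBC " + "0F" * 16 + " [current_design]",
])
# Constructed sample: key settings come from an input encryption (.nky) file.
CLEAN_XDC = "\n".join([
    "set_property BITSTREAM.ENCRYPTION.ENCRYPT YES [current_design]",
    "set_property BITSTREAM.ENCRYPTION.ENCRYPTKEYSELECT EFUSE [current_design]",
    "set_property BITSTREAM.ENCRYPTION.KEYFILE {keys/design.nky} [current_design]",
])

if __name__ == "__main__":
    for name, text in (("leaky", LEAKY_XDC), ("clean", CLEAN_XDC)):
        print(name, audit_xdc(text) or "no findings")
```

Run it over constraints files before they are committed or shared; the .nky file itself needs the same handling as any other key material.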