Generating Encrypted and Authenticated Files for 7 Series Devices

Vivado Design Suite User Guide: Programming and Debugging (UG908)

Document ID: UG908
Release Date: 2024-11-13
Version: 2024.2 English
Note: For additional information, refer to Using Encryption to Secure a 7 Series FPGA Bitstream (XAPP1239).

To generate an encrypted bitstream, open an implemented design in the Vivado IDE. From the main toolbar, select Flow > Bitstream Settings to open the Settings dialog box. At the top of the dialog box, click Configure Additional Bitstream Settings.

Figure 1. 7 Series Settings

This brings up the Edit Device Properties dialog box. Select Encryption in the left-hand pane.

Figure 2. 7 Series Configure Encryption Settings

In the Edit Device Properties dialog box, specify the encryption and key settings:

  • Encryption Settings
    • Set Enable Bitstream Encryption to YES.
    • Set Select location of encryption key to either BBRAM or EFUSE.
      • The key location is embedded in the encrypted bitstream.
      • When the encrypted bitstream is downloaded to the device, it instructs the FPGA to use the key loaded into the BBR or the eFUSE key register to decrypt the encrypted bitstream.
  • Key Settings
    • Specify HMAC authentication key and Starting cipher block chaining (CBC) value.
      • If these values are unspecified, Vivado generates a random value for you.
      • These values are embedded in the encrypted bitstream and do not have to be programmed into the FPGA.
      Note: These values are stored in the current project constraints file unless an input encryption file is specified. To avoid storing this value in the constraints file, specify the input encryption file.
    • Specify the AES encryption key to use when encrypting the bitstream. You can use up to 64 hex characters to specify the 256-bit key.
      • The key is written to a file with the .nky file extension. Use this file when loading the key into the BBR or when programming the key into the eFUSE key register.
      Note: These values are stored in the current project constraints file unless an input encryption file is specified. To avoid storing this value in the constraints file, specify the input encryption file.
    • Specify Input encryption file.
      • Specify an existing .nky file to obtain the encryption key settings. This field is optional and can be omitted if specifying the AES, HMAC, and CBC manually.

After specifying the encryption settings, click OK to apply the settings to the project, and regenerate your bitstream. When the write_bitstream operation completes, you get a programming file and a .nky encryption file.
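
The two notes above say that the AES key, HMAC key, and CBC value are written to the project constraints file unless an input encryption file is specified. The following check is an added example, not part of UG908 or of Vivado: it scans constraints text for inline key material before the file is shared or committed. The `BITSTREAM.ENCRYPTION.*` property names do not appear on this page and are assumed from Vivado's bitstream settings; the sample constraints and hex values are constructed.

```python
import re

# Bitstream properties that hold secret material when set inline in an XDC file.
# (Property names are an assumption; they are not listed on this page.)
SECRET_PROPS = {"KEY0": "AES key", "HKEY": "HMAC key", "STARTCBC": "CBC start value"}

# Matches: set_property BITSTREAM.ENCRYPTION.<NAME> <value> [current_design]
# A leading '#' is captured too: a commented-out key is still a key on disk.
PROP_RE = re.compile(
    r'^\s*(#\s*)?set_property\s+BITSTREAM\.ENCRYPTION\.(\w+)\s+(\{[^}]*\}|"[^"]*"|\S+)',
    re.IGNORECASE,
)

def audit_xdc(text):
    """Return (findings, uses_keyfile) for the contents of one constraints file."""
    findings, uses_keyfile = [], False
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = PROP_RE.match(line)
        if not m:
            continue
        commented = m.group(1) is not None
        prop = m.group(2).upper()
        value = m.group(3).strip('{}"').strip()
        if prop == "KEYFILE" and not commented:
            uses_keyfile = True          # settings come from an input .nky file
        elif prop in SECRET_PROPS and re.fullmatch(r"[0-9A-Fa-f]+", value):
            findings.append({
                "line": lineno,
                "property": prop,
                "kind": SECRET_PROPS[prop],
                "hex_chars": len(value),  # reported instead of the value itself
                "commented_out": commented,
            })
    return findings, uses_keyfile

# Constructed sample constraints; the hex strings are dummy values, not real keys.
SAMPLE_XDC = """\
set_property BITSTREAM.ENCRYPTION.ENCRYPT YES [current_design]
set_property BITSTREAM.ENCRYPTION.ENCRYPTKEYSELECT BBRAM [current_design]
set_property BITSTREAM.ENCRYPTION.KEY0 {0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef} [current_design]
# set_property BITSTREAM.ENCRYPTION.HKEY deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef [current_design]
set_property BITSTREAM.ENCRYPTION.STARTCBC 00112233445566778899aabbccddeeff [current_design]
"""

if __name__ == "__main__":
    found, keyfile = audit_xdc(SAMPLE_XDC)
    for f in found:
        state = "commented out" if f["commented_out"] else "active"
        print(f"line {f['line']}: {f['kind']} inline ({f['hex_chars']} hex chars, {state})")
    print("input encryption file in use:", keyfile)
```

The findings report only the line number and length, so the output can go to CI logs without echoing the secret.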