UltraScale FPGAs let you load your AES key into the device in an obfuscated format, so you can give the obfuscated key to a contract manufacturer without exposing your true AES-256 key. When you set the BITSTREAM.ENCRYPTION.OBFUSCATEKEY property, Vivado write_bitstream software creates a new key, ObfuscateKey, in the output NKY file. This obfuscated key is created by encrypting your AES-256 key with a metalized family key stored in the silicon. One family key is shared by all UltraScale devices, and a different family key is shared by all UltraScale+ FPGAs.
AMD does not provide the family key as part of the Vivado tools. Customers must send a request for the family key to secure.solutions@amd.com. It will then be distributed to qualified customers through the Product Licensing site on www.amd.com.
Point Vivado at the family key file with the following property:
set_property BITSTREAM.ENCRYPTION.FAMILY_KEY_FILEPATH C:/<any directory>/familyKey_us.cfg [current_design]
You can give the obfuscated key to your contract manufacturer rather than the actual AES-256 key. When the key is programmed into either the eFUSE or BBRAM, if the NKY file contains a KeyObfuscate field, a flag is automatically set in the storage location indicating that this key is obfuscated. The resulting bitstream also contains additional instructions informing the chip to decrypt the appropriate AES-256 key storage location prior to using the key to decrypt the rest of the bitstream. The obfuscated key settings in the location that the bitstream selects must match the obfuscated key settings of the bitstream. The BITSTREAM.ENCRYPTION.OBFUSCATEKEY property is not compatible with the Configuration Counting DPA countermeasure for BBRAM key storage.
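A pre-handoff check for the file you send to the contract manufacturer, as an added example (not AMD or Vivado code): it confirms the obfuscated key field is present and that the true AES-256 key is not in the file. The `Name value;` record layout, the `Key0` and `Device` field names, and all key values are assumptions constructed for illustration.

```python
import re

# The page names the obfuscated entry both "ObfuscateKey" and "KeyObfuscate",
# so either is accepted. "Key0" as the plaintext AES-256 key field is an
# assumption about the NKY layout, not something the page states.
OBFUSCATED_FIELDS = {"keyobfuscate", "obfuscatekey"}
PLAINTEXT_FIELDS = {"key0"}

# Assumed record layout: one "Name value;" pair per line.
RECORD = re.compile(r"^\s*(\w+)\s+([^;]*);?\s*$")

def parse_nky(text):
    """Return {lowercased field name: value} for each record in the text."""
    fields = {}
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            fields[m.group(1).lower()] = m.group(2).strip()
    return fields

def audit_handoff(text, true_key_hex):
    """List reasons this NKY content should not leave your organization."""
    fields = parse_nky(text)
    problems = []
    if not any(fields.get(name) for name in OBFUSCATED_FIELDS):
        problems.append("missing obfuscated key field")
    for name in sorted(fields.keys() & PLAINTEXT_FIELDS):
        problems.append(f"plaintext key field present: {name}")
    # Independent of field names: the true key must not appear anywhere.
    if true_key_hex and true_key_hex.lower() in text.lower():
        problems.append("true AES-256 key value appears in file")
    return problems

# Constructed sample values, not real keys.
TRUE_KEY = "0123456789abcdef" * 4
OBF_KEY = "fedcba9876543210" * 4
FULL_NKY = f"Device xcku040;\nKey0 {TRUE_KEY};\nKeyObfuscate {OBF_KEY};\n"
HANDOFF_NKY = f"Device xcku040;\nKeyObfuscate {OBF_KEY};\n"

if __name__ == "__main__":
    for label, content in (("full", FULL_NKY), ("handoff", HANDOFF_NKY)):
        print(label, audit_handoff(content, TRUE_KEY) or "ok to send")
```

Run it against the exact file you are about to send; whether the programming tools accept a file containing only the obfuscated entry is not covered by this page and should be confirmed with your flow.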