RSA Authentication

Using Encryption and Authentication to Secure an UltraScale/UltraScale+ FPGA Bitstream Application Note (XAPP1267)

Document ID: XAPP1267
Release Date: 2023-02-10
Revision: 1.6 English

AES-GCM is a self-authenticating algorithm with a symmetric key, meaning that the key used to encrypt is the same as the one used to decrypt. This key is secret and must be protected (hence its storage in internal key space). The UltraScale architecture provides an alternative form of authentication, RSA-2048. RSA is an asymmetric algorithm, meaning that the key used to verify is not the same as the key used to sign. Verification is done with a public key, which does not need to be protected and does not need special secure storage. If desired, this form of authentication can be used in conjunction with encryption to provide both authenticity and confidentiality. RSA-2048 can be used with either an encrypted or an unencrypted bitstream. RSA not only has the advantage of using a public key, it also has the advantage of authenticating prior to decryption. The hash of the RSA public key must be stored in the eFUSE.

UltraScale FPGAs support RSA-2048 for the purpose of authenticating the bitstream data before it is sent to the decryptor. This method can be used to help prevent attacks on the decryption engine itself by ensuring that the data is authentic before performing any decryption. RSA authentication can be used independently of bitstream encryption, meaning it can authenticate either an unencrypted or an encrypted bitstream. The RSA configuration control logic reads the encrypted bitstream, including a public key and bitstream signature, into the device memory. The RSA configuration control logic then instructs the RSA engine to calculate the expected digest based on the public key and signature.

After the bitstream is buffered and the RSA engine has calculated the expected digest, the actual digest is compared against that result. If RSA authentication passes and the configuration was not encrypted, the FPGA is released for operation. If RSA authentication passes and the configuration data was encrypted, then the FPGA is released for decryption of the bitstream. If RSA authentication fails, an error equivalent to an AES-GCM authentication error is generated. At this point the device either locks down or, if enabled, a fallback occurs.
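The verification order described above, modelled as an added Python example (not code from the application note or from the vendor's tooling). It assumes SHA-256 as a stand-in hash, unpadded RSA, a constructed toy key, and that the device checks the bitstream's public key against the eFUSE hash; `configure`, `sign`, `digest` and `demo` are hypothetical names.

```python
import hashlib
import hmac

# Constructed toy key from two Mersenne primes so the example runs offline.
# It is NOT RSA-2048 and must never be used for real signing.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, stays with the signer

def digest(data: bytes) -> bytes:
    # Stand-in hash (assumption): the page does not name the hash algorithm.
    return hashlib.sha256(data).digest()

def key_hash(n: int, e: int) -> bytes:
    # Value that would be programmed into eFUSE (encoding is an assumption).
    return digest(n.to_bytes(256, "big") + e.to_bytes(4, "big"))

def sign(bitstream: bytes) -> int:
    # Signer side, off-device: textbook RSA without padding (assumption).
    return pow(int.from_bytes(digest(bitstream), "big"), D, N)

def configure(image: dict, efuse_hash: bytes, fallback: bool = False) -> str:
    """Model of the device-side decision order described in the text."""
    n, e = image["public_key"]
    failure = "FALLBACK" if fallback else "LOCKDOWN"
    # 1. The public key travels with the bitstream, so it is trusted only
    #    if its hash matches the value stored in eFUSE.
    if not hmac.compare_digest(key_hash(n, e), efuse_hash):
        return failure
    # 2. Expected digest is computed from the public key and the signature.
    expected = pow(image["signature"], e, n)
    # 3. Actual digest is taken over the buffered bitstream data.
    actual = int.from_bytes(digest(image["data"]), "big")
    if image["signature"] >= n or expected != actual:
        return failure
    # 4. Only authenticated data is released, to operation or the decryptor.
    return "DECRYPT" if image["encrypted"] else "RUN"

def demo() -> dict:
    data = b"constructed bitstream payload"
    good = {"public_key": (N, E), "signature": sign(data),
            "data": data, "encrypted": True}
    efuse = key_hash(N, E)
    return {
        "good": configure(good, efuse),
        "plain": configure(dict(good, encrypted=False), efuse),
        "tampered": configure(dict(good, data=data + b"\x00"), efuse, True),
        "rogue_key": configure(dict(good, public_key=(N + 2, E)), efuse),
    }
```

In this model the decryptor is never reached on a failed check, which is the property the text attributes to authenticating before decryption.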

A device configured with an RSA authenticated bitstream can take up to three times as long to configure as a standard uncompressed bitstream for that device. The actual time depends on the mode of configuration. RSA authentication cannot be used in conjunction with bitstream compression, partial reconfiguration, or configuration over the PCIe® interface, including tandem solutions.

RSA authentication is supported in UltraScale and UltraScale+ devices with certain configuration modes and widths. For UltraScale FPGA devices and configuration modes that support RSA authentication, see the RSA Authentication section in the UltraScale Architecture Configuration User Guide (UG570) [Ref 3].