eFUSE Security Register (FUSE_SEC) Description

Using Encryption and Authentication to Secure an UltraScale/UltraScale+ FPGA Bitstream Application Note (XAPP1267)

Document ID: XAPP1267
Release Date: 2023-02-10
Revision: 1.6 English

This register contains user-programmable bits that select eFUSE security settings and, if desired, enable RSA authentication. Table 5 provides the bit descriptions and recommended settings.

Table 5: eFUSE Control Register Bit (FUSE_SEC) Description

| Bit | Bit Name | Description | Recommended Setting |
|-----|----------|-------------|---------------------|
| 0 | FUSE_SHAD_SEC[0] (CFG_AES_Only) | Only allow encrypted bitstreams. CAUTION! If this bit is programmed to 1, the device cannot be used unless the AES key is known. Return material authorization (RMA) returns cannot be accepted and the Vivado Indirect SPI/BPI flash programming flow cannot be used if this bit is programmed. You must have external configuration memories programmed BEFORE you blow this fuse if you intend to use Vivado for this programming. | No (keep at 0). RECOMMENDED: Keep as 0 pending customer security requirements. |
| 1 | FUSE_SHAD_SEC[1] | Force use of AES key stored in eFUSE (BBRAM keys disabled). When this bit is NOT programmed, encryption and the key source can be selected via bitstream options – the FPGA can be configured using an unencrypted bitstream, or a bitstream encrypted with a key value stored in battery-backed RAM (BBRAM) or eFUSE. | No (keep at 0) |
| 2 | RSA_AUTH | Force RSA Authentication. CAUTION! If this bit is programmed to 1, the device cannot be used unless the RSA key is known. Return material authorization (RMA) returns cannot be accepted and the Vivado Indirect SPI/BPI flash programming flow cannot be used if this bit is programmed. You must have external configuration memories programmed BEFORE you blow this fuse if you intend to use Vivado for this programming. | Pending customer security requirements |
| 4 | SCAN_DISABLE | Disable Xilinx test access. | No (keep at 0) |
| 5 | CRYPT_DISABLE | Permanently disable the decryptor. | No (keep at 0) |
| 6 | FUSE_BKS_ENABLE | Enable key obfuscation. | Automatically set by Vivado Design Suite |
| 7–31 | Reserved | Reserved | - |

When FUSE_SHAD_SEC[0:1] are NOT programmed:

- Encryption can be enabled or disabled via the bitstream options.
- The AES key stored in eFUSE or battery-backed SRAM (BBRAM) can be selected via the bitstream options.

When FUSE_SHAD_SEC[1:0] are programmed:

- Only bitstreams encrypted with the eFUSE key can be used to configure the FPGA through external configuration ports.

CAUTION! When FUSE_SHAD_SEC[0] or RSA_AUTH is programmed, only AES encrypted or RSA authenticated bitstreams, respectively, can be used to configure the FPGA through external configuration ports. This precludes device configuration from Xilinx test bitstreams and Xilinx pre-built bitstreams. Thus, Xilinx does not accept return material authorization (RMA) requests or support indirect flash programming for devices that have the FUSE_SHAD_SEC[0] or RSA_AUTH bit programmed.
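The following sketch is an added example, not code from the application note or from Vivado: it reviews a planned FUSE_SEC value against Table 5 before any fuse is blown, reporting the configuration policy the value selects and any deviation from the recommended settings. The function and field names are hypothetical, and the sample register values are constructed.

```python
# Added example: review a planned FUSE_SEC value before eFUSE programming.
# Bit positions and meanings follow Table 5; all names here are hypothetical.
BITS = {
    0: "FUSE_SHAD_SEC[0]",
    1: "FUSE_SHAD_SEC[1]",
    2: "RSA_AUTH",
    4: "SCAN_DISABLE",
    5: "CRYPT_DISABLE",
    6: "FUSE_BKS_ENABLE",
}
KEEP_AT_ZERO = (0, 1, 4, 5)   # rows marked "No (keep at 0)" in Table 5
RESERVED_MASK = 0xFFFFFF80    # bits 7-31


def review_fuse_sec(value):
    """Return the policy a FUSE_SEC value selects and any review findings."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("FUSE_SEC is a 32-bit register")

    def is_set(bit):
        return bool((value >> bit) & 1)

    findings = []
    if value & RESERVED_MASK:
        findings.append("reserved bits 7-31 are set")
    if is_set(3):
        findings.append("bit 3 is set but is not described in Table 5")
    for bit in KEEP_AT_ZERO:
        if is_set(bit):
            findings.append(f"{BITS[bit]} is set; Table 5 recommends keeping it at 0")
    if is_set(0) or is_set(2):
        findings.append("RMA returns and Vivado indirect SPI/BPI flash "
                        "programming are no longer available")
    return {
        "programmed": [name for bit, name in BITS.items() if is_set(bit)],
        "encrypted_only": is_set(0),
        "bbram_keys_disabled": is_set(1),
        "efuse_key_bitstreams_only": is_set(0) and is_set(1),
        "rsa_required": is_set(2),
        "decryptor_disabled": is_set(5),
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from any real device.
    for planned in (0x00, 0x04, 0x07, 0x88):
        print(f"{planned:#010x}", review_fuse_sec(planned))
```

Running the review on the planned value, and resolving every finding, belongs before the programming step because the CAUTION conditions above cannot be undone once the fuse is blown.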