eFUSE Security Register (FUSE_SEC) Description

Using Encryption and Authentication to Secure an UltraScale/UltraScale+ FPGA Bitstream (XAPP1267)

Document ID: XAPP1267
Release Date: 2025-05-22
Revision: 1.8 English

This register contains user-programmable bits that select the eFUSE security settings and, if desired, enable RSA authentication. The following table provides bit descriptions and recommended settings.

Table 1. eFUSE Control Register Bit (FUSE_SEC) Description
| Bit | Bit Name | Description | Recommended Setting |
|---|---|---|---|
| 0 | FUSE_SHAD_SEC[0] (CFG_AES_Only) | Only allow encrypted bitstreams. Important: If this bit is programmed to 1, the device cannot be used unless the AES key is known. Return material authorization (RMA) returns cannot be accepted and the Vivado Indirect SPI/BPI flash programming flow cannot be used if this bit is programmed. You must have external configuration memories programmed BEFORE you blow this fuse if you intend to use Vivado for this programming. | Yes (program to 1) |
| 1 | FUSE_SHAD_SEC[1] | Force use of AES key stored in eFUSE (BBRAM keys disabled). When this bit is NOT programmed, encryption and the key source can be selected via bitstream options – the FPGA can be configured using an unencrypted bitstream, or a bitstream encrypted with a key value stored in battery-backed RAM (BBRAM) or eFUSE. | No (keep at 0) |
| 2 | RSA_AUTH | Force RSA Authentication. Important: If this bit is programmed to 1, the device cannot be used unless the RSA key is known. Return material authorization (RMA) returns cannot be accepted and the Vivado Indirect SPI/BPI flash programming flow cannot be used if this bit is programmed. You must have external configuration memories programmed BEFORE you blow this fuse if you intend to use Vivado for this programming. | Pending customer security requirements |
| 3 | FUSE_SHAD_SEC[3] | Disables external JTAG pins. | Pending customer security requirements |
| 4 | SCAN_DISABLE | Disable AMD test access. | No (keep at 0) |
| 5 | CRYPT_DISABLE | Permanently disable the decryptor. | No (keep at 0) |
| 6 | FUSE_BKS_ENABLE | Enable key obfuscation. | Automatically set by Vivado Design Suite |
| 7–31 | Reserved | Reserved. | - |

  • When FUSE_SHAD_SEC[1:0] are NOT programmed:
    • Encryption can be enabled or disabled via the bitstream options.
    • The AES key stored in eFUSE or battery-backed SRAM (BBRAM) can be selected via the bitstream options.
  • When FUSE_SHAD_SEC[1:0] are programmed:
    • Only bitstreams encrypted with the eFUSE key can be used to configure the FPGA through external configuration ports.
Important: When FUSE_SHAD_SEC[0] or RSA_AUTH is programmed, only AES encrypted or RSA authenticated bitstreams, respectively, can be used to configure the FPGA through external configuration ports. This precludes device configuration from AMD test bitstreams and AMD pre-built bitstreams. Thus, AMD does not accept return material authorization (RMA) requests or support indirect flash programming for devices that have the FUSE_SHAD_SEC[0] or RSA_AUTH bit programmed.
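
Because these fuses cannot be reverted, a planned FUSE_SEC value is worth reviewing against the table before programming. The following Python check is an added example, not code from XAPP1267 or from Vivado: the bit positions, names and recommendations come from the table above, while the function name, the return shape and the sample values are assumptions of this example.

```python
# Added example: audits a planned FUSE_SEC value against the table above.
# Bit positions, names and recommendations come from the table; the function
# name, the return shape and the sample values are assumptions of this example.

# (bit, name, recommended value, or None when the table leaves it open)
FUSE_SEC_BITS = [
    (0, "FUSE_SHAD_SEC[0] (CFG_AES_Only)", 1),
    (1, "FUSE_SHAD_SEC[1]", 0),
    (2, "RSA_AUTH", None),          # pending customer security requirements
    (3, "FUSE_SHAD_SEC[3]", None),  # pending customer security requirements
    (4, "SCAN_DISABLE", 0),
    (5, "CRYPT_DISABLE", 0),
    (6, "FUSE_BKS_ENABLE", None),   # set automatically by Vivado Design Suite
]
RESERVED_MASK = 0xFFFFFF80  # bits 7-31


def audit_fuse_sec(value):
    """Return (programmed_names, findings) for a 32-bit FUSE_SEC value."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("FUSE_SEC is a 32-bit register")
    programmed, findings = [], []
    for bit, name, recommended in FUSE_SEC_BITS:
        is_set = (value >> bit) & 1
        if is_set:
            programmed.append(name)
        if recommended is not None and is_set != recommended:
            findings.append(f"{name}: bit {bit} is {is_set}, table recommends {recommended}")
    if value & RESERVED_MASK:
        findings.append("reserved bits 7-31 are set")
    if value & 0b101:  # bit 0 or bit 2: the two 'Important' notes apply
        findings.append("no RMA and no Vivado indirect SPI/BPI flash programming; "
                        "program external configuration memory before blowing this fuse")
    if value & 0b11 == 0b11:  # FUSE_SHAD_SEC[1:0] both programmed
        findings.append("only bitstreams encrypted with the eFUSE key will configure "
                        "through external ports (BBRAM keys disabled)")
    return programmed, findings


if __name__ == "__main__":
    # Constructed sample values, not taken from any real device.
    for sample in (0x01, 0x27):
        names, notes = audit_fuse_sec(sample)
        print(f"FUSE_SEC = 0x{sample:08X}: programmed = {names}")
        for note in notes:
            print("  -", note)
```

The findings are review prompts for the person approving the fuse programming step; the check does not read or write any device.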