I have a question related to bitstream encryption using eFUSE option. If my FPGA has bitstream encryption key stored in the eFUSE, how Vivado will know the encryption key when generating new encrypted bitstream? Does Vivado has a method to readback the key from eFUSE and use it for encryption?
Asked
Active
Viewed 283 times
1 Answers
2
How can Vivado know the encryption key?
Vivado uses an NKY file that is generated when setting the encryption key. For instance when executing
set_property BITSTREAM.ENCRYPTION.KEY0 56’h12345678ABCDDCBA12345678ABCDDCBA12345678ABCDDCBA12345678ABCDDCBA current_design]
An NKY file will be create, whose format is:
KEY 0 <hex string> (256 bit AES key)
For example: (top.nky)
Device xc7k325t;
Key 0 12345678ABCDDCBA12345678ABCDDCBA12345678ABCDDCBA12345678ABCDDCBA;
Key StartCBC 7115e9aa80085ea3ed65d26d3a8ab608;
Key HMAC d293d51c6058430262b05521f8f67279c9abce27d5fcafcf839bbe1af46713cc;
Can Vivado read back the key?
Quoting XAPP1239
The encryption key can only be loaded onto a device through the JTAG interface
After the key is programmed and the key-access mode is exited, the key cannot be read out of the device by any means, and it cannot be reprogrammed without clearing the entire device.
Fra93
- 1,992
- 1
- 9
- 18
-
Thanks a lot for your response. So, anyone who wants to map a new encrypted bitstream on that device (using the same eFuse key) must have the NKY file? – Tanvir Hossain Jul 07 '22 at 17:01
-
Yes, and that also makes sense because you need the same key. You can also copy manually and re run the command "set property... " P.S. consider upvoting and accepting good answers, is a kind practice here :) – Fra93 Jul 07 '22 at 20:53