After what may seem like ages on many projects, our FPGA designs are ready to be deployed in the field. Of course, by this time, our employers have spent a considerable amount of resources and investment developing the product. With this in mind, it makes perfect sense that FPGAs, which are deployed in the field, have bit stream protection to prevent reverse engineering and unauthorized reuse.
To protect our 7 series designs, AMD FPGAs provide support for the Advanced Encryption Standard (AES). This offers a high level of security as the bit stream is encrypted with a 256-bit AES key and decoded internally within the FPGA as the device is programmed. The AES key for the decryption is stored within the FPGA either in a one-time programmable eFuse or battery-backed RAM (BBRAM). In this blog, we are going to use an Arty S7-50 and demonstrate how we are able to program the AES key to the BBRAM. Even without a battery on the Arty S7-50, the BBRAM is powered and it will enable me to demonstrate the concept.
However, before I jump into the exact steps required to do this, I want to reiterate that developing secure and safe systems is a complex subject. For example, the best security comes from using a truly random key so I recommend also reading XAPP1239 and XAPP1084 along with this blog.
I have created a simple MicroBlaze design for this application which outputs an incrementing count over the serial port every second infinitely. This ELF file has been merged with the bit stream and will start outputting the count once the FPGA is configured.
To encrypt a bit stream, we need to open the implemented design and set in the bit stream generation options that we wish to encrypt the bit stream. At this point, you can enter your cryptographic key information if you desire (and I highly recommend doing so). If this is left blank, Vivado will generate the necessary information which is less secure. If Vivado generates your keys, it will produce a *.nky file within your implementation directory. You can then add in this file for future runs on your design. Of course, you can also use the same format to define your generated keys.
Device xc7s50;
Key 0 25e2e0380c53f3a3f068baa326733a1e6f5e589a7185339fd73a922e218de87f;
Key StartCBC 9af2391ad0118907e5ba7d4b16a6c3d0;
Key HMAC 37fe8c2b9ab49da759b7cad0687d05b20c2b1a5f09f74441c2201ebfdecb0db3;Saving these options will add additional elements into the target XDC file.
set_property BITSTREAM.ENCRYPTION.ENCRYPT YES [current_design]
set_property BITSTREAM.ENCRYPTION.KEYFILE {C:\hdl_clients\s7_enc\s7_enc.runs\impl_1\design_1_wrapper.nky} [current_design]With the Arty connected to the hardware manager, we can program either the BBRAM or the eFuse key.
In this example, we will select the program BBR key and this will open a dialog enabling us to program the NKY file.
With the NKY file selected, the AES key will be visible to allow you to confirm that the correct key is being loaded. When the dialog is closed, the key will be programmed and the TCL console will show the success or failure of this action.
We can now program the design with the bit stream over JTAG which has been encrypted with the same key.
This will start the program in the MicroBlaze running from 0 again as the new configuration is loaded.
If we power cycle or reset the BBR key and then try to program the encrypted bit stream, we will see that the programming does not complete because there is no decryption key stored in the FPGA.
Using this flow enables us to begin to secure our deployed systems. If you are programming the encryption key using the eFuse, be careful to ensure that you follow the rules set out in XAPP1239 as the AES key and associated registers must be programmed at the same time.
We will look at securing UltraScale+ FPGAs, Zynq-7000 SoCs and UltraScale+ MPSoC heterogeneous SoCs in a future blog.
Workshops and Webinars
If you enjoyed the blog why not take a look at the free webinars, workshops and training courses we have created over the years. Highlights include
Professional PYNQ Learn how to use PYNQ in your developments
Introduction to Vivado learn how to use AMD Vivado
Ultra96, MiniZed & ZU1 three day course looking at HW, SW and Petalinux
Arty Z7-20 Class looking at HW, SW and Petalinux
Mastering MicroBlaze learn how to create MicroBlaze solutions
HLS Hero Workshop learn how to create High Level Synthesis based solutions
Perfecting Petalinux learn how to create and work with petalinux OS
Embedded System Book Do you want to know more about designing embedded systems from scratch? Check out our book on creating embedded systems. This book will walk you through all the stages of requirements, architecture, component selection, schematics, layout, and FPGA / software design. We designed and manufactured the board at the heart of the book! The schematics and layout are available in Altium here Learn more about the board (see previous blogs on Bring up, DDR validation, USB, Sensors) and view the schematics here.
Sponsored by AMD