Xilinx® 7 series FPGAs use the embedded, PL-based, hash-based message authentication code (HMAC) and an advanced encryption standard (AES) module with a cipher block chaining (CBC) mode. For UltraScale devices and beyond, AES-256 in Galois/Counter Mode (GCM) is used, and HMAC is not required.
To create an encrypted bitstream, the AES key file is specified in the BIF using the attribute aeskeyfile. The attribute encryption=aes should be specified against the bitstream listed in the BIF file that needs to be
bootgen -arch fpga -image secure.bif -w -o securetop.bit
The BIF file looks like the following:
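A pre-build check for the two BIF attributes described above, as an added example rather than Xilinx code: it parses a BIF and reports any .bit entry that lacks encryption=aes, or that requests it when no aeskeyfile is given. The BIF layout (image name, braces, one "[attribute] file" entry per line) and all file names in the samples are assumptions of this example.

```python
import re

# Constructed sample BIFs; image and file names are placeholders, not from the page.
GOOD_BIF = """
the_ROM_image:
{
    [aeskeyfile] example_key.nky
    [encryption=aes] example_top.bit
}
"""
BAD_BIF = GOOD_BIF.replace("[encryption=aes] ", "")  # bitstream left in plaintext

# One entry per line: optional "[attr, attr=value]" group, then a file path.
ENTRY = re.compile(r"^\s*(?:\[(?P<attrs>[^\]]*)\])?\s*(?P<path>\S+)\s*$")

def parse_attrs(group):
    """Turn 'encryption=aes, foo' into {'encryption': 'aes', 'foo': ''}."""
    attrs = {}
    for item in filter(None, (p.strip() for p in (group or "").split(","))):
        key, _, value = item.partition("=")
        attrs[key.strip().lower()] = value.strip().lower()
    return attrs

def parse_bif(text):
    """Return (attrs, path) for every entry between the outer braces."""
    body = text[text.index("{") + 1 : text.rindex("}")]
    matches = (ENTRY.match(line) for line in body.splitlines())
    return [(parse_attrs(m["attrs"]), m["path"]) for m in matches if m]

def check_bif(text):
    """Return findings; an empty list means every bitstream will be encrypted."""
    entries = parse_bif(text)
    has_key = any("aeskeyfile" in attrs for attrs, _ in entries)
    findings = []
    for attrs, path in entries:
        if not path.lower().endswith(".bit"):
            continue  # key files and other inputs are not bitstreams
        if attrs.get("encryption") != "aes":
            findings.append(f"{path}: no encryption=aes attribute")
        elif not has_key:
            findings.append(f"{path}: encryption=aes but no aeskeyfile entry")
    return findings

if __name__ == "__main__":
    for name, bif in (("good", GOOD_BIF), ("bad", BAD_BIF)):
        print(name, check_bif(bif) or "OK")
```

Run it against the BIF before invoking bootgen and fail the build on any finding.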
A Bootgen command to authenticate an FPGA bitstream is as follows:
bootgen -arch fpga -image all.bif -o rsa.bit -w on -log error
The BIF file is as follows:
Family or Obfuscated Key
To support obfuscated key encryption, you must register with Xilinx support and request the family key file for the target device family. The path to where this file is stored must be passed as a BIF option before attempting obfuscated encryption. Contact firstname.lastname@example.org to obtain the Family Key.