To generate an encrypted bitstream, open an implemented design in Vivado IDE. From the main toolbar select to make the Settings dialog box appear. At the top of the dialog box, click Configure Additional Bitstream Settings.
This brings up the Edit Device Properties dialog box. Select Encryption in the left-hand pane.
In the Edit Device Properties dialog box, specify the Encryption Settings and Key Settings as follows.
- Set Enable Bitstream Encryption to YES.
- Set Select location of encryption
key to either BBRAM or
- The key location is embedded in the encrypted bitstream.
- When the encrypted bitstream is downloaded to the device, it instructs the FPGA to use the key loaded into the BBR or the eFUSE key register to decrypt the encrypted bitstream.
- Specify the Starting AES encryption key
(key0) to use when encrypting the bitstream. You can use up
to 64 hex characters to specify the 256-bit key.
Note: This value will be stored in the current project constraints file unless an input encryption file is specified. To avoid storing this value in the constraints file, specify the input encryption file.
- The key will be written to a file with an .nky file extension. Use this file when loading the key into the BBR or when programming the key into the eFUSE key register.
- Specify Input encryption file: Specify an existing .nky file to obtain the encryption key settings. This field is optional and can be omitted if specifying the AES, HMAC, and CBC manually.
- Specify Starting AES initial vector (IV0)
value. Select initialization vector for the first key.
Note: Each key needs a separate initialization vector value that can be supplied through the input encryption file.Note: This value will be stored in the current project constraints file. To avoid storing this value in the constraints file, specify the input encryption file.
- Specify the Starting obfuscate initial vector (Obfuscate IV0) value. Select the
initialization vector for the obfuscated key.Note: This value will be stored in the current project constraints file. To avoid storing this value in the constraints file, specify the input encryption file.
Key Rolling Settings
- Specify if a debug file to report all the keys generated in KDF mode should be generated.
- Specify a Fixed Input Data for KDF key rolling. This is an optional 60 byte fixed input value, specified as a 120-digit hexadecimal value. This 60-Byte input along with the 4-Byte counter serves as the 64 byte input to the KDF pseudo-random fixed input value via RAND_bytes.
- Specify Seed for KDF Key rolling. This is an optional 32 byte seed value for the KDF, specified as a 64 digit hexadecimal value.
- Specify Number of encryption blocks per key and Number of frames per AES-256 key. The number of encryption blocks and frames are used to specify how many sections a bitstream will be broken into with distinct keys.
For authentication settings select Authentication in the left-hand pane
In the Edit Device Properties-Authentication dialog box, specify the encryption and key settings as follows:
- Set Enable Bitstream Authentication to YES.
- Specify the Input file containing RSA Private Key.
Provide an RSA private key file after specifying the encryption and authentication settings, Click OK to apply the settings to the project. Re-run Implementation and regenerate the bitstream file. Upon successful completion of the
write_bitstreamoperation, the generated .nky encryption key file appears in the same directory as the encrypted bitstream file.
You can protect IP in bitstreams by encrypting the bitstreams with a 256-bit Advanced Encryption Standard (AES) key, and downloading the bitstreams to run only on authorized FPGAs. Do this by programming the 256-bit key into the BBR register of the authorized FPGAs before downloading the encrypted bitstream.