BBRAM Storage Location

Using Encryption and Authentication to Secure an UltraScale/UltraScale+ FPGA Bitstream Application Note (XAPP1267)

Document ID
XAPP1267
Release Date
2023-02-10
Revision
1.6 English

When an encryption key is stored in the FPGA's battery-backed RAM, the encryption key memory cells are volatile and must receive continuous power to retain their contents. During normal operation, these memory cells are powered by the auxiliary voltage input (V CCAUX ).

RECOMMENDED: A separate V BATT power input is needed to retain the key if and when V CCAUX is removed. Therefore it is recommended that the AES key be programmed in-system on a board that has the battery back-up. Otherwise, the key is lost when the power/battery is removed.

IMPORTANT: Program the BBRAM to a known state before attempting to configure with an encrypted bitstream that uses the BBRAM as the key source. If you attempt to download an encrypted bitstream on power-up before the BBRAM key is programmed, the FPGA device might lock up. You must power-cycle the device and then load the BBRAM key before configuring with an encrypted bitstream.

Table: BBRAM Storage Location Advantages and Disadvantages identifies BBRAM storage location advantages and disadvantages.

Table  1: BBRAM Storage Location Advantages and Disadvantages

Advantages

Disadvantages

Volatile and re-programmable

Passive and active key clearing (i.e., the evidence can be removed)

Tamper resistant (1)

BBRAM can use either RSA authentication or Configuration Counting for DPA protection

Cannot readback the BBRAM key as there is no readback path

Requires an external battery.

Many battery vendors do not specify operation at high temperatures and/or long lifetimes.

Notes:

1. There is no physical path to read the key out of BBRAM (write only access).