Encrypted Bitstream Implementation Overview

Using Encryption and Authentication to Secure an UltraScale/UltraScale+ FPGA Bitstream Application Note (XAPP1267)

Document ID: XAPP1267
Release Date: 2023-02-10
Revision: 1.6 English

The following is a list of seven fundamental steps needed to implement an encrypted design in an UltraScale FPGA:

1. Choose an AES key storage location (BBRAM or eFUSE) and the corresponding security options. (See Developing Tamper-Resistant Designs with UltraScale FPGAs Application Note (XAPP1098) [Ref 5] for trade-offs between BBRAM and eFUSE.)

2. Choose an authentication method: AES-GCM or RSA. (See XAPP1098 [Ref 5] for trade-offs between AES-GCM and RSA authentication.)

3. Implement the hardware requirements in your board design based on your AES key storage location selection.

4. Using the Vivado Design Suite software, generate an AES key or provide your own custom AES key to the software (which is always the most secure approach), then encrypt the bitstream.

   a. Generate/create the AES key.

   b. If RSA was chosen as the authentication method, generate an RSA public/private key pair using OpenSSL [Ref 6] or other key generation software.

5. Program the AES key into the FPGA using the JTAG interface.

6. Program the encrypted bit file into the FPGA via JTAG or another configuration mode such as SPI or BPI.

Note: For UltraScale FPGA devices and configuration modes that support RSA authentication, see the RSA Authentication section in the UltraScale Architecture Configuration User Guide (UG570) [Ref 3].

7. Perform hardware validation to ensure proper operation.
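
Steps 4a and 4b as a shell sketch; this is an added example, not code from the application note. It draws a custom AES key from OpenSSL's random generator, rejects malformed or constant-value keys, and creates an RSA key pair with owner-only file permissions. It assumes a 256-bit AES key and a 2048-bit RSA key; the function and file names are hypothetical.

```shell
#!/bin/sh
# Added example: key generation for steps 4a and 4b (file names are hypothetical).
set -eu
umask 077                      # new key files are readable by their owner only

# Step 4a: 256-bit AES key (assumed size), printed as 64 hex characters.
gen_aes_key() {
    openssl rand -hex 32
}

# Accept only 64 hex characters that are not one repeated digit (e.g. all zeros).
check_aes_key() {
    key=$1
    [ "${#key}" -eq 64 ] || return 1
    case $key in *[!0-9a-fA-F]*) return 1 ;; esac
    first=$(printf '%s' "$key" | cut -c1)
    rest=$(printf '%s' "$key" | tr -d "$first")
    [ -n "$rest" ] || return 1
}

# Step 4b: RSA-2048 private key (assumed size) plus the matching public key, in PEM form.
gen_rsa_pair() {
    openssl genrsa -out "$1/rsa_private.pem" 2048 2>/dev/null
    openssl rsa -in "$1/rsa_private.pem" -pubout -out "$1/rsa_public.pem" 2>/dev/null
}

# Modulus size in bits, derived from the hex modulus OpenSSL prints.
rsa_bits() {
    m=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
    m=${m#Modulus=}
    echo $(( ${#m} * 4 ))
}

workdir=$(mktemp -d)
aes_key=$(gen_aes_key)
check_aes_key "$aes_key" || { echo "rejected AES key" >&2; exit 1; }
printf '%s\n' "$aes_key" > "$workdir/aes_key.hex"
gen_rsa_pair "$workdir"
# Report sizes only; never echo the key material itself.
echo "AES key: ${#aes_key} hex chars, RSA modulus: $(rsa_bits "$workdir/rsa_private.pem") bits"
echo "Key files written to $workdir"
```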