Introduction

Using Encryption and Authentication to Secure an UltraScale/UltraScale+ FPGA Bitstream Application Note (XAPP1267)

Document ID: XAPP1267
Release Date: 2023-02-10
Revision: 1.6 English

UltraScale devices have on-chip AES-GCM decryption and authentication logic to provide a high degree of design security. Encrypted UltraScale FPGA designs cannot be copied or reverse-engineered. The UltraScale FPGA AES system comprises software-based bitstream encryption and on-chip bitstream decryption with dedicated memory for storing the encryption key and encrypted bitstream. The encryption key and the encrypted bitstream are generated using the Vivado tools.

UltraScale devices store the encryption key internally, either in dedicated RAM backed up by a small externally connected battery (BBRAM) or in the eFUSE. If using RSA authentication, the hash of the RSA public key must be programmed into the eFUSE. The encryption key can only be programmed into the device through the JTAG port. Neither the BBRAM nor the eFUSE can be read back. During configuration, the UltraScale device performs the reverse of the encryption operation, decrypting the incoming bitstream. The UltraScale FPGA AES encryption logic uses a 256-bit encryption key. The on-chip AES decryption logic cannot be used for any purpose other than bitstream decryption; i.e., the AES decryption logic is not available to the user design and cannot be used to decrypt any data other than the configuration bitstream.