UltraScale FPGAs allow you to break up the bitstream into multiple AES encryption messages, each encrypted with its own unique key. With this feature, known as rolling keys , the initial key is stored on-chip, while keys for each successive message are encrypted (wrapped) in the previous message. Rolling keys increases security against side-channel attacks such as differential power analysis (DPA). The bitstream option BITSTREAM.ENCRYPTION.KEYLIFE defines the number of encryption blocks per key. Fewer encryption blocks per key offers greater security but greatly increases bitstream size and therefore configuration time. Selecting a value such as 1,024 or higher increases configuration size by about 15%, a value of 64 can increase bitstream size by 50%, and a value of 32 (default) can more than double the bitstream size. See This Figure for a graph showing bitstream size multiplier vs. block per key.
Xilinx strongly recommends to create your own AES key, however if you choose to allow the Vivado software to generate your pseudo-random keys, you will see the number of Keys (Key0, Key1, Keyn...) included in the resulting NKY file. To define multiple custom keys you must provide them in a .NKY file and use the BITSTREAM.ENCRYPTION.KEYFILE write_bitstream property. For additional information regarding this write_bitstream property refer to Table: Write_bitstream Properties or see the Vivado Design Suite User Guide: Programming and Debugging (UG908) [Ref 4] .
IMPORTANT: See Xilinx Design Advisory 76171 for important updates about generating your own keys for fielded systems and providing the keys in the development tools.
When using RSA authentication, certain block RAMs might be used to hold interim rolling keys, which impacts the ability to initialize those blocks. For any given block RAM column, each 36K block that resides in the bottom of a clock region is affected; essentially the first 36K block RAM starting at the bottom of a device and then every 12th 36K block RAM after that in a column (BRAM36_X*Y0, BRAM36_X*Y12, BRAM36_X*Y24, etc.). Those block RAMs cannot be initialized to user-defined values when using RSA authentication. Those block RAMs are always initialized to 0 after configuration. A DRC will trigger if you are using block RAM in your design affected by this RSA block RAM usage.
If you are using the more secure approach and defining your own keys, and have not provided the correct amount of keys determined by your BITSTREAM.ENCRYPTION.KEYLIFE option (could potentially be thousands of keys), Vivado will generate the necessary keys on your behalf and include them in your NKY file. Xilinx recommends that you always generate a complete set of your own keys.