Loading the Encrypted Bitstream

Using Encryption and Authentication to Secure an UltraScale/UltraScale+ FPGA Bitstream Application Note (XAPP1267)

Document ID: XAPP1267
Release Date: 2023-02-10
Revision: 1.6 English

After the device has been programmed with the correct encryption key, the device can be configured with an encrypted bitstream. After configuration with an encrypted bitstream, it is not possible to read the configuration memory through JTAG or SelectMAP readback, regardless of the bitstream security setting. Although the device holds an encryption key, a non-encrypted bitstream can be used to configure the device (only if the FUSE_SHAD_SEC[0] bit is not programmed) and only after INIT_B or PROGRAM_B is asserted, thus clearing out the configuration memory. In this case the key is ignored. After configuring with a non-encrypted bitstream, readback is possible (if allowed by the write_bitstream security settings). However, the encryption key still cannot be read out of the device, preventing the use of Trojan Horse bitstreams to defeat the UltraScale FPGA encryption scheme.

None of the supported configuration methods are affected by encryption. UltraScale FPGAs do not allow bitstreams to be created with both compression and RSA authentication. An encrypted bitstream can be delivered through any configuration interface: JTAG, Serial, SPI, BPI, SelectMAP, or ICAPE3. After configuration, the device cannot be reconfigured without toggling the PROGRAM_B pin, cycling power, or issuing the IPROG or JPROGRAM instruction. Fallback and IPROG reconfiguration are enabled even when encryption is turned on, and the Fallback and IPROG reconfiguration images can be either encrypted or unencrypted. Readback is available through the ICAPE3 primitive. None of these events resets the BBRAM key as long as VBATT or VCCAUX is maintained.

A mismatch between the key in the encrypted bitstream and the key stored in the device causes configuration to fail with the INIT_B pin pulsing Low and then back High if fallback is enabled, and the DONE pin remaining Low. Advanced configuration solutions such as tandem configuration and partial reconfiguration are supported with encrypted bitstreams. Partial bitstreams can be delivered unencrypted to the ICAP, or encrypted (with the same AES key) to any configuration port, as long as the latter has not been explicitly forbidden by the designer. Setting Security Level2 (via set_property BITSTREAM.READBACK.SECURITY Level2 [current_design]) or programming the FUSE_SHAD_SEC[0] "CFG_AES_Only" bit to a 1 prevents partial reconfiguration over external configuration ports.
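The following Vivado Tcl fragment is an added example and is not part of XAPP1267 or Xilinx's own scripts. It collects the write_bitstream settings discussed above (encryption with the BBRAM key, Security Level2, optional RSA authentication) and adds a pre-flight check for the compression/RSA-authentication restriction the note states for UltraScale devices. It assumes an implemented design is open; the key file paths and the output bitstream name are placeholders.

```tcl
# Added example (not from XAPP1267): write_bitstream settings for an encrypted,
# Level2-secured bitstream plus a check that compression and RSA authentication
# are not combined. Key file paths and the output name are placeholders.

# Encrypt the bitstream using the key stored in BBRAM; the .nky path is a placeholder.
set_property BITSTREAM.ENCRYPTION.ENCRYPT YES [current_design]
set_property BITSTREAM.ENCRYPTION.ENCRYPTKEYSELECT BBRAM [current_design]
set_property BITSTREAM.ENCRYPTION.KEYFILE {./keys/placeholder.nky} [current_design]

# Security Level2: no readback and no partial reconfiguration over external
# configuration ports once the device is configured.
set_property BITSTREAM.READBACK.SECURITY Level2 [current_design]

# Optional RSA authentication of the bitstream; the private key path is a placeholder.
set_property BITSTREAM.AUTHENTICATION.AUTHENTICATE YES [current_design]
set_property BITSTREAM.AUTHENTICATION.RSAPRIVATEKEYFILE {./keys/placeholder_rsa.pem} [current_design]

# Pre-flight check: UltraScale devices do not accept a bitstream that is both
# compressed and RSA authenticated, so refuse to run write_bitstream in that case.
proc check_auth_vs_compress {} {
    set d        [current_design]
    set compress [string toupper [get_property BITSTREAM.GENERAL.COMPRESS $d]]
    set auth     [string toupper [get_property BITSTREAM.AUTHENTICATION.AUTHENTICATE $d]]
    if {$compress eq "TRUE" && $auth eq "YES"} {
        error "BITSTREAM.GENERAL.COMPRESS and BITSTREAM.AUTHENTICATION.AUTHENTICATE cannot both be enabled on UltraScale; clear one before write_bitstream"
    }
    return 1
}

check_auth_vs_compress
write_bitstream -force ./placeholder_encrypted.bit
```

Because an RSA-authenticated encrypted bitstream cannot be loaded over JTAG from the Hardware Manager, the resulting file is intended for delivery through SelectMAP, SPI, or BPI as the note requires.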

IMPORTANT: An RSA authenticated encrypted bitstream must be programmed from one of these configuration interfaces: SelectMAP, SPI, or BPI. Direct JTAG programming of RSA authenticated bitstreams with Vivado HW Manager is not supported. For UltraScale FPGA devices and configuration modes that support RSA authentication, see the RSA Authentication section in the UltraScale Architecture Configuration User Guide (UG570) [Ref 3].