UltraScale FPGAs enable you to load your AES key into the device in an obfuscated format. This enables you to give the obfuscated key to a contract manufacturer without having to expose your true AES-256 key to the contract manufacturer. When you set the BITSTREAM.ENCRYPTION.OBFUSCATEKEY property, Vivado write_bitstream software creates a new key, ObfuscateKey , in the output NKY file. This obfuscated key is created by encrypting your AES-256 key with a metalized family key stored in the silicon. The same key is used on all UltraScale devices and all UltraScale+ FPGAs. (The UltraScale FPGA family key is different from the UltraScale+ FPGA family key).
Xilinx does not provide the family key as part of the Vivado tools. Customers must send a request for the family key to secure.solutions@xilinx.com. It will then be distributed to qualified customers through the Product Licensing site on www.xilinx.com .
To specify the location of the family key you must set the following write_bitstream property:
set_property BITSTREAM.ENCRYPTION.FAMILY_KEY_FILEPATH
C:/<
any directory
>/familyKey_us.cfg [current_design]
.
You can give the obfuscated key to your contract manufacturer rather than the actual AES-256 key. When the key is programmed into either the eFUSE or BBRAM, if the NKY file contains an KeyObfuscate field, a flag is automatically set in the storage location indicating that this key is obfuscated. The resulting bitstream also contains additional instructions informing the chip to decrypt the appropriate AES-256 key storage location prior to using the key to decrypt the rest of the bitstream. The obfuscated key settings in the location that the bitstream selects must match the obfuscated key settings of the bitstream. The BITSTREAM.ENCRYPTION.OBFUSCATEKEY property is not compatible with the Configuration Counting DPA countermeasure for BBRAM key storage.