eFUSE Programming General Recommendations

Using Encryption and Authentication to Secure an UltraScale/UltraScale+ FPGA Bitstream Application Note (XAPP1267)

Document ID: XAPP1267
Release Date: 2023-02-10
Revision: 1.6 English

Apply the following recommendations for eFUSE programming projects:

Required: Use Vivado Design Suite 2017.1 or newer.

Recommended: Set the FPGA configuration mode pins to the JTAG only setting during eFUSE programming, if the board design allows.

Required: Use separate eFUSE programming operations, i.e., separate passes through the Program eFUSE GUI wizard or separate Tcl commands, to program applicable eFUSE values and options in the following order:

1. Program eFUSE operation pass #1: Program NKY values (AES, RSA) and FUSE_USER values.

2. Program eFUSE operation pass #2: (If applicable) Program the Security Register (FUSE_SEC) options, except for JTAG disable.

3. Program eFUSE operation pass #3: (If applicable) Program the Control Register (FUSE_CNTL) options, except for the W_DIS_CNTL (write-disable control register).

Note: If you need to program the Security Register JTAG Disable option in the final step (5), do not program the Control Register W_DIS_SEC option.

4. Program eFUSE operation pass #4: (If applicable) Program the Control Register W_DIS_CNTL (write-disable FUSE_CNTL register). See Vivado Design Suite User Guide: Programming and Debugging (UG908) [Ref 4].

5. Last program eFUSE operation pass: (If applicable) Program the Security Register JTAG Disable. See Vivado Design Suite User Guide: Programming and Debugging (UG908) [Ref 4].
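The pass order in steps 1 to 5 can be checked before any fuse is programmed. The following is an added example, not code from the application note or from Vivado: a plan linter in which the item labels (AES_KEY, RSA_HASH, SEC:..., CNTL:..., OPTION_A, OPTION_B) are constructed for this sketch and are not Vivado option names.

```python
# Added example: lint a planned eFUSE programming sequence against the pass
# order in steps 1-5. Item labels are constructed here, not Vivado names.

def stage(item):
    """Return the pass number (1-5) that a planned item belongs to."""
    if item in ("AES_KEY", "RSA_HASH", "FUSE_USER"):
        return 1                      # NKY values and FUSE_USER
    if item == "SEC:JTAG_DISABLE":
        return 5                      # always the last pass
    if item == "CNTL:W_DIS_CNTL":
        return 4                      # write-disable of FUSE_CNTL itself
    if item.startswith("SEC:"):
        return 2                      # remaining FUSE_SEC options
    if item.startswith("CNTL:"):
        return 3                      # remaining FUSE_CNTL options
    raise ValueError(f"unknown eFUSE item: {item}")

def lint_plan(passes):
    """passes: list of sets, one per programming operation, in execution
    order. Returns a list of violations (empty if the plan is in order)."""
    problems, last_stage = [], 0
    for n, items in enumerate(passes, start=1):
        stages = {stage(i) for i in items}
        if len(stages) > 1:
            problems.append(f"operation {n} mixes passes {sorted(stages)}")
        if stages and min(stages) < last_stage:
            problems.append(
                f"operation {n} programs pass-{min(stages)} items "
                f"after pass {last_stage}")
        last_stage = max(stages | {last_stage})
    planned = set().union(*passes) if passes else set()
    # Rule from the Note under step 3: no W_DIS_SEC if JTAG Disable is planned.
    if {"SEC:JTAG_DISABLE", "CNTL:W_DIS_SEC"} <= planned:
        problems.append("W_DIS_SEC planned together with a final JTAG Disable")
    return problems

# Constructed sample plans.
GOOD = [{"AES_KEY", "RSA_HASH", "FUSE_USER"}, {"SEC:OPTION_A"},
        {"CNTL:OPTION_B"}, {"CNTL:W_DIS_CNTL"}, {"SEC:JTAG_DISABLE"}]
BAD = [{"AES_KEY", "SEC:JTAG_DISABLE"}, {"CNTL:W_DIS_SEC", "CNTL:W_DIS_CNTL"}]

if __name__ == "__main__":
    for name, plan in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_plan(plan) or "ok")
```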

Recommended: For the first programmed device, validate the eFUSE results after each of the preceding steps, and then re-validate the eFUSE results after completing all steps to ensure that the final results from a complete eFUSE programming procedure are as expected.

If AES and/or RSA values are programmed, then validate that the device loads an AES-encrypted and/or RSA-signed bitstream successfully.

If FUSE_USER value is programmed, then validate that you read the correct JTAG FUSE_USER and/or EFUSE_USER primitive value.

If FUSE_SEC settings are programmed, then validate the correct device behavior for the chosen settings.

If FUSE_CNTL settings are programmed, then check the resulting REGISTER.EFUSE.FUSE_CNTL value in Vivado to verify the settings, and check that the read-protected REGISTER.EFUSE.* registers in Vivado do not show your actual values.

Note: It is expected that Vivado will show some FUSE_CNTL reserved bit locations which are previously programmed to '1' by the Xilinx factory.

Verify that you can, or cannot, access the device JTAG, depending on your choice for step 5.