Description
Achronix provides the ability to generate encrypted bitstreams for designers who wish to protect their intellectual property. The bitstream encryption scheme incorporates two types of encryption keys:
- A symmetric AES secret key
- An asymmetric public/private key pair
These keys are used when generating the user bitstream during the implementation phase in ACE and are also written to the eFuses in the FPGA before programming the bitstream. Designers should generate unique keys so that attempts to recover their intellectual property do not succeed. Refer to the Speedster7t Configuration User Guide (UG094) for additional details about the Achronix encryption scheme.
Encrypting a bitstream can help protect the intellectual property contained within by making it more difficult to access and reverse engineer the design. While it may add some complexity to the programming process, encryption can be an important measure for those wanting to ensure the security of their designs. It is ultimately up to the user to decide whether the benefits of encrypting the bitstream outweigh the additional complexity. If an encrypted bitstream is required, follow the procedures in this document to take advantage of the Achronix-provided encryption scheme.
A working JTAG connection to a Speedster7t device is required as well as familiarity with issuing commands in the ACE Tcl console before following the steps in this document. For detailed instructions on how to establish a JTAG connection and issue commands, please refer to the ACE User Guide (UG070).
AC7t1500
Generating a Public and Private Key Pair
The Athena key generator tool is included with ACE and can be found here:
- Linux: /<ACE_INSTALL_DIR>/Achronix-linux/system/cmd64/geneckey
- Windows: C:\<ACE_INSTALL_DIR>\Achronix\system\cmd64\geneckey.exe
The following are example invocations of the geneckey tool:
Linux:
$ cd /<ACE_INSTALL_DIR>/Achronix-linux/system/cmd64
cmd64 $ ./geneckey <path to output file>/my_eckey
Windows:
C:\>cd <ACE_INSTALL_DIR>\Achronix\system\cmd64
<ACE_INSTALL_DIR>\Achronix\system\cmd64>geneckey my_eckey
For this example, the key generator outputs three files:
- my_eckey.privkey.pem – the private key. Used with the bitstream implementation option bitstream_encryption_pem_key_file in ACE. The .pem file type is typically used for secure protocols such as with encryption. The following is an example .pem file generated with the Athena authentication key generator:
  -----BEGIN PRIVATE KEY-----
  < PEM key value here >
  -----END PRIVATE KEY-----
- my_eckey.pubkey.txt – 768-bit hash of the public key. Used when writing to the FPGA eFuses before programming.
- my_eckey.pubkey.pem – the public key. Only created by the key generator. It is not necessary to write this value during bitstream creation or when writing to the eFuses.
Encrypting an AC7t1500 Bitstream with ACE
1. From the ACE options panel, select Bitstream Generation:
   Figure: ACE Options Panel
2. Configure the AES Encryption options:
   Figure: AC7t1500 AES Encryption Configuration Options
   a. Check the Encrypt Bitstream option.
   b. Enter a file name and path in the 256-bit AES Encryption Key Filepath box to encrypt the bitstream data. The file must meet the following requirements:
      - Specified as an absolute path or a path relative to the current ACE project
      - A .txt file type
      - Contains the AES key as a hexadecimal value:
        For ACE 9.0 or later installations, any 256-bit or 64-character value.
        For ACE installations prior to 9.0, any 256-bit or 64-character value with a new line character at the end of the AES sequence. This makes the total file 260 bits or 65 characters.
      This option is ignored if Achronix Default Keys is selected as the Decryption Key Source in step d.
   c. Enter a file name and path in the PEM Private Key Filepath box to encrypt the bitstream data. This must be an absolute path or a path relative to the current ACE project and should be a .pem file that was created in the Generating a Public and Private Key Pair section. This option is ignored if Achronix Default Keys is selected as the Decryption Key Source in step d.
   d. Select the Decryption Key Source: E-Fuse Keys (0) or Achronix Default Keys (1). This option specifies whether the E-Fuse keys (0) or the default Achronix keys (1) on the target device are used for decryption.
      Note: If Achronix Default Keys is selected, any values entered in the AES Encryption Key Filepath or PEM Private Key Filepath are ignored. This is because the Achronix Default Keys are pre-programmed onto the target device and are used as the encryption key source.
   e. Select the Decryption Key Type: Use PUF black key (0) or Use red key (1). This option specifies whether to use PUF to create the red key from the black key (0) or treat the red key as the source during encryption (1).
      Note: When using the Achronix default keys as the decryption key source, the red keys must be treated as the source, and PUF is not allowed.
   f. Select the E-Fuse Key Index. This option specifies which key to use. Bitstreams can be encrypted with 4 different AES keys. The E-Fuse Key Index is the AES key index whose key value should be assigned to the 256-bit AES Encryption Key Filepath. This also requires Decryption Key Source to be set to "0", which directs ACE to use the E-Fuse keys. The Key Index value can be "0", "1", "2", or "3". For the target FPGA to decrypt the bitstream, the AES key must be written to the corresponding Key Index in the FCU. Additional details on using the Key Index are in the next section, Programming the Encryption Keys.
   g. Check the Enforce Same Key option if programming multiple encrypted bitstreams. This option specifies whether or not subsequent bitstreams can be programmed with the same encryption types and keys without resetting the FPGA. If Enforce Same Key is enabled (1), subsequent bitstreams must use the same Key Source, Key Type, and Key Index unless the FPGA has been reset.
Alternatively, the following commands may be entered in the ACE project file or the ACE Tcl console:
set_impl_option -project <ace project name> -impl impl_1 bitstream_encrypted "1"
set_impl_option -project <ace project name> -impl impl_1 bitstream_encryption_aes_key_file "key_files/aes.txt"
set_impl_option -project <ace project name> -impl impl_1 bitstream_encryption_pem_key_file "key_files/my_eckey.privkey.pem"
set_impl_option -project <ace project name> -impl impl_1 bitstream_encryption_key_source "0"
set_impl_option -project <ace project name> -impl impl_1 bitstream_encryption_key_type "1"
set_impl_option -project <ace project name> -impl impl_1 bitstream_encryption_key_index "0"
set_impl_option -project <ace project name> -impl impl_1 bitstream_encryption_same_key "0"
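The key-file and option rules in this section can be checked before the bitstream is generated. The following Python is an added example, not Achronix or ACE code: the helper names are hypothetical, the option names are the ones in the Tcl commands above, and it assumes Python 3.9 or later and that the key file holds nothing but the hexadecimal digits (plus the newline for ACE before 9.0).

```python
import os
import re
import secrets

# Option names come from the Tcl commands above; helper names are hypothetical.
OPT = re.compile(r'^\s*set_impl_option\b.*\s(bitstream_encrypt\w+)\s+"([^"]*)"\s*$')
HEX256 = re.compile(r"[0-9a-fA-F]{64}")


def write_aes_key(path, legacy_newline=False):
    """Write a fresh random 256-bit key as 64 hex characters, owner-only (POSIX)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", newline="") as fh:
        fh.write(secrets.token_hex(32) + ("\n" if legacy_newline else ""))


def check_aes_key(path, legacy_newline=False):
    """Return problems found in an AES key file; an empty list means it passes."""
    problems = [] if path.lower().endswith(".txt") else ["key file is not a .txt file"]
    with open(path, newline="") as fh:
        text = fh.read()
    if legacy_newline and not text.endswith("\n"):  # ACE before 9.0: key + newline
        problems.append("ACE before 9.0 needs a newline after the key")
    key = text.removesuffix("\n") if legacy_newline else text
    if not HEX256.fullmatch(key):  # assumption: nothing but the 64 hex digits
        problems.append("key is not exactly 64 hexadecimal characters")
    return problems


def check_options(tcl_text):
    """Return inconsistencies among the bitstream encryption options."""
    found = (m.groups() for m in map(OPT.match, tcl_text.splitlines()) if m)
    opts = {name.removeprefix("bitstream_encryption_"): val for name, val in found}
    problems = []
    if opts.get("bitstream_encrypted") != "1":
        problems.append("bitstream_encrypted is not 1")
    if opts.get("key_source") == "1":  # Achronix default keys
        if opts.get("key_type") != "1":
            problems.append("default keys require key_type 1 (red key, no PUF)")
    elif opts.get("key_source") == "0":  # user keys held in eFuses
        if opts.get("key_index") not in ("0", "1", "2", "3"):
            problems.append("key_index must be 0, 1, 2 or 3")
        for name in ("aes_key_file", "pem_key_file"):
            if not opts.get(name):
                problems.append(name + " is required with E-Fuse keys")
    else:
        problems.append("key_source must be 0 or 1")
    return problems
```

Pass legacy_newline=True for ACE installations prior to 9.0. write_aes_key refuses to overwrite an existing file, so a key already written to eFuses cannot be silently replaced on disk.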
Programming the Encryption Keys into AC7t1500 eFuses
The following eFuse programming steps are a one-time process, as an eFuse can only be programmed once. These steps only need to be repeated if it is desired to write a new key value in an eFuse that was not previously programmed with encryption keys.
1. Apply power to the Speedster7t FPGA from a powered-off state or initiate an FCU reset by asserting the FCU_CONFIG_RSTN pin. Refer to the Speedster7t AC7t1500 Pin Table for the specific ball number.
2. Establish a JTAG connection. For detailed instructions on how to establish a JTAG connection and issue commands, please refer to the ACE User Guide (UG070).
3. If using the Achronix Default Keys, there is no need to use the following commands. If using your own E-Fuse Keys, issue the following commands in the ACE Tcl console with the AES and PEM key values.
   jtag::write_ecdsa_authentication_key_efuse $jtag_id <Public PEM key>
   jtag::write_aes_encryption_key_efuse $jtag_id <E-Fuse Key Index> <256-bit AES Encryption Key>
   - <Public PEM key> is the value in the my_eckey.pubkey.txt file generated in the first section with geneckey and the Athena key generator.
   - The <E-Fuse Key Index> and <256-bit AES Encryption Key> values are those set in the ACE options while encrypting a bitstream.
4. Reset the FPGA by cycling the power to the device.
Programming an AC7t1500 Encrypted Bitstream
After writing the eFuses, the encrypted bitstream can be programmed.
1. Establish a JTAG connection. For detailed instructions on how to establish a JTAG connection and issue commands, please refer to the ACE User Guide (UG070).
2. Program the encrypted bitstream using the following Tcl command with the -encrypted switch.
   ac7t1500::program_hex_file <path to bitstream> -encrypted
3. Verify the encrypted bitstream has been configured by checking that the FCU_CONFIG_USER_MODE ball is high, indicating that the device has transitioned into user mode.
   FCU_CONFIG_USER_MODE only transitions from 0 to 1 when the programmed encrypted bitstream is a full bitstream and not a stage 0 or partial reconfiguration. Refer to the Speedster7t AC7t1500 Pin Table for the specific ball number.
Additionally, VectorPath Card users can verify that the device is configured by reading the configuration status register in the BMC. To read the BMC on the VectorPath Card, it is necessary to install the BittWare software development kit. Refer to Where Can I Download the Software Development Kit for a VectorPath Card? for additional information. After installing the SDK, run the following command in the Tcl console:
bw_bmc_configure fpga
If the device has successfully configured and entered user mode, the console displays the following message:
FPGA Configuration: Configured Normal
FPGA Boot Source: User