UPGRADE YOUR BROWSER

We have detected your current browser version is not the latest one. Xilinx.com uses the latest web technologies to bring you the best online experience possible. Please upgrade to a Xilinx.com supported browser:Chrome, Firefox, Internet Explorer 11, Safari. Thank you!

cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Observer tamzid
Observer
2,289 Views
Registered: ‎12-29-2015

possible method of programming eFUSE key internally

Jump to solution

Hi,

Is it possible to store the AES decryption key in eFUSE using a design mapped onto the FPGA? 

I know that one can reprogram the FPGA through the ICAP. Using this access, could we also

have some mechanism to store the key onto the eFUSE? Information about any possible alternative would be helpful.

 

Thanks. 

Tags (2)
0 Kudos
1 Solution

Accepted Solutions
Xilinx Employee
Xilinx Employee
3,346 Views
Registered: ‎08-13-2007

Re: possible method of programming eFUSE key internally

Jump to solution

Which device family?

 

On UltraScale & UltraScale+, you can do this internally via MASTER_JTAG.

see here for details

http://www.xilinx.com/support/documentation/application_notes/xapp1283-internalprogramming-bbram-efuses.pdf

 

On previous families, you can do it from the FPGA (e.g. MicroBlaze or statemachine) but would need an external connection (e.g. board-level) back to the JTAG pins - which may not be ideal for a variety of reasons you might imagine.

5 Replies
Xilinx Employee
Xilinx Employee
3,347 Views
Registered: ‎08-13-2007

Re: possible method of programming eFUSE key internally

Jump to solution

Which device family?

 

On UltraScale & UltraScale+, you can do this internally via MASTER_JTAG.

see here for details

http://www.xilinx.com/support/documentation/application_notes/xapp1283-internalprogramming-bbram-efuses.pdf

 

On previous families, you can do it from the FPGA (e.g. MicroBlaze or statemachine) but would need an external connection (e.g. board-level) back to the JTAG pins - which may not be ideal for a variety of reasons you might imagine.

Observer tamzid
Observer
2,255 Views
Registered: ‎12-29-2015

Re: possible method of programming eFUSE key internally

Jump to solution
Thanks for your reply @barriet. This is helpful. There is no particular family that I am looking at currenctly. 
 

 

On previous families, you can do it from the FPGA (e.g. MicroBlaze or statemachine) but would need an external connection (e.g. board-level) back to the JTAG pins - which may not be ideal for a variety of reasons you might imagine.


Yes, I am trying to avoid this external communication because this provides an opportunity for probing. 

 

Do you think this feature will be available on futrure FPGA families? 

 

Thank you again.  

 

0 Kudos
Xilinx Employee
Xilinx Employee
2,247 Views
Registered: ‎08-13-2007

Re: possible method of programming eFUSE key internally

Jump to solution

Have physical access (the external PL->JTAG) to this loopback connection may not be a problem when the e-fuses are programmed in a secure area and there are other system level protections for fielded systems.

But we added the internal method to address some concerns here - you can do this now on US/US+ via the app note I mentioned.

 

For US/US+, we also have this which is likely the best place to start for security considerations:

https://www.xilinx.com/support/documentation/application_notes/xapp1098-tamper-resist-designs.pdf

and

http://www.xilinx.com/support/documentation/application_notes/xapp1267-encryp-efuse-program.pdf

 

for 7 series:

http://www.xilinx.com/support/documentation/application_notes/xapp1084_tamp_resist_dsgns.pdf

and

http://www.xilinx.com/support/documentation/application_notes/xapp1239-fpga-bitstream-encryption.pdf

 

and for ZU+ MPSoC:

http://www.xilinx.com/support/documentation/application_notes/xapp1323-zynq-usp-tamper-resistant-designs.pdf

http://www.xilinx.com/support/documentation/application_notes/xapp1320-isolation-methods.pdf

http://www.xilinx.com/support/documentation/application_notes/xapp1319-zynq-usp-prog-nvm.pdf

 

Lots of good resources here for security... ;)

Good luck.

Observer tamzid
Observer
2,180 Views
Registered: ‎12-29-2015

Re: possible method of programming eFUSE key internally

Jump to solution


@barriet wrote:

Have physical access (the external PL->JTAG) to this loopback connection may not be a problem when the e-fuses are programmed in a secure area and there are other system level protections for fielded.



If the FPGA is being programmed in an untrusted facility, what system level protection could be leveraged to secure the use of external JTAG for eFUSE programming?

 

Thanks for the resources. 

0 Kudos
Observer tamzid
Observer
1,822 Views
Registered: ‎12-29-2015

Re: possible method of programming eFUSE key internally

Jump to solution

Hi @barriet

it is mentioned in the XAPP1283 the internal programmability gives the opportunity to send the eFUSE key in encrypted form. (please see the snippet). Now where the decryption key of the eFUSE key would come from? Would that be initially transferred to the FPGA through the "secure key exchange function"? I believe it would be a custom protocol developed by the users themselves? Just wanted to make sure I understood.

keyExc.PNG
0 Kudos