
eFUSE AES key verification steps


eFUSE is one-time programmable, which means that once a fuse is blown with a particular key, it can never be programmed with another key.

eFUSE is used in a large number of production devices, typically in scenarios where customers want to supply AES-programmed FPGAs to their third-party vendors, which is why we are covering it here.

Issues have arisen in the past where users programmed the wrong eFUSE key, resulting in programming failure of the encrypted bitstream. In this scenario, there is no way to recover the eFUSE, as it is already blown.

Below are the AES key verification steps you should follow before physically programming the eFUSE key on the device.

1. Use EFUSE_TEST_MODE to test programming the AES key.

This will send the eFUSE programming software commands to the device but will NOT actually program any fuses.

2. To enable EFUSE_TEST_MODE, right-click on the server properties in the Hardware Manager and check the ‘EFUSE_TEST_MODE’ option as shown below:


3. Once the eFUSE key is programmed with EFUSE_TEST_MODE enabled, there should be a .nkz file created in the Vivado installation directory.

Check that the AES key is displayed correctly in the .nkz file.

4. If this is successful, uncheck the EFUSE_TEST_MODE box and physically program ONLY the AES key into the device.

Do not program any of the other control or security registers or the RSA. The .nkz file will be written again, but it should contain the same contents as before.

Verify that the contents of both .nkz files are the same.

5. If the contents of both .nkz files are the same, then program the encrypted bitstream file.

6. Verify the .nky and encrypted bitstream by running the below commands:

create_hw_bitstream -hw_device [current_hw_device ] -nky mtl1_c1.nky mtl1_c1.bit
verify_hw_devices -key efuse

Note: To clarify, in step 3, the same output .nkz file will be overwritten unless you change the .nkz file name in the eFUSE wizard. So, you should copy the first .nkz to another file or change the .nkz file name in the wizard for comparison of the files afterwards.

EFUSE_TEST_MODE is for verification only. If that programming test works, and you uncheck EFUSE_TEST_MODE and follow the same programming steps from the test, the correct AES key will be programmed into the device.

Do not program the control or security register bits while following the above steps. These bits can be set once the verification has completed successfully.
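
The checks in steps 3 to 5 can be scripted on the host so that the encrypted bitstream is only programmed when they all pass. The following is an added example, not code from the original article or from the Vivado tools. It assumes the .nky stores the key on a line of the form `Key 0 <64 hex digits>;` and that the .nkz shows the key as the same hex string; the function names and the demo files are hypothetical and constructed.

```python
import hashlib, re, shutil, tempfile
from pathlib import Path

# Assumption: the .nky stores the key as "Key 0 <64 hex digits>;" (or "Key0 ...").
NKY_KEY = re.compile(r"^\s*Key\s*0\s+([0-9A-Fa-f]{64})\s*;", re.MULTILINE)

def nky_aes_key(nky):
    """Return the 256-bit AES key from a .nky file as upper-case hex."""
    m = NKY_KEY.search(Path(nky).read_text())
    if m is None:
        raise ValueError(f"no 256-bit 'Key 0' entry in {nky}")
    return m.group(1).upper()

def snapshot(nkz, suffix=".testmode"):
    """Copy the test-mode .nkz aside before the real run overwrites it."""
    return Path(shutil.copy2(nkz, str(nkz) + suffix))

def shows_key(nkz, key_hex):
    """True if the key's hex digits appear in the .nkz (case/whitespace ignored).
    Assumption: the .nkz shows the key as the same hex string as the .nky."""
    text = re.sub(r"\s+", "", Path(nkz).read_text(errors="replace")).upper()
    return key_hex in text

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def preflight(nky, nkz_test, nkz_real):
    """Return a list of problems; an empty list means step 5 may proceed."""
    key, problems = nky_aes_key(nky), []
    for label, nkz in (("test-mode", nkz_test), ("programmed", nkz_real)):
        if not shows_key(nkz, key):
            problems.append(f"{label} .nkz does not show the .nky AES key")
    if sha256(nkz_test) != sha256(nkz_real):
        problems.append(".nkz files differ")
    return problems

def demo(real_key=None):
    """Run the gate on constructed files; real_key simulates a different key in the real run."""
    key = "0123456789ABCDEF" * 4                      # constructed, not a real key
    with tempfile.TemporaryDirectory() as d:
        nky, nkz = Path(d, "demo.nky"), Path(d, "demo.nkz")
        nky.write_text(f"Device demo;\nKey 0 {key};\n")  # constructed .nky
        nkz.write_text(f"AES key: {key}\n")              # constructed stand-in for a .nkz
        saved = snapshot(nkz)                             # taken after the test-mode run
        nkz.write_text(f"AES key: {real_key or key}\n")  # the real run rewrites the file
        return preflight(nky, saved, nkz)

if __name__ == "__main__":
    print(demo() or "OK: program the encrypted bitstream")
```

The script never prints the key itself, only whether the checks passed, so its output is safe to keep in a build log.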