ndnsoulja
Participant
Registered: ‎10-24-2018

Can I use the same AES-256 encryption key for all my builds?


I'm trying to encrypt my bitstream. I plan to use the eFUSE, which from my understanding is one-time use only. I'll have to encrypt my future builds with the same key. (Correct?)

I see Vivado will generate a .nky file with the encrypted bitstream. As I continue to debug my logic, will it generate a new .nky file with every bitstream?

I don't want a new key for each of my builds. Could I generate a key at the very beginning of my program (calling it main.nky), load it to the FPGA (eFUSE), and use this key (main.nky) from now on to encrypt my builds?


Accepted Solutions
thakurr
Moderator
Registered: ‎09-15-2016

Hi @ndnsoulja 

>>I'm trying to encrypt my bitstream. I plan to use the eFUSE, which from my understanding is one-time use only. I'll have to encrypt my future builds with the same key. (Correct?)

Yes, that is correct. In this case, programming a bitstream which is encrypted with some other key will lead to bitstream failure with the device getting locked.

>>I see Vivado will generate a .nky file with the encrypted bitstream. As I continue to debug my logic, will it generate a new .nky file with every bitstream?

Yes, it will create a new .nky file for every bitstream. Please note that if you explicitly specify the same key (like below) in the bitstream settings for each build, then the .nky file will be the same.

set_property BITSTREAM.ENCRYPTION.KEY0 256'h1234567812345678123456781234567812345678123456781234567812345678 [current_design]

But if you don't specify it explicitly, then the tool may create different keys for each run.

>>I don't want a new key for each of my builds. Could I generate a key at the very beginning of my program (calling it main.nky), load it to the FPGA (eFUSE), and use this key (main.nky) from now on to encrypt my builds?

You need to specify the below constraint for every new build, once you have created the .nky file with the first build:

set_property BITSTREAM.ENCRYPTION.KEYFILE <file_path>/test1.nky [current_design]

Regards
Rohit

mattwaltz
Adventurer
Registered: ‎06-05-2017

I would recommend reading what UG908 says, specifically the section "Generating Encrypted and Authenticated Files for UltraScale and UltraScale+": https://www.xilinx.com/support/documentation/sw_manuals/xilinx2017_1/ug908-vivado-programming-debugging.pdf

Anyway, to summarize, you generally want to store the .nky file on your hard disk, and then you can use the method described in UG908 to encrypt your bitstream with that same key.

Hope this helps!


ndnsoulja
Participant
Registered: ‎10-24-2018

@thakurr Thanks for the great reply! That helped a lot. But I do have a follow-up question. What about the StartIV0 that's produced in the .nky file? It's different with each build. Do I need to set the StartIV0 in the .xdc to what it is in the .nky (that's loaded into the eFUSE)?

thakurr
Moderator
Registered: ‎09-15-2016

Hi @ndnsoulja 

>>What about the StartIV0 that's produced in the .nky file? It's different with each build. Do I need to set the StartIV0 in the .xdc to what it is in the .nky (that's loaded into the eFUSE)?

You need not specify StartIV0 explicitly in the xdc file, as there is no security compromise in doing so. StartIV0 will always be different for each build with the same key. For your ease, you can make two runs with the same key and check whether StartIV0 is always different. It should always be different.

Regards
Rohit
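
The check suggested in the last reply (same key on every run, a different StartIV0 each time) can be automated in a build pipeline. The following is an added example, not part of the original thread and not Xilinx code; it assumes the .nky file is plain text with one `Name value;` entry per line and fields named Key0 and StartIV0, and the IV values and device name are constructed samples.

```python
import hmac
import re

# Sample key quoted in the thread; it is public, so never burn it into a device.
SAMPLE_KEY = "12345678" * 8

def make_nky(key, iv):
    """Constructed .nky text. The 'Name value;' layout is an assumption."""
    return f"Device example_part;\nKey0 {key};\nStartIV0 {iv};\n"

def parse_nky(text):
    """Return {field: value} for every 'Name value;' line (values lowercased)."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s+(\w+)\s*;\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2).lower()
    return fields

def check_builds(reference, builds):
    """reference: parsed .nky whose Key0 went into eFUSE.
    builds: {build name: parsed .nky}. Returns problems, never key material."""
    problems, seen_iv = [], {}
    for name, fields in builds.items():
        key, iv = fields.get("Key0"), fields.get("StartIV0")
        if key is None or iv is None:
            problems.append(f"{name}: Key0 or StartIV0 missing")
            continue
        if not re.fullmatch(r"[0-9a-f]{64}", key):
            problems.append(f"{name}: Key0 is not 256 bits of hex")
        elif not hmac.compare_digest(key, reference["Key0"]):
            problems.append(f"{name}: Key0 differs from the eFUSE key")
        if iv in seen_iv:
            problems.append(f"{name}: StartIV0 repeats {seen_iv[iv]}")
        else:
            seen_iv[iv] = name
    return problems

# Constructed IV values, for illustration only.
BUILD_1 = parse_nky(make_nky(SAMPLE_KEY, "000102030405060708090a0b"))
BUILD_2 = parse_nky(make_nky(SAMPLE_KEY, "a0a1a2a3a4a5a6a7a8a9aaab"))
BUILD_3 = parse_nky(make_nky("AB" * 32, "000102030405060708090a0b"))

if __name__ == "__main__":
    all_builds = {"build1": BUILD_1, "build2": BUILD_2, "build3": BUILD_3}
    for problem in check_builds(BUILD_1, all_builds):
        print(problem)
```

Running the check before programming a device catches a bitstream encrypted with the wrong key, which the accepted answer says fails to load once the eFUSE key is set.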