Securing Titanium Bitstreams

Titanium FPGAs have built-in security features to help you protect your intellectual property and to prevent tampering.
  • Encryption—Encrypt your bitstream using an AES-256 key.
  • Authentication—Sign your bitstream with an RSA-4096 private key.
  • JTAG Disable—Permanently disables all JTAG instructions except for those used to get device information.
  • JTAG Disable Efuse Only—Permanently disables the JTAG efuse instructions only.
Note: Refer to JTAG Command Support with Security Enabled for details on the JTAG disabling modes and which commands they support.

You use the following Efinity tools to implement these bitstream security features:

Table 1. Efinity Tools Used for Securing Bitstreams
Tool Used for
Create or specify an AES-256 key.
Create or specify an RSA-4096 private key.
Specify whether to disable JTAG.
Program the fuses in the Titanium FPGA with the AES-256 key and/or RSA certificate data.
After you blow the fuses with an RSA key, the FPGA only accepts a bitstream signed with the correct private key.
After you blow fuses with an AES-256 key, the FPGA only accepts a plaintext bitstream or a bitstream signed with the correct key.
Program the JTAG fuse to disable JTAG function.
Turn on bitstream encryption and/or authentication, and specify the .bin file created by the Bitstream Security Key Generator.
Turn on bitstream authentication and specify the private key (.pem) file to sign the bitstream.

Figure 1. Bitstream Authentication

The public key is derived from the private key; the .pem is essentially a private/public key pair. The private key only exists in the .pem. The software uses the private key to sign the bitstream, but the bitstream and fuses only contain public key information. The FPGA uses the public key to validate the bitstream's signature; the public key cannot be used to re-sign a modified bitstream.
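The sign/verify split described above, shown with generic OpenSSL RSA-4096 signatures as an added example. It is not Efinix code and does not reproduce the Efinity signing flow or the signature format the FPGA checks; the file names, helper functions and image bytes are constructed for illustration.

```shell
#!/bin/sh
# Added illustration of the sign/verify split using generic OpenSSL RSA-4096
# signatures over SHA-256. It does not reproduce the Efinity tools or the
# signature format the FPGA checks. File names and image bytes are constructed.
WORK=$(mktemp -d)

make_keypair() {    # $1: .pem to create (holds the private/public key pair)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out "$1" 2>/dev/null
}
export_public() {   # $1: private .pem  $2: public-only .pem to create
    openssl pkey -in "$1" -pubout -out "$2"
}
key_bits() {        # $1: public .pem; prints the modulus size in bits
    openssl pkey -pubin -in "$1" -noout -text |
        sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}
sign_image() {      # $1: key file  $2: image  $3: signature to create
    openssl dgst -sha256 -sign "$1" -out "$3" "$2" 2>/dev/null
}
verify_image() {    # $1: public .pem  $2: image  $3: signature
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

make_keypair "$WORK/sign.pem"
export_public "$WORK/sign.pem" "$WORK/pub.pem"
printf 'constructed stand-in for a bitstream\n' > "$WORK/image.bin"
sign_image "$WORK/sign.pem" "$WORK/image.bin" "$WORK/image.sig"

# A modified copy of the image, as held by someone without the private key.
cp "$WORK/image.bin" "$WORK/tampered.bin"
printf 'x' >> "$WORK/tampered.bin"

echo "key size: $(key_bits "$WORK/pub.pem") bits"
verify_image "$WORK/pub.pem" "$WORK/image.bin" "$WORK/image.sig" &&
    echo "original image: signature valid"
verify_image "$WORK/pub.pem" "$WORK/tampered.bin" "$WORK/image.sig" ||
    echo "tampered image: signature rejected"
# The verifier's copy of the key cannot produce a new signature.
sign_image "$WORK/pub.pem" "$WORK/tampered.bin" "$WORK/forged.sig" ||
    echo "public key alone: cannot re-sign"
```

The practical consequence is that the .pem is the only secret in the authentication flow: keep it off build machines that do not need to sign, and back it up, since a lost private key means no new bitstream can be signed for devices already fused with its public key information.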

Figure 2. Bitstream Encryption

Figure 3. Disabling JTAG

The following sections describe how to use each of these tools to enable security features.