Workflow for Using Security Features

This topic describes some of the potential workflows you might use when developing applications that include bitstream security. You do not have to use all of the bitstream security features simultaneously. You can enable them sequentially or only use some of the features if that suits your workflow.

This iterative process has two parts: blowing fuses and securing the bitstream.

Blowing Fuses Iteratively

You can blow fuses in any order, and blow only some of them in any iteration. For example, you can:

  1. Blow fuses for only AES-256.
  2. Blow fuses for only RSA authentication.
  3. Blow fuses for AES-256 after doing step 2.
  4. Blow fuses for RSA authentication after doing step 1.
  5. Blow fuses for both AES-256 and RSA authentication, but do not blow the JTAG fuse.
  6. Blow fuses for AES-256 and RSA authentication, and blow the JTAG fuse (an all-in mode where you turn on everything).
  7. Blow the JTAG fuse after doing steps 1, 2, 3, 4, or 5.

Important: Once you blow the JTAG fuse (steps 6 or 7), you cannot perform any further iterations!

Each time you want to blow fuses for a new iteration, you use the Efinity Bitstream Security Key Generator to create a new .svf file with the new options that you want to enable.

Important: Do not enable options that you have already turned on. For example, if you already blew the AES-256 fuses, do not try to blow them again.

Example 1: Blow Fuses for AES-256 First, Fuses for RSA Authentication Later

You already blew fuses for AES-256 and now you want to blow fuses for RSA authentication:

  1. Open the Efinity Bitstream Security Key Generator.
  2. Turn off the AES-256 Bitstream Encryption option.
  3. Turn on the RSA-4096 Asymmetric Bitstream Authentication option and generate or select a .pem.
  4. Click Generate to create a new .svf; discard the .bin file.
  5. Use the new .svf with the SVF Player to blow the RSA fuses; discard the .bin file.

Example 2: Blow Fuses for AES-256 and RSA Authentication First, Fuse for Disabling JTAG Later

You already blew fuses for AES-256 and RSA authentication and now you want to blow the JTAG fuse:

  1. Open the Efinity Bitstream Security Key Generator.
  2. Turn off the AES-256 Bitstream Encryption option.
  3. Turn off the RSA-4096 Asymmetric Bitstream Authentication option.
  4. Choose ON for JTAG Disabling.
  5. Click Generate to create a new .svf; discard the .bin file.
  6. Use the new .svf with the SVF Player to blow the JTAG fuse.

Securing Bitstreams Iteratively

You can secure the bitstream with encryption and/or authentication. When you enable either option (or both) in the Project Editor, you need to specify the .bin file you create with the Efinity Bitstream Security Key Generator.

Note: When working iteratively, you need to make sure that you use the same key data that you used in the previous iteration.

Example 3: Secure Bitstream for AES-256 First, RSA Authentication Later

You already enabled AES-256 and now you want to enable RSA authentication:

  1. Open the Efinity Bitstream Security Key Generator.
  2. Turn on the AES-256 Bitstream Encryption option and enter the key from the previous iteration (this is why you should save it).
  3. Turn on the RSA-4096 Asymmetric Bitstream Authentication option and generate or select a .pem.
  4. Click Generate to create a new .bin file; discard the .svf file.
  5. Specify the new .bin file in the Project Editor.
  6. Generate the bitstream.

Example 1 and Example 3 both start with AES-256 and later add RSA authentication. However, you turn off AES-256 for Example 1 and turn on AES-256 for Example 3. Therefore, you need to run the Efinity Bitstream Security Key Generator twice: the first time with settings for blowing fuses; the second time with settings for bitstream security.

Example 2 only blows the JTAG fuse, so you use the .svf file with the SVF Player and discard the .bin file.
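
The two Key Generator runs follow different rules: the fuse run enables only what is not yet blown, while the bitstream run enables everything in effect and reuses earlier key data. The sketch below is an added example, not part of the Efinity tools. The function, the group labels, and the assumption that bitstream settings mirror the fuse state are all hypothetical.

```python
FUSE_GROUPS = ("aes", "rsa", "jtag_disable")  # hypothetical labels, not tool identifiers


class PlanError(ValueError):
    """Raised when a requested iteration violates the fuse rules."""


def plan_iteration(blown, target):
    """Return (fuse_run, bitstream_run) option settings for one iteration.

    blown  -- fuse groups already blown on the device
    target -- fuse groups that should be blown once this iteration is done
    """
    blown, target = set(blown), set(target)
    unknown = (blown | target) - set(FUSE_GROUPS)
    if unknown:
        raise PlanError(f"unknown fuse group(s): {sorted(unknown)}")
    if "jtag_disable" in blown:
        raise PlanError("JTAG fuse is blown: no further iterations are possible")
    if not blown <= target:
        raise PlanError("target omits fuses that are already blown")

    # Fuse run (.svf kept, .bin discarded): enable only what is NOT yet blown.
    new = target - blown
    fuse_run = {g: g in new for g in FUSE_GROUPS} if new else None

    # Bitstream run (.bin kept, .svf discarded): enable every protection in
    # effect, and reuse the key data of anything enabled in an earlier iteration.
    # Assumption: the bitstream settings mirror the fuse state.
    protections = target & {"aes", "rsa"}
    bitstream_run = {
        "aes": "aes" in protections,
        "rsa": "rsa" in protections,
        "reuse_key_data_for": sorted(protections & blown),
    }
    return fuse_run, bitstream_run


if __name__ == "__main__":
    # Constructed inputs matching Examples 1/3 and Example 2 on this page.
    print(plan_iteration({"aes"}, {"aes", "rsa"}))
    print(plan_iteration({"aes", "rsa"}, {"aes", "rsa", "jtag_disable"}))
```

A fuse_run of None means nothing new needs to be blown, so only the bitstream run applies.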