Virtex-4 FPGA Configuration User Guide, UG071 (v1.12) June 2, 2017, www.xilinx.com

Chapter 1: Configuration Overview

Creating an Encrypted Bitstream

The Xilinx Bitstream Generator (BitGen, provided with the Xilinx ISE software) can generate encrypted as well as non-encrypted bitstreams. For AES bitstream encryption, the user specifies a 256-bit key as an input to BitGen. BitGen in turn generates an encrypted bitstream file (.bit) and an encryption key file (.nky).

For specific BitGen commands and syntax, refer to the Development System Reference Guide.

Loading the Encryption Key

The encryption key can only be programmed onto a Virtex-4 device through the JTAG interface. The iMPACT tool, provided with the Xilinx ISE software, can accept the .nky file as an input and program the device with the key through JTAG, using a supported Xilinx programming cable.

To program the key, the device enters a special key-access mode using the ISC_PROGRAM instruction, as detailed in the JTAG 1532 specification. In this mode, all FPGA memory, including the encryption key and configuration memory, is cleared. Once the key is programmed and the key-access mode is exited, it cannot be read out of the device by any means, and it cannot be reprogrammed without clearing the entire device. The key-access mode is transparent to most users.

Loading Encrypted Bitstreams

Once the device has been programmed with the correct encryption key, the device can be configured with an encrypted bitstream. After configuration with an encrypted bitstream, it is not possible to read the configuration memory through JTAG or SelectMAP readback, regardless of the BitGen security setting.

After loading the encryption key, a non-encrypted bitstream can be used to configure the device; in this case the key is ignored. After configuring with a non-encrypted bitstream, readback is possible (if allowed by the BitGen security setting). The encryption key still cannot be read out of the device, preventing the use of Trojan Horse bitstreams to defeat the Virtex-4 encryption scheme.

However, once an encrypted bitstream has been used to configure a device, the device cannot be reconfigured with a non-encrypted bitstream unless a full-chip reset is performed first by pulling the PROGRAM_B pin Low, cycling power, or issuing a JPROGRAM instruction. Additional encrypted reconfigurations can be performed.

The method of configuration is not affected by encryption. The configuration bitstream can be delivered in any mode (Serial, SelectMAP, or JTAG) from any configuration solution (PROM, System ACE™ tool, etc.). Configuration timing and signaling are unaffected by encryption.

The encrypted bitstream must configure the entire device, because partial reconfiguration through the external configuration interfaces is not permitted for encrypted bitstreams. After configuration, the device cannot be reconfigured without toggling the PROG pin, cycling power, or issuing the JTAG JSTART or JPROG instruction. Readback is available through the ICAP primitive (see “Bitstream Encryption and Internal Configuration Access Port (ICAP)”). None of these events resets the key if VBATT or VCCAUX is maintained.
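
The rules in this section can be checked as a small state model. The following is an added example, not Xilinx code; `Virtex4Model`, `leaking_sequences`, `DENIED` and the sample values are hypothetical names constructed for it. It assumes that a full-chip reset clears configuration memory, that a load with the wrong key simply fails, and that additional encrypted loads are accepted without a reset; ICAP readback is not modeled.

```python
from itertools import product

KEY, SECRET = "k" * 64, "protected-design"   # constructed placeholder values
DENIED = object()                            # returned when readback is refused

class Virtex4Model:
    def __init__(self):
        self.key, self.design, self.encrypted = None, None, False

    def program_key(self, key):
        # Key-access mode clears all FPGA memory, key and configuration included.
        self.key, self.design, self.encrypted = key, None, False

    def full_chip_reset(self, supply_maintained=True):
        # PROGRAM_B Low, power cycle or JPROGRAM clears the configuration; the
        # key survives while VBATT or VCCAUX is maintained.
        self.design, self.encrypted = None, False
        self.key = self.key if supply_maintained else None

    def configure(self, design, enc_key=None, partial=False):
        # Returns False when the modeled device rejects the load.
        if enc_key is None:      # non-encrypted: stored key ignored, but a device
            ok = not self.encrypted            # configured encrypted needs a reset
        else:                    # assumption: a wrong key makes the load fail
            ok = not partial and enc_key == self.key
        if ok:
            self.design, self.encrypted = design, enc_key is not None
        return ok

    def external_readback(self, bitgen_allows=True):
        # JTAG or SelectMAP readback; ICAP readback is outside this model.
        if self.encrypted or not bitgen_allows:
            return DENIED
        return self.design

def leaking_sequences(max_len=4):
    """Bounded search: operation orders after which external readback yields SECRET."""
    ops = [lambda d: d.configure(SECRET, enc_key=KEY),   # encrypted load
           lambda d: d.configure("probe-design"),        # non-encrypted load
           lambda d: d.full_chip_reset(),
           lambda d: d.program_key("0" * 64)]            # reprogram the key
    found = set()
    for seq in product(range(len(ops)), repeat=max_len):
        dev = Virtex4Model()
        dev.program_key(KEY)
        for i in seq:
            ops[i](dev)
            if dev.external_readback() == SECRET:        # checked after every step
                found.add(seq)
    return found
```

An empty result from `leaking_sequences()` means no ordering of the four modeled operations lets JTAG or SelectMAP readback return the encrypted design; the same model can be extended into a provisioning test plan for real boards.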