Virtex-4 FPGA Configuration User Guide www.xilinx.com 25UG071 (v1.12) June 2, 2017Bitstream EncryptionRA mismatch between the key in the encrypted bitstream and the key stored in the devicecauses configuration to fail with the INIT pin remaining High and the DONE pinremaining Low. A mismatch between the key and bitstream can result in a high current onV CCINT.Note:1. Do not use or monitor BUSY when loading an encrypted bitstream.2. SelectMAP-32 mode is not supported with encrypted bitstreams.Bitstream Encryption and Internal Configuration Access Port (ICAP)The Internal Configuration Access Port (ICAP) primitive provides the user logic withaccess to the Virtex-4 configuration interface. The ICAP interface is similar to theSelectMAP interface, although the restrictions on readback and reconfiguration for theSelectMAP interface do not apply to the ICAP interface after configuration. Users canperform readback and reconfiguration through the ICAP interface even if bitstreamencryption is used. Unless the designer wires the ICAP interface to user I/O, this does notoffer attackers a method for defeating the Virtex-4 AES encryption scheme. ICAP is notsupported with an encrypted bitstream in the LX, SX, and FX12 devices.Users concerned about the security of their design should not:• Wire the ICAP interface to user I/O-or-• Not instantiate the ICAP primitive.Like the other configuration interfaces, the ICAP interface does not provide access to thekey register.VBATTThe encryption key memory cells are volatile and must receive continuous power to retaintheir contents. During normal operation, these memory cells are powered by the auxiliaryvoltage input (V CCAUX ), although a separate V BATT power input is provided for retainingthe key after VCCAUX is removed. Because VBATT draws very little current (on the order ofnano amperes), a small watch battery is suitable for this supply. (To estimate the batterylife, refer to VBATT DC Characteristics in the Virtex-4 FPGA Data Sheet and the batteryspecifications.) At less than a 100 nA load, the endurance of the battery should be limitedonly by its shelf life.V BATT does not draw any current and can be removed while VCCAUX is applied. VBATTcannot be used for any purpose other than retaining the encryption keys when V CCAUX isremoved.