The Unpatchable Silicon: A Full Break of the Bitstream Encryption of Xilinx 7-Series FPGAs

Maik Ender*, Amir Moradi* and Christof Paar*†
*Horst Goertz Institute for IT Security, Ruhr University Bochum, Germany
†Max Planck Institute for Cyber Security and Privacy, Germany

Abstract

The security of FPGAs is a crucial topic, as any vulnerability within the hardware can have severe consequences, if they are used in a secure design. Since FPGA designs are encoded in a bitstream, securing the bitstream is of the utmost importance. Adversaries have many motivations to recover and manipulate the bitstream, including design cloning, IP theft, manipulation of the design, or design subversions e.g., through hardware Trojans. Given that FPGAs are often part of cyber-physical systems e.g., in aviation, medical, or industrial devices, this can even lead to physical harm. Consequently, vendors have introduced bitstream encryption, offering authenticity and confidentiality. Even though attacks against bitstream encryption have been proposed in the past, e.g., side-channel analysis and probing, these attacks require sophisticated equipment and considerable technical expertise.

In this paper, we introduce novel low-cost attacks against the Xilinx 7-Series (and Virtex-6) bitstream encryption, resulting in the total loss of authenticity and confidentiality. We exploit a design flaw which piecewise leaks the decrypted bitstream. In the attack, the FPGA is used as a decryption oracle, while only access to a configuration interface is needed. The attack does not require any sophisticated tools and, depending on the target system, can potentially be launched remotely. In addition to the attacks, we discuss several countermeasures.

1 Introduction

Nowadays, Field Programmable Gate Arrays (FPGAs) are common in consumer electronic devices, aerospace, financial computing, and military applications. Additionally, given the trend towards a connected world, data-driven practices, and artificial intelligence, FPGAs play a significant role as hardware platforms deployed in the cloud and in end devices. Hence, trust in the underlying platform for all these applications is vital. Altera, who are (together with Xilinx) the FPGA market leader, was acquired by Intel in 2015.

FPGAs are reprogrammable ICs, containing a repetitive logic area with a few hundred up to millions of reprogrammable gates. The bitstream configures this logic area; in analogy to software, the bitstream can be considered the 'binary code' of the FPGA. On SRAM-based FPGAs, which are the dominant type of FPGA in use today, the bitstream is stored on an external non-volatile memory and loaded into the FPGA during power-up.

In order to protect the bitstream against malicious actors, its confidentiality and authenticity must be assured. If an attacker has access to the bitstream and breaks its confidentiality, he can reverse-engineer the design, clone intellectual property, or gather information for subsequent attacks e.g., by finding cryptographic keys or other design aspects of a system. If the adversary succeeds in violating the bitstream authenticity, he can then change the functionality, implant hardware Trojans, or even physically destroy the system in which the FPGA is embedded by using configuration outside the specifications. These problems are particularly relevant since access to the bitstream is often effortlessly possible due to the fact that, for the vast majority of devices, it resides in external non-volatile memory, e.g., flash chips. This memory can often either be read out directly, or the adversary wiretaps the FPGA's configuration bus during power-up. Alternatively, a microcontroller can be used to configure the FPGA, and consequently, the microcontroller's firmware includes the bitstream. When the adversary gains access to the microcontroller, he also gains access to the configuration interface and the bitstream. Thus, if the microcontroller is connected to a network, remotely attacking the FPGA becomes possible.

In order to protect the design, the major FPGA vendors introduced bitstream encryption around the turn of the millennium, a technique which nowadays is available in most mainstream devices [1,56]. In this paper, we investigate the security of the Xilinx 7-Series and Virtex-6 bitstream encryption. On these devices, the bitstream encryption provides authenticity by using an SHA-256 based HMAC and also provides confidentiality by using CBC-AES-256 for encryption. By our attack, we can circumvent the bitstream encryption and decrypt an assumedly secure bitstream on all Xilinx 7-Series devices completely and on the Virtex-6 devices partially. Additionally, we are also able to manipulate the bitstream by adjusting the HMAC. Our attack setting in general is the same one as commonly encountered in mainstream practice: The adversary only needs access to the configuration interface of a fielded FPGA. In this setting, the secret decryption key has already been loaded into the FPGA, e.g., after device manufacturing, the key is stored in internal battery-backed RAM (BBRAM) or eFUSEs. As will be shown later, the adversary uses the FPGA with the stored key as an oracle to decrypt the bitstream.

According to recent business reports, Xilinx shares 50% of the FPGA market [16]. Also evident by Xilinx's annual report in 2018 [55], around 35% of their current revenue originates from the 7-Series (meanwhile, Virtex-6 devices are not stated independently in this report, but are veiled in the 50% revenue of all old generations). Thus, the 7-Series and Virtex-6 devices are a popular choice for a variety of FPGA designs, many of which are mission- or safety-critical. Besides, we note that similar to many other digital hardware devices, FPGAs have a lifespan of decades. Replacing legacy systems or using high-performance products therefore might turn out to be a costly and cumbersome undertaking. However, Xilinx's new UltraScale and UltraScale+ devices, which are the new (high-end) series and slowly replace the old ones, are not affected by our attack.

In this paper, we introduce two novel attacks against this Xilinx 7-Series bitstream encryption, which result in a total loss of authenticity and confidentiality. Furthermore, we discuss the implications of these attacks and suggest potential countermeasures. While our attacks chiefly target the Xilinx 7-Series, Virtex-6 devices are also vulnerable to our attack with the limitation that the first two bits of every 32-bit word are missing in the recovery process.

We communicated our findings to Xilinx in a vulnerability disclosure on 24 September 2019 and started cooperating on the issue: Xilinx quickly confirmed the vulnerability on 25 September and that there is no patch possible without changing the silicon. Coinciding with the publication of this paper, Xilinx plans to publish a design advisory that informs their customers of this vulnerability.

The paper is structured as follows: First, we give an executive summary of the attack. Then, we introduce the necessary background and related work in Section 2. In Section 3, we introduce the attack with all details, whereupon we validate the attack by a case study in Section 4. A discussion about the findings and countermeasures is given in Section 5.

[…] the bitstream encryption is disabled, this readout function is legitimately used for debugging the FPGA and its design.

In our attack, we manipulate the encrypted bitstream to redirect its (decrypted) content from the fabric to a configuration register. We then read out this configuration register, which holds the unencrypted bitstream data; the readout of the configuration register is not prevented even in the presence of an encrypted bitstream anyway.

For that purpose, we use the MultiBoot address register WBSTAR. This MultiBoot feature enables the FPGA to boot from a different memory address in order to update the FPGA safely, boot with different functionality or boot from a fallback bitstream with a working design. The MultiBoot feature uses the content of the WBSTAR register as the boot address in the attached non-volatile memory. Hence, the register is not cleared during a reset. We now manipulate the encrypted bitstream to write a single 32-bit word which is part of the encrypted bitstream to the WBSTAR register in decrypted form. The bitstream's manipulation exploits the malleability of the CBC mode of operation to alter the command in the bitstream which writes data to the WBSTAR configuration register. After the configuration with the encrypted bitstream, the FPGA resets, since it detects an invalid HMAC. We use the WBSTAR configuration register for the readout, because the reset procedure does not clear it. After the reset, we finally use a second bitstream to read out the WBSTAR register to uncover the decrypted bitstream word by word. In summary, the FPGA, if loaded with the encryption key, decrypts the encrypted bitstream and writes it for the attacker to the readable configuration register. Hence, the FPGA is used as a decryption oracle. The fact that only single 32-bit words can be uncovered in each iteration determines the duration of decrypting a whole bitstream: In our experiments, we are able to uncover a complete Kintex-7 XC7K160T bitstream in 3 hours and 42 minutes, for instance.

For the second attack, we can break the authenticity of the bitstream encryption. The attacker can use the decryption oracle to encrypt arbitrary messages due to the underlying CBC mode. They can build the CBC chain starting with the last block. For that, they encrypt a random message, use the CBC malleability, and calculate the ciphertext block to turn the plaintext into the intended value. The attacker repeats this process until the whole bitstream is encrypted. Since the HMAC key is stored in the encrypted bitstream and is not verified, the attacker can manipulate the HMAC tag as well.
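The CBC malleability that the summary above relies on, shown on a generic CBC construction as an added example (not code from the paper or from Xilinx): XORing a difference into ciphertext block i-1 changes plaintext block i by exactly that difference, while a tag over the ciphertext that is checked before any block is decrypted rejects the change. Assumptions: a toy Feistel cipher stands in for AES-256, and the keys, IV, 16-byte "commands" and the tag-before-decrypt check are constructed for illustration and are not the device's bitstream format or scheme.

```python
import hashlib, hmac
BLOCK = 16  # bytes; same block size as AES

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):  # round function of a toy Feistel cipher (stand-in for AES-256, NOT secure)
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def enc_block(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def dec_block(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    out = [iv]
    for i in range(0, len(pt), BLOCK):
        out.append(enc_block(key, _xor(pt[i:i + BLOCK], out[-1])))
    return b"".join(out[1:])

def cbc_decrypt(key, iv, ct):
    # P_i = D(C_i) XOR C_{i-1}: the previous ciphertext block is XORed in as-is
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(_xor(dec_block(key, c), p) for p, c in zip(blocks, blocks[1:]))

def tamper(ct, idx, known, wanted):
    # XOR (known ^ wanted) into ciphertext block idx-1 (idx >= 1):
    # plaintext block idx becomes `wanted`, block idx-1 decrypts to garbage
    start = (idx - 1) * BLOCK
    return ct[:start] + _xor(ct[start:start + BLOCK], _xor(known, wanted)) + ct[start + BLOCK:]

def decrypt_checked(enc_key, mac_key, iv, ct, tag):
    # Contrast case: tag over IV and ciphertext, verified before any decryption
    if not hmac.compare_digest(hmac.new(mac_key, iv + ct, hashlib.sha256).digest(), tag):
        raise ValueError("ciphertext modified; nothing decrypted")
    return cbc_decrypt(enc_key, iv, ct)

# Constructed sample data: keys, IV and "commands" are made up for this example
KEY, MAC_KEY, IV = b"k" * 32, b"m" * 32, bytes(BLOCK)
PT = b"HEADER-BLOCK-000" + b"WRITE REG-A DATA" + b"PAYLOAD-WORD-001"
CT = cbc_encrypt(KEY, IV, PT)
TAG = hmac.new(MAC_KEY, IV + CT, hashlib.sha256).digest()
FORGED = tamper(CT, 1, PT[16:32], b"WRITE REG-B DATA")
```

Decrypting `FORGED` with plain `cbc_decrypt` yields the altered second block and an unchanged third block, which is why a decryptor that acts on plaintext before its integrity check has completed can be steered block by block.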