A Full Break of the Bitstream Encryption of Xilinx 7-Series FPGAs

[llkiwi2006]

https://www.usenix.org/conference/usenixsecurity20/presentation/ender

3.5 Wrap-Up: What Went Wrong?

These two attacks show again that nowadays, cryptographic primitives hold their security assumptions, but their embedding in a real-world protocol is often a pitfall. Two issues lead to the success of our attacks: First, the decrypted data are interpreted by the configuration logic before the HMAC validates them. Generally, a malicious bitstream crafted by the attacker is checked at the end of the bitstream, which would prevent an altered bitstream content from running on the fabric. Nevertheless, the attack runs only inside the configuration logic, where the command execution is not secured by the HMAC.

Second, the HMAC key KHMAC is stored inside the encrypted bitstream. Hence, an attacker who can circumvent the encryption mechanism can read KHMAC and thus calculate the HMAC tag for a modified bitstream. Further, they can change KHMAC, as the security of the key depends solely on the confidentiality of the bitstream. The HMAC key is not secured by other means. Therefore, an attacker who can circumvent the encryption mechanism can also bypass the HMAC validation.

Epic fail by Xilinx?

[amyk]

Epic win for everyone else.

[brucehoult]

Epic win for everyone else.

Would love to be able to use Open Source tools on my Arty / Zynq boards!

[llkiwi2006]

Would love to be able to use Open Source tools on my Arty / Zynq boards!

There seems to be good progress on that with the SymbiFlow project, although not directly related to bitstream encryption. What we can get out of this is being able to modify / create custom bitstreams for products that employ bitstream encryption. Which I reckon is still a win for open source.

[asmi]

Would love to be able to use Open Source tools on my Arty / Zynq boards!

What does bitstream encryption have to do with OS tools? This is an optional feature which I'm yet to actually see used in the field.

[gnuarm]

I'm not sure I understand the significance of the second part, that the key is in the encrypted bit stream.  This key can only be read if you can "circumvent the encryption mechanism".  Isn't that the point?  If you can circumvent the encryption mechanism, do you care about the key?  I guess decrypting the bitstream "only" allows you to read the existing bit stream, while having the key lets you load a new one? 

[kmike]

1.: You can decrypt the whole bitstream and make clones of the device.

2.: If you can forge the HMAC, you can load a manipulated bitstream to the FPGA. This way you could install a backdoor, or change the program (in BRAM) of an instantiated CPU. If the manufacturer of the device using a compromised FPGA would use the same keys for all devices manufatured (very common...), you could make a malicous firmware update and install it where you can...

br,
kmike

[NorthGuy]

If you want the key, there's a different, older method, which involves sniffing current with EMI probe. This doesn't require access to JTAG pins. Once you have the key, you can build and sell any number of fake devices which will work with manufacturer's bitstreams, so they will be indistinguishable from the originals.