3.6 Digests

Digests are used for protecting data integrity. In PolarFire®, digests are used to protect the integrity of the user design programmed into the device as well as the programming files used for device programming. Digests are the result of the SHA-256 hash executed over the programmed device content. The resulting digest value is highly dependent on the device programming information and can be used with high confidence to determine a change in the content programmed into the device.

To assure the integrity of the user design programmed into the device, the device system controller generates digests, known as Component Digests, for each component in the device. These component digests are calculated and stored within the device during device programing. Multiple digests are calculated including factory and security segment digests, FPGA fabric component digest, sNVM and eNVM (for PolarFire SoC FPGA only) digests for pages marked as ROM. These digests can be verified on-demand by the user, either internally using a system service, or externally using a programming instruction. In addition, the user can automatically run digest checks on each power-up. These checks assure no device configuration changes occurred, either maliciously or naturally, since the component was last programmed. Any mismatch in the digests checks is an indication that the programmed content, currently residing in the device, does not match the content previously programmed into the device during device programming. The device must be reprogrammed to correct this mismatch.

The integrity of device programming bitstream files is also protected by digests. When the Libero® SoC design tool generates a programing bitstream file, a set of Bitstream Payload Digests are generated. These digests differ from the Component Digests. While the Bitstream Payload Digests are calculated over the component programing data and the meta data required to program the device, Component Digests include only the programmed data. When the programming bitstream file is generated by the Libero SoC design tool, the data for each component is hashed (SHA-256) and the resulting digest value is retained in an accompanying file along with the programming bitstream file.

During device programming the FPGA, flash cells are loaded with the programming file data and a Bitstream Payload Digest is calculated on the fly. This digest is compared to the Bitstream Payload Digest stored in the bitstream programming file to assure the device correctly received the bitstream programming file during the programming operation.

The following sections describe various options available to check digest. For more information about Digest Check System Services, see PolarFire FPGA and PolarFire SoC FPGA System Services User Guide.