Back-Level Protection (Bitstream Versioning)

The devices allow protection against a replay attack, where an earlier form of a bitstream (one perhaps with security vulnerabilities) may be reintroduced to gain information about a system. The user can assign a version number to each configuration bitstream, and add a back-level version using the Configure Programming Options, as shown in the following figure.

Figure 1. Setting Bitstream Version and Back Level Version

The back-level version value restricts the design version that the device accepts as an update. The Back Level version must be smaller than or equal to Design version. The back-level version number must be set higher than all of the (old) versions that the user wishes the device to reject. So, only (new) programming bitstreams with a Design version strictly greater than the current Back Level version stored on the device are allowed for programming. The new back-level version programmed along with an accepted bitstream affects any future bitstreams, and can be higher or lower than the back-level it overwrites, at the user's discretion. Back-level protection is secured by FlashLock/UPK1, which can be used to bypass it. The back-level protection must be enabled using the Configure Security Wizard > Update Policy as shown in the following figure. The Back Level version number is not programmed into the device if Back Level protection is disabled.

Figure 2. Back Level Protection