US12197581B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12197581-B2 |
| Application number | US-202017093572-A |
| Country | US |
| Kind code | B2 |
| Filing date | Nov 9, 2020 |
| Priority date | May 11, 2018 |
| Publication date | Jan 14, 2025 |
| Grant date | Jan 14, 2025 |
Official abstract text for this publication.
Systems and methods for provisioning secure programmable logic devices (PLDs) are disclosed. An example secure PLD provisioning system includes an external system comprising a processor and a memory and configured to be coupled to a secure PLD through a configuration input/output (I/O) of the secure PLD. The external system is configured to generate a locked PLD comprising the secure PLD based, at least in part, on a request from a secure PLD customer, wherein the request from the secure PLD customer comprises a customer public key; and to provide a secured unlock package for the locked secure PLD. The external system may also be configured to provide an authenticatable key manifest comprising a customer programming key token and a corresponding programming public key associated with the locked secure PLD, wherein the authenticatable key manifest is signed using a programming private key generated by the locked secure PLD.
Opening claim text (preview).
What is claimed is:

1. A secure programmable logic device (PLD) provisioning system, comprising: an external system comprising a processor and a memory and configured to be coupled to a secure PLD through a configuration input/output (I/O) of the secure PLD, wherein the memory comprises machine-readable instructions which when executed by the processor of the external system are adapted to cause the external system to perform a computer-implemented method comprising: generating a locked PLD comprising the secure PLD based, at least in part, on a request from a secure PLD customer, wherein the request from the secure PLD customer comprises a customer public key, wherein the generating comprises: providing the customer public key in the request from the secure PLD customer to a hardened security module (HSM) coupled to the external system, wherein the HSM is configured to generate a programming public key, a programming private key, and a programming secret in response to receiving the customer public key, receiving the programming private key, the programming secret, and an encrypted programming packet from the HSM, and providing the programming private key and the programming secret to the secure PLD; and providing a secured unlock package for the locked secure PLD, wherein the providing the secured unlock package for the locked secure PLD comprises providing the encrypted programming packet generated by the HSM to the secure PLD customer, wherein the encrypted programming packet comprises the programming secret that is encrypted using the customer public key and signed using the programming private key by the HSM, wherein the encrypted programming packet is configured for use by the secure PLD customer to generate an encrypted and signed configuration for the secure PLD.

2. The system of claim 1, wherein the generating the locked PLD comprises: generating a customer programming key token corresponding to the secure PLD customer or the request from the secure PLD customer by providing the customer public key in the request to the HSM coupled to the external system and receiving the customer programming key token generated by the HSM.

3. The system of claim 1, wherein the providing the secured unlock package for the locked secure PLD comprises: providing the encrypted programming packet generated by the HSM coupled to the external system to the secure PLD customer; and providing the programming public key generated by the HSM to the secure PLD customer.

4. The system of claim 1, wherein the computer-implemented method further comprises: providing an authenticatable locked PLD manifest comprising a trace ID and a corresponding device public key associated with the locked secure PLD, wherein the authenticatable locked PLD manifest is signed using the programming private key generated by the HSM coupled to the external system.

5. The system of claim 1, wherein the generating the locked PLD comprises: providing a customer programming key token to the HSM coupled to the external system; receiving the programming private key and the programming secret from the HSM and a device public key from the secure PLD; providing an initial programming image (IPI) configuration to the secure PLD; and programming a PLD fabric of the secure PLD according to the IPI configuration.

6. The system of claim 1, wherein the computer-implemented method further comprises: generating or receiving a protected configuration for the locked secure PLD; and programming the locked secure PLD according to the protected configuration; wherein the protected configuration comprises an application configuration and a feature configuration, each signed by an application private key associated with the secure PLD customer and encrypted by an application encryption key associated with the secure PLD customer, and a programming key digest comprising an encrypted and signed combination of an application public key, the application encryption key, and the programming secret generated by the HSM coupled to the external system.

7. The system of claim 1, further comprising: the secure PLD, wherein the secure PLD comprises a plurality of programmable logic blocks (PLBs) arranged in a PLD fabric of the secure PLD, a configuration engine configured to program the PLD fabric according to a configuration image stored in a non-volatile memory (NVM) of the secure PLD and/or coupled through the configuration I/O to the configuration engine, and a security engine configured to provide a plurality of security functions for the PLD fabric and/or the configuration engine, wherein the secure PLD is configured to perform a secure PLD-implemented method comprising: booting according to an initial programming image (IPI) configuration stored in the NVM and programmed into the PLD fabric; receiving a protected configuration through the configuration I/O, wherein the protected configuration comprises an application configuration and a feature configuration, each signed by an application private key associated with a secure PLD customer for the secure PLD and encrypted by an application encryption key associated with the secure PLD customer, and a programming key digest comprising an encrypted and signed combination of an application public key, the application encryption key, and the programming secret generated by the HSM coupled to the external system; decrypting and authenticating the programming key digest using the programming private key stored in the NVM and the application public key; verifying the programming secret from the programming key digest matches a programming secret stored in the NVM; decrypting and authenticating the application configuration and the feature configuration using the application encryption key and the application public key from the programming key digest; erasing the IPI configuration from the PLD fabric; and programming the PLD fabric according to the decrypted and authenticated application configuration and one or more portions of the NVM according to the decrypted and authenticated feature configuration.

8. A secure programmable logic device (PLD) provisioning system, comprising: a secure PLD, wherein the secure PLD comprises a non-volatile memory (NVM), a plurality of programmable logic blocks (PLBs) arranged in a PLD fabric of the secure PLD, a configuration engine configured to program the PLD fabric according to a configuration image stored in the NVM of the secure PLD and/or a NVM coupled through a configuration input/output (I/O) of the secure PLD to the configuration engine, and a security engine configured to provide a plurality of security functions for the PLD fabric and/or the configuration engine, wherein the secure PLD is configured to perform a computer-implemented method comprising: booting according to an initial programming image (IPI) configuration stored in the NVM and programmed into the PLD fabric, receiving a protected configuration through the configuration I/O, wherein the protected configuration comprises an application configuration and a feature configuration, each signed by an application private key associated with a secure PLD customer for the secure PLD and encrypted by an application encryption key associated with the secure PLD customer, and a programming key digest comprising an encrypted and signed combination of an application public key, the application encryption key, and a programming secret generated by a hardened security module (HSM), decrypting and authenticating the programming key digest using a programming private key stored in the NVM and the application public key, decrypting and authenticating the application configuration and the feature configuration using the application encryption key and the app
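
The encrypted programming packet recited in claim 1 (programming secret encrypted to the customer public key, then signed with the programming private key) can be sketched as follows; this is an added illustration, not code from the patent or its assignee. The claims name no algorithms, so RSA-OAEP, RSA-PSS, the key and secret sizes, the packet layout, and every function name here are assumptions, and the third-party Python `cryptography` package is required.

```python
import hmac
import os
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Assumed algorithm choices; the claims do not specify any.
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()),
                  salt_length=padding.PSS.MAX_LENGTH)

def new_rsa_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)

def hsm_generate(customer_public_key):
    """HSM role: programming key pair, programming secret, signed packet."""
    programming_private = new_rsa_key()
    programming_secret = os.urandom(32)
    ciphertext = customer_public_key.encrypt(programming_secret, OAEP)
    signature = programming_private.sign(ciphertext, PSS, hashes.SHA256())
    packet = {"ciphertext": ciphertext, "signature": signature}
    return programming_private, programming_secret, packet

def customer_open(packet, customer_private_key, programming_public_key):
    """Customer role: authenticate the packet, then recover the secret.

    Returns None when the signature does not verify.
    """
    try:
        programming_public_key.verify(packet["signature"],
                                      packet["ciphertext"],
                                      PSS, hashes.SHA256())
    except InvalidSignature:
        return None
    return customer_private_key.decrypt(packet["ciphertext"], OAEP)

def demo():
    """Constructed run: one genuine packet and one with a swapped ciphertext."""
    customer_private = new_rsa_key()
    customer_public = customer_private.public_key()
    prog_private, secret, packet = hsm_generate(customer_public)
    prog_public = prog_private.public_key()
    recovered = customer_open(packet, customer_private, prog_public)
    # The customer public key is public, so encryption alone authenticates
    # nothing: a substituted ciphertext decrypts fine and only the
    # signature check rejects it.
    swapped = dict(packet, ciphertext=customer_public.encrypt(os.urandom(32), OAEP))
    rejected = customer_open(swapped, customer_private, prog_public)
    return hmac.compare_digest(recovered, secret), rejected
```

The swapped-ciphertext case shows why the claim pairs encryption with a signature: the customer needs the programming public key (claim 3) to tell an HSM-issued secret from one supplied by anyone who knows the customer public key.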
License processing; Key processing · CPC title
Details relating to cryptographic hardware or logic circuitry · CPC title
using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM] · CPC title
Secret sharing or secret splitting, e.g. threshold schemes · CPC title
using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates · CPC title