What bitstream is the FPGA currently configured with? The one in flash? Really? What's to say the bitstream made it to the FPGA correctly? Can you tell? What if it reconfigured itself [1]?
There's some research [2] into using authenticated, encrypted bitstreams, but even if the implementation matches the theory (and after all, it's crypto, we know how that goes...) this only reaches the same level of security as a fixed-configuration ASIC, since FPGAs are vulnerable to the same nefarious fab attacks as ASICs.
FPGA bitstreams are big, sometimes even big enough that you couldn't fit another bitstream in hardware anywhere. What's more, making even a small change to the bitstream and re-synthesising tends to completely change how the design is laid out in hardware - so launching an attack that targets a specific bitstream, like most of the obvious nefarious-fab attacks, isn't much good.
There's some research [2] into using authenticated, encrypted bitstreams, but even if the implementation matches the theory (and after all, it's crypto, we know how that goes...) this only reaches the same level of security as a fixed-configuration ASIC, since FPGAs are vulnerable to the same nefarious fab attacks as ASICs.
1: http://www.cmpe.boun.edu.tr/caslab/publications/selfreconf_f...
2: http://www.saardrimer.com/sd410/papers/bsauth.pdf