AN 556: Using the Design Security Features in Intel FPGAs

Download PDF
ID 683269
Date 5/21/2021
Public
Document Table of Contents
Document Table of Contents x
Using the Design Security Features in Intel® FPGAs
Using the Design Security Features in Intel® FPGAs x
Overview of the Design Security Feature Hardware and Software Requirements Steps for Implementing a Secure Configuration Flow Steps to Enable Tamper-Protection Bit Programming Supported Configuration Schemes Security Mode Verification Serial Flash Loader Support with Encryption Enabled Serial Flash Loader Support with Encryption Enabled for Single FPGA Device Chain JTAG Secure Mode for 28-nm and 20-nm FPGAs Document Revision History for AN 556: Using the Design Security Features in Intel® FPGAs
Overview of the Design Security Feature x
Security Encryption Algorithm Non-Volatile and Volatile Key Storage Key Programming Intel® Arria® 10 and Intel® Cyclone® 10 GX Qcrypt Security Tool
Intel® Arria® 10 and Intel® Cyclone® 10 GX Qcrypt Security Tool x
Using Qcrypt Tool Qcrypt Tool Options Security Levels of Qcrypt Tool Security Option
Hardware and Software Requirements x
Hardware Requirements Software Requirements
Steps for Implementing a Secure Configuration Flow x
Step 1: Generating .ekp File and Encrypting Configuration File Step 2a: Programming Volatile Key into the FPGAs Step 2b: Programming Non-Volatile Key into the FPGAs Step 3: Configuring the 40-nm, 28-nm, or 20-nm FPGAs with Encrypted Configuration Data
Step 1: Generating .ekp File and Encrypting Configuration File x
Generating Single-Device .ekp File and Encrypting Configuration File using Intel® Quartus® Prime Software Generating Single-Device .ekp File and Encrypting Configuration File using Command-Line Interface in Intel® Quartus® Prime Software Generating Multi-Device .ekp File and Encrypting Configuration File using Intel® Quartus® Prime Software
Step 2b: Programming Non-Volatile Key into the FPGAs x
Programming Volatile or Non-Volatile Key using Intel® FPGA Ethernet Cable and Intel® Quartus® Prime Software Programming Single-Device Volatile or Non-Volatile Key using Intel® Quartus® Prime Software Programming Single-Device Volatile or Non-Volatile Key using the Command-Line Interface in Intel® Quartus® Prime Software Programming Multi-Device Volatile or Non-Volatile Key using Intel® Quartus® Prime Software Programming Multi-Device Volatile or Non-Volatile Key using the Command-Line Interface in Intel® Quartus® Prime Software Programming Key using JTAG Technologies
Security Mode Verification x
Verification During JTAG Secure Mode
JTAG Secure Mode for 28-nm and 20-nm FPGAs x
Internal JTAG Interface Design Example for JTAG Secure Mode
Design Example for JTAG Secure Mode x
Design Example Intel® Quartus® Prime Design Components LOCK and UNLOCK JTAG Instructions Verifying JTAG Secure Mode
Using the Design Security Features in Intel® FPGAs

Using the Design Security Features in Intel® FPGAs

This application note describes how you can use the design security features in Intel® 40-, 28- and 20-nm FPGAs to protect your designs against unauthorized copying, reverse engineering, and tampering of your configuration files. This application note provides the hardware and software requirements for the 40-, 28- and 20-nm FPGAs design security features. This application note also provides steps for implementing secure configuration flow.

Note: This application note uses the term "40-nm","28-nm" or "20-nm" FPGAs. The following table lists the supported FPGAs and its applicable devices.
Table 1.  Supported FPGAs
FPGA Devices
40 nm Arria® II and Stratix® IV
28 nm Arria® V, Cyclone® V, and Stratix® V
20 nm Intel® Arria® 10 and Intel® Cyclone® 10 GX

In the commercial and military environments, design security is an important consideration for digital designers. As FPGAs start to play a role in larger and more critical system components, it is important to protect the designs from unauthorized copying, reverse engineering, and tampering. Intel FPGAs address these concerns by encrypting their configuration bitstreams with the 256-bit Advanced Encryption Standard (AES) algorithm.

Table 2.  AES Modes in Supported Intel® FPGAs
FPGA AES Mode
40 nm Counter Mode (CTR)
28 nm Cipher-block chaining (CBC)
20 nm CTR and keyed-hash message authentication code (HMAC)

During device operation, FPGAs store configuration data in SRAM configuration cells. Because SRAM memory is volatile, the SRAM cells must be loaded with configuration data each time the device powers up. Configuration data is typically sent from an external memory source, such as a flash memory or a configuration device, to the FPGA. It is possible to intercept the configuration data when it is being sent from the memory source to the FPGA. If the configuration data were not encrypted, you could use the intercepted configuration data to configure another FPGA.

Intel FPGAs offer both volatile and non-volatile key storage. The key is stored in FPGAs when using the design security feature. Depending on the security mode, you can configure the FPGAs with a configuration file that is encrypted with the same key, or for board testing, configure with a normal configuration file.

The design security feature is available when configuring the FPGAs with fast passive parallel (FPP) configuration scheme with an external host (such as a MAX® II or MAX V device or microprocessor) or when using active serial (AS) or passive serial (PS) configuration schemes.


Section Content
Overview of the Design Security Feature
Hardware and Software Requirements
Steps for Implementing a Secure Configuration Flow
Steps to Enable Tamper-Protection Bit Programming
Supported Configuration Schemes
Security Mode Verification
Serial Flash Loader Support with Encryption Enabled
Serial Flash Loader Support with Encryption Enabled for Single FPGA Device Chain
JTAG Secure Mode for 28-nm and 20-nm FPGAs
Document Revision History for AN 556: Using the Design Security Features in Intel FPGAs

Related Information
Level Two Title