Visible to Intel only — GUID: bhc1410500756183
Ixiasoft
Overview of the Design Security Feature
Hardware and Software Requirements
Steps for Implementing a Secure Configuration Flow
Steps to Enable Tamper-Protection Bit Programming
Supported Configuration Schemes
Security Mode Verification
Serial Flash Loader Support with Encryption Enabled
Serial Flash Loader Support with Encryption Enabled for Single FPGA Device Chain
JTAG Secure Mode for 28-nm and 20-nm FPGAs
Document Revision History for AN 556: Using the Design Security Features in Intel® FPGAs
Generating Single-Device .ekp File and Encrypting Configuration File using Intel® Quartus® Prime Software
Generating Single-Device .ekp File and Encrypting Configuration File using Command-Line Interface in Intel® Quartus® Prime Software
Generating Multi-Device .ekp File and Encrypting Configuration File using Intel® Quartus® Prime Software
Programming Volatile or Non-Volatile Key using Intel® FPGA Ethernet Cable and Intel® Quartus® Prime Software
Programming Single-Device Volatile or Non-Volatile Key using Intel® Quartus® Prime Software
Programming Single-Device Volatile or Non-Volatile Key using the Command-Line Interface in Intel® Quartus® Prime Software
Programming Multi-Device Volatile or Non-Volatile Key using Intel® Quartus® Prime Software
Programming Multi-Device Volatile or Non-Volatile Key using the Command-Line Interface in Intel® Quartus® Prime Software
Programming Key using JTAG Technologies
Visible to Intel only — GUID: bhc1410500756183
Ixiasoft
Generating Single-Device .ekp File and Encrypting Configuration File using Intel® Quartus® Prime Software
To generate a single device .ekp file and encrypt your configuration file, follow these steps:
- Obtain a license file to enable the design security feature from Intel® FPGA Technical Support.
- Start the Intel® Quartus® Prime software.
- On the Tools menu, click License Setup. The Options dialog box displays the License Setup options.
- In the License file field, enter the location and name of the license file, or browse to and select the license file.
- Click OK.
- Compile your design with one of the following options:
- On the Processing menu, click Start Compilation.
- On the Processing menu, point to Start and click Start Assembler.
An unencrypted SRAM Object File (.sof) is generated. - On the File menu, click Convert Programming Files. The Convert Programming Files dialog box appears.
- In the Convert Programming Files dialog box, select the programming file type from the Programming file type list.
- If applicable, select the appropriate configuration device from the Configuration device list.
- Select the mode from the Mode list.
- Type the file name in the File name field, or browse to and select the file.
- Under the Input files to convert section, click SOF Data.
- Click Add File to open the Select Input File dialog box.
- Browse to the unencrypted SOF file and click Open.
- Under the Input files to convert section, select- the SOF file name. The field is highlighted.
- Click Properties. The SOF Files Properties: Bitstream Encryption dialog box appears.
- In the SOF Files Properties: Bitstream Encryption dialog box, turn on Generate encrypted bitstream.
- Turn on Generate key programming file and type the .ekp file path and file name in the text area, or browse to and select <filename>.ekp .
- Additional step for 20-nm FPGAs only: Turn on Enable volatile security key check box to encrypt the .sof file with volatile security key or turn it off to use non-volatile security key.
- Additional step for 20-nm FPGAs only: Turn on Generate encryption lock file and insert the .qlk file path and file name in the text area, or browse to the desired <filename>.qlk.
- Add the keys to the pull-down list either with a .key file or the Add button. The Add and Edit buttons bring up the Key Entry dialog box. The Delete button deletes the currently selected key from the pull-down list.
Note: 40-nm FPGAs require entry of two 256-bit keys. The encryption derived from a combination of the two 256-bit keys. 28-nm and 20-nm FPGAs require entry of a single 256-bit key. The final encryption key is derived using a one-way function.Using the .key file option allows you to specify one or two key files in the corresponding drop-down box. You may use different files for the Key 1 and Key 2 fields, or use one .key file for both.The .key file is a plain text file in which each line represents a key unless the line starts with "#". The "#" symbol is used to denote comments. Each valid key line has the following format: <key identity><white space><256-bit hexadecimal key>.
# This is an example key file key1 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF key2 ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789
The key identity is an alphanumeric name that is used to identify the keys (similar to the key file entry). The key is also the text displayed when the Show entered keys button is turned off. It is displayed together with the full key when Show entered keys is turned on.You can save the keys in the pull-down list to a .key file. You must click the corresponding Save button to save a key and to display the standard File dialog box. All keys in the pull-down list are saved to the selected or created .key file.Select the Key Entry Method to enter the encryption key either with the on-screen keypad or keyboard.The on-screen keypad allows you to enter the keys using the keypad. Select a key and click on the on-screen keypad to enter values. You have the option of allowing the keys to be shown as they are entered. If you use this option, you do not need to confirm the keys.While the on-screen keypad is being used, any attempt to use the keyboard to enter the keys generates a pop-up notification and the key press is ignored. Alternatively, you can enter the encryption key from the keyboard.- Read the design security feature disclaimer. If you agree to and acknowledge the design security feature disclaimer, turn on the acknowledgment box.
- Click OK.
- Additional step for 20-nm FPGAs only: Under Security Options, select the level from the Disable external partial reconfiguration list.
- Additional step for 20-nm FPGAs only: Under Security Options, select the level from the Disable key-related JTAG instructions list.
- Additional step for 20-nm FPGAs only: Under Security Options, select the level from the Disable other extended JTAG instructions list.
- In the Convert Programming Files dialog box, click OK. The <filename>.ekp and encrypted configuration file are generated in the same project directory.
- On the Tools menu, click Programmer. The Programmer dialog box appears.
- In the Mode list, select JTAG as the programming mode.
- Click Hardware Setup. The Hardware Setup dialog box appears.
- In the currently selected hardware list, select Intel® FPGA Ethernet Cable as the programming hardware.
- Click Done.
- Click Add File. The Select Programmer File dialog box appears.
- Type <filename>.ekp in the File name field.
- Click Open.
- Highlight the .ekp file you added and click Program/Configure.
- On the File menu, point to Create/Update and click Create JAM, SVF, or ISC File. The Create JAM, SVF, or ISC File dialog box appears.
- Select the file format required (JEDEC STAPL Format [.jam]), for the .ekp file in the File format field.
- Type the file name in the File name field, or browse to and select the file.
- Click OK to generate the .jam file.
- On the Tools menu, click Programmer Options. The Programmer Options dialog box appears.
Note: For non-volatile secure design feature, you must turn off the Configure volatile design security key option to generate a non-volatile .svf file of the .ekp file.
- Click OK.
- Repeat steps 15 to 17 to generate a .svf file of the .ekp file. Use the default setting in the Create JAM, SVF, or ISC File dialog box when generating a .svf file of the .ekp file.