AN 556: Using the Design Security Features in Intel FPGAs
ID: 683269
Date: 5/21/2021
Public
Overview of the Design Security Feature
The design security feature for Intel FPGAs protects against unauthorized copying, reverse engineering, and tampering. The following table lists some of the design approaches to make the solution secure.
The 20-nm FPGAs have additional security features that you can enable by burning a fuse, or by setting an option bit in the configuration bit-stream by using the stand-alone Qcrypt tool or the Intel® Quartus® Prime Convert Programming File tool. Tamper-protection bit and JTAG Secure mode can be enabled separately in 20-nm FPGAs only.
Design Security Element | 40-nm FPGA | 28-nm FPGA (1) |
---|---|---|
Non-Volatile Key | The non-volatile key is securely stored in fuses within the device. Proprietary security features make it difficult to determine this key. | Same as 40-nm FPGA. |
Volatile Key | The volatile key is securely stored in battery-backed RAM within the device. Proprietary security features make it difficult to determine this key. | Same as 40-nm FPGA. |
Key Generation | Two user-provided 256-bit strings are processed to generate a 256-bit key that is programmed into the device. | A user-provided 256-bit key is processed by a one-way function before being programmed into the device. |
Key Choice | You can set only one security key type (non-volatile key or volatile key) in the device. | Same as 40-nm FPGA. |
Tamper Protection Mode | Tamper protection mode prevents the FPGA from being loaded with an unencrypted configuration file. When you enable this mode, the FPGA can only be loaded with a configuration that has been encrypted with your key. Unencrypted configurations and configurations encrypted with the wrong key result in a configuration failure. You can enable this mode by setting a fuse within the device. | Same as 40-nm FPGA. |
Configuration Readback | These devices do not support a configuration readback feature, which makes readback of your unencrypted configuration data infeasible. | Same as 40-nm FPGA. |
Design Security Element | Description |
---|---|
Non-Volatile key | The non-volatile key is securely stored in fuses within the device. Proprietary security features make it difficult to determine this key. |
Volatile Key | The volatile key is securely stored in battery-backed RAM within the device. Proprietary security features make it difficult to determine this key. |
Key Generation | A user-provided 256-bit key is processed by a one-way function before being programmed into the device. |
Key Choice | Both volatile and non-volatile keys can exist in a device. You can choose which key to use by setting the option bits in the encrypted configuration file through the Convert Programming File tool or the Qcrypt tool. |
Tamper Protection Mode | Tamper protection mode prevents the FPGA from being loaded with an unencrypted configuration file. When you enable this mode, the FPGA can only be loaded with a configuration that has been encrypted with your key. Unencrypted configurations and configurations encrypted with the wrong key result in a configuration failure. You can enable this mode by setting a fuse within the device. |
Configuration Readback | These devices do not support a configuration readback feature. From a security perspective, this makes readback of your unencrypted configuration data infeasible. |
Security Key Control | By using different JTAG instructions and the security option in the Qcrypt tool, you have the flexibility to permanently or temporarily disable the use of the non-volatile or volatile key. You can also choose to lock the volatile key to prevent it from being overwritten or reprogrammed. |
JTAG Access Control | You can enable various levels of JTAG access control by setting the OTP fuses or option bits in the configuration file using the Qcrypt tool: |
Note: For additional details on these and other security features, contact Intel FPGA Technical Support.
(1) When you enable the tamper-protection bit in 28-nm FPGAs, the device is in the JTAG secure mode.
(2) Intel® Cyclone® 10 GX does not support force full configuration or partial configuration through HPS and HPS JTAG Bypass.