Security Mode Verification
Intel FPGAs support the KEY_VERIFY JTAG instruction that allows you to verify the existing security mode of the device. To check if you have successfully programmed the volatile key, use the .jam files to automate the security mode verification steps.
JTAG Instruction | Instruction Code | Description |
---|---|---|
KEY_VERIFY | 00 0001 0011 | Connects the key verification scan register between TDI and TDO. |
The KEY_VERIFY JTAG instruction allows you to read out the information on the security features that are enabled on the chip. This instruction scans out associated bit values.
Security Mode | Supported Device | Bit 0 | Bit 1 | Bit 2 | Bit 3 | Bit 4 | Bit 5 |
---|---|---|---|---|---|---|---|
No key | Arria® II GX | 0 | 0 | 0 | 0 | 0 | 0 |
|
0 | 0 | 0 | 0 | X | X | |
Volatile key | Arria® II GX | 1 | 0 | 0 | 0 | 0 | 0 |
|
1 | 0 | 0 | 0 | X | X | |
Volatile key with tamper protection | Arria® II GX | 1 | 0 | 0 | 0 | 1 | 0 |
|
X | X | X | X | X | X | |
Non-volatile key | Arria® II GX | 0 | 1 | 0 | 1 | 0 | 0 |
|
0 | 1 | 0 | 1 | X | X | |
Non-volatile key with tamper protection bit | Arria® II GX | 0 | 1 | 1 | 1 | 0 | 0 |
|
0 | 1 | 1 | 1 | X | X |
Security Mode | Bit 0 | Bit 1 | Bit 2 | Bit 3 | Bit 4 | Bit 5 | Bit 6 | Bit 7 | Bit 8 |
---|---|---|---|---|---|---|---|---|---|
No key | 0 | 0 | 0 | 0 | 0 | X | X | X | X |
Volatile key | 1 | 0 | 0 | 0 | 0 | X | X | X | X |
Volatile key with tamper protection 14 | 1 | 0 | 0 | 0 | 1 | X | X | X | X |
Non-volatile key | 0 | 1 | 0 | 1 | 0 | X | X | X | X |
Non-volatile key with tamper protection bit 14 | 0 | 1 | 1 | 1 | 0 | X | X | X | X |
Bit | Security Feature or Settings | Description | Active value |
---|---|---|---|
0 | Volatile Key | This bit is set when a volatile key has been successfully programmed into the device. |
1 |
1 | Attempt Non-volatile Key Programming | This bit is set to indicate that someone attempted to burn a non-volatile key in the OTP fused. | 1 |
2 | Disable Non-volatile Key | This bit is set to disable use of the volatile key. | 1 |
3 | Non-volatile Key | This bit is set to indicate that someone has successfully burned a non-volatile key into the OTP fuses. | 1 |
4 | Tamper Protection | This bit is set when FPGA is in Tamper Protection mode with either Non-volatile or Volatile key. | 1 |
5 | Don’t Care | Don’t Care. | X |
6 | Volatile Key Lock | This bit is set to prevent the volatile key from being reprogrammed from external JTAG. | 1 |
7 - 10 | Don’t Care | Don’t Care. | X |
11 15 | Force Configuration from HPS only | This bit is set when configuration is allowed from HPS only. | 1 |
12 | External JTAG Bypass | This bit is set to indicate that external JTAG is disabled. | 1 |
13 16 | HPS JTAG Bypass | This bit is set to indicate that HPS JTAG is disabled. | 1 |
14 17 | Disable Partial Reconfiguration and Scrubbing | This bit is set to indicate that external PR and external scrubbing (including HPS PR and HPS scrubbing) are disabled. | 1 |
15 | Disable Volatile Key | This bit is set to indicate that the volatile key is disabled. | 1 |
16 | Don’t Care | Don’t Care. | X |
17 | Disable Key Related JTAG Instructions | This bit is set to indicate that external JTAG access to all key-related JTAG instructions is disabled. | 1 |
18 | JTAG Secure Mode | This bit is set to indicate that only mandatory JTAG instructions are allowed to be externally accessed. | 1 |
19 | Don’t Care | Don’t Care. | X |
20 | Volatile Key Clear | This bit is set when the volatile key is successfully cleared from the device. |
1 |
The following examples show the .jam files to verify the FPGAs security modes. The example .jam files are only applicable to single FPGA device in a JTAG chain. For SoC devices, add the following statements before the IRSCAN command.
PREIR 4;
PREDR 1;
JAM File for 40-nm FPGAs (Arria II GX Devices)
STATE RESET;
STATE IDLE;
'Security Mode Identification
BOOLEAN verify_reg[6];
IRSCAN 10, $013;
WAIT 100 USEC;
DRSCAN 6, $0, CAPTURE verify_reg[5..0];
JAM File for 40-nm FPGAs (Arria II GZ and Stratix IV Devices)
STATE RESET;
STATE IDLE;
'Key Verification
BOOLEAN verify_reg[4];
IRSCAN 10, $013;
WAIT 100 USEC;
DRSCAN 4, $0, CAPTURE verify_reg[3..0];
JAM File for 28-nm FPGAs
STATE RESET;
STATE IDLE;
'Key Verification in JAM format
BOOLEAN verify_reg[9];
IRSCAN 10, $013;
WAIT 100 USEC;
DRSCAN 9, $0, CAPTURE verify_reg[8..0];
JAM File for 20-nm FPGAs
STATE RESET;
STATE IDLE;
'Key Verification in JAM format
BOOLEAN verify_reg[21];
IRSCAN 10, $013;
WAIT 100 USEC;
DRSCAN 21, $0, CAPTURE verify_reg[20..0];