Visible to Intel only — GUID: bhc1410500754403
Ixiasoft
Overview of the Design Security Feature
Hardware and Software Requirements
Steps for Implementing a Secure Configuration Flow
Steps to Enable Tamper-Protection Bit Programming
Supported Configuration Schemes
Security Mode Verification
Serial Flash Loader Support with Encryption Enabled
Serial Flash Loader Support with Encryption Enabled for Single FPGA Device Chain
JTAG Secure Mode for 28-nm and 20-nm FPGAs
Document Revision History for AN 556: Using the Design Security Features in Intel® FPGAs
Generating Single-Device .ekp File and Encrypting Configuration File using Intel® Quartus® Prime Software
Generating Single-Device .ekp File and Encrypting Configuration File using Command-Line Interface in Intel® Quartus® Prime Software
Generating Multi-Device .ekp File and Encrypting Configuration File using Intel® Quartus® Prime Software
Programming Volatile or Non-Volatile Key using Intel® FPGA Ethernet Cable and Intel® Quartus® Prime Software
Programming Single-Device Volatile or Non-Volatile Key using Intel® Quartus® Prime Software
Programming Single-Device Volatile or Non-Volatile Key using the Command-Line Interface in Intel® Quartus® Prime Software
Programming Multi-Device Volatile or Non-Volatile Key using Intel® Quartus® Prime Software
Programming Multi-Device Volatile or Non-Volatile Key using the Command-Line Interface in Intel® Quartus® Prime Software
Programming Key using JTAG Technologies
Visible to Intel only — GUID: bhc1410500754403
Ixiasoft
Steps for Implementing a Secure Configuration Flow
To implement a secure configuration flow, follow these steps:
- Generate the .ekp file and encrypt the configuration data.
The Intel® Quartus® Prime configuration software always uses the user-defined 256-bit key to generate a key programming file and an encrypted configuration file. The encrypted configuration file is stored in an external memory, such as a flash memory or a configuration device. For details, refer to Step 1: Generating .ekp File and Encrypting Configuration File.Note: For the 20-nm FPGAs, you can also encrypt an .rbf by using the stand-alone Qcrypt tool with extended security options.
- Program the user-defined 256-bit key into the FPGAs.
For details, refer to Step 2a: Programming Volatile Key into the FPGAs and Step 2b: Programming Non-Volatile Key into the FPGAs.
- Configure the 40-nm, 28-nm or 20-nm FPGA device.
At power up, the external memory source sends the encrypted configuration file to the FPGA. The device uses the stored key to decrypt the file and to configure itself. For details about how to configure FPGAs with encrypted configuration data, refer to Step 3: Configuring the 40-nm, 28-nm, or 20-nm FPGAs with Encrypted Configuration Data.Figure 1. Secure Configuration Flow