AN 886: Intel Agilex® 7 Device Design Guidelines

ID 683634
Date 10/09/2023
Public
Document Table of Contents

4. Security Considerations

Table 20.  Security Considerations Checklist
Number Done? Checklist Item
1   Consider whether your design requires device security features to be enabled. If so, plan to provide power to the VCCFUSEWR_SDM rail for authentication fuse management.
2   Consider whether your design requires bitstream encryption, and whether the encryption keys are stored in Battery-Backed RAM (BBRAM). If so, plan to provide power to the VCCBAT pin using a battery on the board.
3   Consider whether your design requires bitstream encryption, and whether the encryption keys are wrapped by IID PUF and stored in QSPI. If so, configuration mode needs to be Active Serial x4 (Normal or Fast mode) and the QSPI memory needs to be large enough to support the configuration and have memory space available (64 kB) for the PUF helper data.
4   Consider whether your design requires Black Key Provisioning or Attestation. If so, ensure there is no pull-down resistor on the TCK pin. An optional 10-kΩ pull-up resistor may be used to aid in noise suppression.
5   Consider whether your design requires Attestation. If so, configuration mode needs to be Active Serial x4 (Normal or Fast mode) and the QSPI memory needs to be large enough to support the configuration and have memory space available (128 kB) for the authority certificates.
6   Consider whether your design requires Physical Anti-Tamper, and whether the optional external response pins are to be used. If so, plan to use the correct SDM Optional Signal pins for TAMPERDETECTION and TAMPERRESPONSESTATUS.
Note: Physical Anti-Tamper is available only on non-VID parts.
7   Consider licensing terms that best suit your requirements for the available device variants.
Intel Agilex® 7 devices provide flexible and robust security features to protect sensitive data, intellectual property, and the device itself under both remote and physical attacks. Intel Agilex® 7 devices provide two main categories of security features:
  • Authentication—Authentication ensures that the device firmware and optionally the configuration bitstream are from a trusted source. Authentication is fundamental to Intel Agilex® 7 security in that any other Intel Agilex® 7 security features cannot be enabled without first enabling owner authentication. Device firmware authentication is always performed. Additionally, integrity verification of device firmware and bitstream is always performed in order to prevent an Intel Agilex® 7 device from loading a bitstream with unexpected changes, such as from corruption or malicious attack.
  • Encryption—Encryption protects confidential information in the owner configuration bitstream and reduces the threat of intellectual property theft.

When designing a system with an Intel Agilex® 7 device that utilizes the device security features, you must consider provisions for authentication key storage, permissions, and cancellation. You may also need to consider encryption key storage and management. The hash of the owner root public key is always stored in eFuses on an Intel Agilex® 7 device, and both Intel firmware key cancellation and owner authentication key cancellation are managed through eFuses as well. Therefore, it is important to provide appropriate power to the VCCFUSEWR_SDM pin. For more information about powering on VCCFUSEWR_SDM , refer to Intel Agilex® 7 Pin Connection Guidelines.

If bitstream encryption is enabled on the Intel Agilex® 7 device, you need to store the encryption key on the device. The encryption key may be stored in eFuses, Battery-Backed RAM (BBRAM) or QSPI. Storing the encryption key in eFuses is permanent, while storing the encryption key in BBRAM allows for key wipe or reprovisioning. If the design requires encryption key storage in BBRAM, a non-volatile battery must be connected to the VCCBAT pin. For more information about connecting a battery to the VCCBAT pin, refer to the Intel Agilex® 7 Pin Connection Guidelines. Storing the encryption key in QSPI requires the encryption key being wrapped using Intrinsic ID PUF. The use of Intrinsic ID technology requires a separate license agreement with IntrinsicID.  Intel® Quartus® Prime Pro Edition software restricts PUF operations, including enrollment and key wrapping, without the appropriate license.

If Attestation or Black Key Provisioning (BKP) is enabled on the Intel Agilex® 7 device, you need to use updated SDM firmware and use updated guidelines for TCK (JTAG clock).
  • You must update to the SDM firmware delivered with Intel® Quartus® Prime Pro Edition software version 21.3 and beyond.
  • For the TCK pin, ensure there is no pull-up down resistor on the TCK pin. Optionally, you may connect the TCK pin to the V CCIO_SDM supply using a 10-kΩ pull-up resistor to help with noise suppression.
Note: The existing guidance in the Intel Agilex® 7 Device Family Pin Connection Guidelines to connect TCK to a 1-kΩ pull-down resistor is included for noise suppression. The change in guidance to a 10-kΩ pull-up resistor is not expected to affect the device functionally.

For more information about connecting the TCK pin, refer to Intel Agilex® 7 Device Family Pin Connection Guidelines.