HDMI Stratix® 10 FPGA IP Design Example User Guide

ID 683701
Date 4/09/2024
Public
Document Table of Contents

4.4. Protection of Encryption Key Embedded in FPGA Design

Many FPGA designs implement encryption, and there is often the need to embed secret keys in the FPGA bitstream. In newer device families, such as Stratix® 10 and Agilex™ 7, there is a Secure Device Manager block that can securely provision and manage these secret keys. Where these features do not exist, you can secure the content of the FPGA bitstream, including any embedded secret user keys, with encryption.

The user keys should be kept secure within your design environment, and ideally add to the design using an automated secure process. The following steps show how you can implement such a process with Quartus® Prime tools.
  1. Develop and optimize the HDL in Quartus® Prime in a non-secure environment.
  2. Transfer the design to a secure environment and implement an automated process to update the secret key. The on-chip memory embed the key value. When the key is updated, the memory initialization file (.mif) can change and the “quartus_cdb --update_mif” assembler flow can change the HDCP protection key without re-compiling. This step is very quick to run and preserves the original timing.
  3. The Quartus® Prime bitstream then encrypt with the FPGA key before transferring the encrypted bitstream back to the non-secure environment for final testing and deployment.
It is recommended to disable all debug access that can recover the secret key from the FPGA. You can disable the debug capabilities completely by disabling the JTAG port, or selectively disable and review that no debug features such as in-system memory editor or Signal Tap can recover the key. Refer to Intel Stratix 10 Device Security User Guide for further information on using FPGA security features including specific steps on how to encrypt the FPGA bitstream and configure security options such as disabling JTAG access.
Note: You can consider the additional step of obfuscation or encryption with another key of the secret key in the MIF storage.