Symmetric Cryptographic Intel FPGA Hard IP User Guide

ID 714305
Date 10/31/2022
Public

A newer version of this document is available. Customers should click here to go to the newest version.

Document Table of Contents

1.2.1. IP Core Applications

You can utilize the IP core in various applications dependent on the selected profile. Each profile enables you to process data using specific cryptographic settings.
The Symmetric Cryptographic IP core supports the following profiles:
  • MACsec profile
  • IPsec profile
  • Generic GCM profile
  • Generic XTS profile

The following diagrams depicts a few applications utilizing various profiles.

Figure 1. Example of a Network Storage and Confidential Computing Application

In this use case, a packet is received through the left-side HSSI subsystem, where a general packet classifier classifies the packet. If the packet is a key management packet, it is routed to the HPS. The key management packet then goes through a DDR lookup operation by using EML (Exact Match Lookup) IP for the key allocation, deletion, or modification process.

However, if the packet received from the left-side HSSI subsystem is a regular data packet, it is routed to a security protocol IP such as MACsec/IPsec IP for processing. Packets that are processed by MACsec/IPsec IP can then use the Symmetric Cryptographic Intel FPGA Hard IP for packet encryption/decryption. The processed packets are then sent out to another port through the right-side HSSI subsystem.

Figure 2. Example of a Hybrid Security ApplicationThe example depicts the usage of a GCM or XTS profile.

This example shows how Symmetric Cryptographic Intel FPGA Hard IP can be used as a Lookaside Crypto Accelerator from the host. A multichannel DMA is used to fetch the traffic from the host through the PCIe Subsystem.

The user data is then processed either through network storage or through confidential computing user logic, where it is encrypted or decrypted through Symmetric Cryptographic Intel FPGA Hard IP. The processed data can then be sent to the host through DMA.