Symmetric Cryptographic Intel FPGA Hard IP User Guide

ID 714305
Date 10/02/2023
Public

3. Parameters

You customize the IP core by specifying parameters in the IP parameter editor.
Figure 3. IP Parameter Editor
Table 16.  IP Parameter Settings
General

| Parameter | Supported Values | Default Setting | Description |
| --- | --- | --- | --- |
| AES | Enable, Disable | Enable | Enable or disable the AES algorithm. |
| SM4 | Enable, Disable | Enable | Enable or disable the SM4 algorithm. |

XTS Options

| Parameter | Supported Values | Default Setting | Description |
| --- | --- | --- | --- |
| XTS | Enable, Disable | Enable | Enable or disable the XTS mode. |
| Cipher Text Stealing | Enable, Disable | Enable | Enable or disable the Ciphertext Stealing (CTS) mode. |
| Allow XTS+other high-frequency interleaving | On, Off | On | When enabled, the logic counts the number of tweaks, CTS, and decryption keys within a window of time on the AXI-ST TX interface. If any threshold is reached (four tweaks within 20 clocks, three CTS within 20 cycles, or four decryption keys within 16 cycles), the interface is back pressured by de-asserting the tready signal. During the back pressure, the logic injects a dummy encryption key cycle using the channel 1023 XTS profile until the number of tweaks, CTS, or decryption keys within the window drops below the threshold. This logic prevents the ICA hard IP from overflowing the number of outstanding tweak, CTS, and decryption key events that it can support. This option can be disabled (turned off) to improve throughput and reduce resource usage if the traffic does not interleave XTS with Generic GCM or IPSEC, or if XTS+Generic GCM interleaving is frame-based and the key is always reprogrammed for each Generic GCM packet. XTS+MACSEC interleaving is not supported in this release. |

GCM Options

| Parameter | Supported Values | Default Setting | Description |
| --- | --- | --- | --- |
| Number of MACsec streams | 0-64 | 64 | Specifies the number of streams supported for the MACsec profile. 0 indicates that the MACsec profile is disabled. There is no MACsec profile packet on the ingress AXI-ST interface. |
| Allow key pre-programming for GCM profiles interleaving XTS | On, Off | On | Enable logic to monitor and control the IV count from the MACsec and Gen. GCM profiles when both XTS and "Allow XTS+other high-frequency interleaving" are enabled. |
| Enable Gen. GCM AAD-Bypass ingress padding | On, Off | Off | Enable or disable Generic GCM ingress bypass and AAD padding for 16-byte alignment. When enabled, an entire Generic GCM packet must be sent at a time, allowing only idle cycles in the middle. |
| Enable authentication check | On, Off | On | Enable or disable the authentication check on a packet decryption flow. |
| Enable Gen. GCM egress depadding | On, Off | Off | Enable Generic GCM egress padding removal on bypass, AAD and text. When enabled, an entire Generic GCM packet must be sent at a time, allowing only idle cycles in the middle, and only the XTS and Generic GCM profiles are supported. |
| Drop the MAC on applicable profile decryption | On, Off | Off | Enable or disable dropping the MAC on decryption and not sending it out from the Symmetric Cryptographic IP core. When Gen. GCM egress depadding is enabled, it is applicable only to the Generic GCM profile; otherwise it is applicable only to the MACsec profile. |

AXI-ST Options

| Parameter | Supported Values | Default Setting | Description |
| --- | --- | --- | --- |
| AXI-ST tvalid path additional latency | 0-6 | 0 | Specifies the additional number of pipelines needed for the tvalid/tdata signal path for timing convergence. Applicable only to the responder TX side. Maximum AXI-ST TX latency (ready path + valid path + mode base) is up to 12. Mode base is 0 if XTS and CTS modes are enabled; otherwise, mode base is 5. |
| AXI-ST tready path additional latency | 0-6 | 0 | Specifies the additional number of pipelines needed for the tready signal path for timing convergence. Applicable only to the responder TX side. Maximum AXI-ST TX latency (ready + valid signal path) is up to 13. |

AXI-LITE Options

| Parameter | Supported Values | Default Setting | Description |
| --- | --- | --- | --- |
| AXI_LITE ready latency | 0-2 | 0 | Specifies the additional number of pipelines needed for timing convergence. 0: No register. 1: One register on valid path. 2: One register each on both valid and ready paths. Applicable only to the AXI-Lite responder side. |

Example Design Options

| Parameter | Supported Values | Default Setting | Description |
| --- | --- | --- | --- |
| Example Design Configuration | GCM 1 x 512-bit interface, MACSEC 1 x 512-bit interface, IPSEC 1 x 512-bit interface, XTS 1 x 512-bit interface | GCM 1 x 512-bit interface | Selects the example design options. |
Acknowledgement: The example design is generated with only the Example Design Options specified in the drop-down menu. No other IP parameters that you specify apply to the example design generation.
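
The windowed thresholds described for "Allow XTS+other high-frequency interleaving" can be checked against a planned traffic pattern with a small behavioural model. The Python below is an added example, not Intel code or RTL; the function name simulate, the event labels, the window boundary convention and the one-beat-per-cycle rule are assumptions of the example, and the dummy key-cycle injection is not modelled.

```python
from collections import deque

# (event limit, window in clock cycles), as stated in the parameter description.
THRESHOLDS = {"tweak": (4, 20), "cts": (3, 20), "dec_key": (4, 16)}


def simulate(offered):
    """Model tready back pressure for a trace of AXI-ST TX beats.

    offered: list of (earliest_cycle, kind) in transmit order; kind is a
    THRESHOLDS key, or anything else (e.g. "data") for untracked beats.
    Returns (accept_cycles, stalled_cycles).
    Assumptions (not from the user guide): one beat per cycle, an event at
    cycle c counts at cycle t while t - c < window, and tready is low
    whenever any count has reached its limit.
    """
    history = {kind: deque() for kind in THRESHOLDS}
    accepted, stalled, last = [], 0, -1

    def ready(t):
        ok = True
        for kind, (limit, window) in THRESHOLDS.items():
            q = history[kind]
            while q and t - q[0] >= window:  # drop events that left the window
                q.popleft()
            if len(q) >= limit:              # threshold reached: tready low
                ok = False
        return ok

    for earliest, kind in offered:
        t = max(earliest, last + 1)
        while not ready(t):                  # the beat waits while tready is low
            t += 1
            stalled += 1
        if kind in history:
            history[kind].append(t)
        accepted.append(t)
        last = t
    return accepted, stalled


# Constructed traces, not captured from hardware.
BURST = [(0, "tweak"), (1, "tweak"), (2, "tweak"), (3, "tweak"), (4, "data")]
PACED = [(c, "tweak") for c in range(0, 70, 7)]

if __name__ == "__main__":
    print(simulate(BURST))  # four back-to-back tweaks stall the next beat
    print(simulate(PACED))  # one tweak every 7 cycles never reaches the limit
```
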