AN 556: Using the Design Security Features in Intel FPGAs

ID 683269
Date 5/21/2021
Public

Document Revision History for AN 556: Using the Design Security Features in Intel® FPGAs

Document Version Changes
2021.05.21 Added a note to Generating Single-Device .ekp File and Encrypting Configuration File using Command-Line Interface in Intel® Quartus® Prime Software.
2019.11.12 Updated the Key Programming section:
  • Updated the footnote for Intel® FPGA Download Cable II.
  • Added a note to state that the JTAG TCK pulse width (period) for other third-party non-volatile key programming must be regulated for proper polyfuse programming.
2018.12.11 Updated the Generating Single-Device .ekp File and Encrypting Configuration File using Intel® Quartus® Prime Software section to correct the key file examples.
2018.06.15
  • Updated the description in the Overview of the Design Security Feature section.
  • Updated the description in the Design Security Approach for 40-nm and 28-nm FPGAs table.
  • Removed the note to the design protection option in the Volatile and Non-Volatile Key Comparison table.
  • Corrected the note to Intel® FPGA Parallel Port Cable in the Key Programming Methods table.
  • Updated the description for --decrypt in the Basic Options in Qcrypt Tool table.
  • Updated the information on encrypting an .rbf by using the stand-alone Qcrypt tool in the Steps for Implementing a Secure Configuration Flow section.
  • Added steps in the Generating Single-Device .ekp File and Encrypting Configuration File using Intel® Quartus® Prime Software section.
  • Added the Steps to Enable Tamper-Protection Bit Programming section.
  • Updated the PS and JTAG configuration schemes in the Design Security Support for Each Configuration Scheme table.
  • Added description for the examples in the Security Mode Verification section.
  • Updated the Internal and External JTAG Interface Connection diagram.
  • Corrected the functions for the jtag_core_en_out, tck_out, tdi_out, and tms_out ports in the Input and Output Port of the User Logic table.
  • Renamed the following IP cores as per Intel rebranding:
    • Renamed Intel FPGA Parallel Flash Loader IP core to Parallel Flash Loader Intel FPGA IP core.
    • Renamed Intel FPGA Serial Flash Loader IP core to Serial Flash Loader Intel FPGA IP core.
Date Version Changes
December 2017 2017.12.18
  • Added support for Intel Cyclone 10 GX device family.
  • Updated the "Specifications for Key Programming" table: Updated the Non-Volatile Key and Volatile Key descriptions for TCK period.
  • Updated the "Security Mode Verification for 20-nm FPGAs" table: Added footnotes for bits 11 and 13 to clarify that these bits are not applicable to Intel Cyclone 10 GX devices.
  • Updated for latest Intel® branding standards.
  • Updated --lockto=<FILE_NAME.qlk> security option description in Security Options in Qcrypt Tool table.
  • Made minor text edits to the document.
June 2016 2016.06.01
  • Added Arria 10 Qcrypt Tool information.
  • Added information that the tamper-protection bit and JTAG Secure can be enabled separately in 20-nm FPGAs.
  • Added software requirements for 20-nm FPGAs.
  • Added two additional steps for 20-nm FPGAs in Generating Single-Device .ekp File and Encrypting Configuration File using Intel® Quartus® Prime Software.
  • Added 20-nm FPGA JTAG Secure verification methods.
  • Added note that the EXTEST_PULSE, EXTEST_TRAIN, and KEY_VERIFY JTAG instructions can be used during JTAG Secure mode.
  • Updated Arria 10 JTAG atom.
  • Added separate security approach for 20-nm FPGAs.
  • Added note that encryption and compression cannot be used simultaneously in 20-nm FPGAs.
  • Updated TCK period non-volatile key specification for 20-nm FPGAs.
  • Added note that USB-Blaster supports volatile and non-volatile keys for 20-nm FPGAs.
November 2015 2015.11.02
  • Added note that the user needs to set the TCK speed to the required TCK period for EthernetBlaster II, and added a link to the EthernetBlaster II Communications Cable User Guide.
  • Changed instances of Quartus II to Quartus Prime.
June 2015 2015.06.15 Added link to JTAG Secure Mode Design Example.
May 2015 2015.05.04 Corrected the total number of characters in the .key file example.
January 2015 2015.01.23
  • Added 20-nm FPGAs (Arria 10) support.
  • Added JAM file example for 20-nm.
  • Added Security Mode Verification for 20-nm table.
  • Added JTAG WYSIWYG atom for Arria 10.
  • Added AES modes in Altera FPGAs.
December 2014 2014.12.15 Added USB-Blaster II support for non-volatile security key programming.
September 2014 2014.09.30
  • Added example .key file in How to Generate the Single-Device .ekp File and Encrypt the Configuration File using Quartus II Software.
  • Removed VCCBAT voltage guideline and added device family pin connection guidelines links for updated values in Hardware Requirements.
  • Added note to modes with tamper protection in Security Mode Verification for 28-nm FPGAs.
  • Added Verification During JTAG Secure Mode subsection to tamper bit protection settings during JTAG Secure mode.
May 2014 2014.05.19 Updated the Non-Volatile and Volatile Key Storage section to include information on using valid MSEL pin settings.
June 2013 2013.06.19
  • Updated the Design Security Approach for FPGAs table to include more design security features.
  • Updated the Non-Volatile and Volatile Key Storage section to include details on both volatile and non-volatile key storage.
  • Updated the Key Programming section to include support for both 28-nm and 40-nm FPGAs using the System General programming tool.
  • Updated the Hardware Requirements section to update the Specifications for Key Programming table.
  • Updated the Steps for Implementing a Secure Configuration Flow section.
  • Updated the Step 1: Generate the .ekp File and Encrypt Configuration File, Step 2a: Program the Volatile Key into the FPGAs, and Step 2b: Program the Volatile Key into the FPGAs sections.
  • Updated the How to Generate the Single-Device .ekp File and Encrypt the Configuration File using Quartus II Software to include information about the encryption key for 28-nm and 40-nm FPGAs.
  • Updated the Security Mode Verification section to update the security mode and its associated bit values for both 28-nm and 40-nm FPGAs.
  • Updated the JTAG Secure Mode for 28-nm FPGAs section to include more information about the mandatory and non-mandatory JTAG instructions, internal JTAG interface and external JTAG interface, WYSIWYG atom functions, and design example for JTAG secure mode.
  • Moved all links in all topics to the Related Information section for easy reference.
June 2012 2.1
  • Updated Table 1 and Table 3.
  • Updated .ekp file verification error information.
  • Updated "Hardware Requirements" section.
June 2011 2.0
  • Updated application note for the Quartus II software version 11.0 release.
  • Changed the specific device names to 40- or 28-nm FPGAs.
  • Added "Security Mode Verification" and "JTAG Secure Mode for 28-nm FPGAs" sections.
  • Added Table 1.
  • Added Table 5.
  • Added Example 3, Example 4, and Example 5.
  • Updated Figure 1.
  • Minor text edits.
June 2009 1.1
  • Updated "Introduction" on page 1.
  • Updated "Overview of the Design Security Feature" on page 2.
  • Updated "Security Encryption Algorithm" on page 2.
  • Updated "Non-Volatile and Volatile Key Storage" on page 3.
  • Updated (Note 3) of Table 2 on page 4.
  • Updated "Hardware and Software Requirements" on page 4.
  • Updated (Note 1) of Table 3 on page 5.
  • Updated "Steps for Implementing a Secure Configuration Flow" on page 5.
  • Updated "Step 2a: Program the Volatile Key into the Arria II GX or Stratix IV Devices" on page 17.
  • Updated "Step 2b: Program the Non-Volatile Key into the Arria II GX or Stratix IV Devices" on page 18.
  • Updated "Step 3: Configure the Arria II GX or Stratix IV Devices with Encrypted Configuration Data" on page 24.
  • Added Table 3 on page 28.
  • Updated Figure 1 on page 6 and Figure 26 on page 29.
March 2009 1.0 Initial release.