- Generating Single-Device .ekp File and Encrypting Configuration File using Intel® Quartus® Prime Software
- Generating Single-Device .ekp File and Encrypting Configuration File using Command-Line Interface in Intel® Quartus® Prime Software
- Programming Volatile or Non-Volatile Key using Intel® FPGA Ethernet Cable and Intel® Quartus® Prime Software
- Programming Single-Device Volatile or Non-Volatile Key using the Command-Line Interface in Intel® Quartus® Prime Software
- Programming Multi-Device Volatile or Non-Volatile Key using the Command-Line Interface in Intel® Quartus® Prime Software
Using the Design Security Features in Intel® FPGAs
This application note describes how you can use the design security features in Intel® 40-, 28- and 20-nm FPGAs to protect your designs against unauthorized copying, reverse engineering, and tampering of your configuration files. This application note provides the hardware and software requirements for the 40-, 28- and 20-nm FPGAs design security features. This application note also provides steps for implementing secure configuration flow.
|40 nm||Arria® II and Stratix® IV|
|28 nm||Arria® V, Cyclone® V, and Stratix® V|
|20 nm||Intel® Arria® 10 and Intel® Cyclone® 10 GX|
In the commercial and military environments, design security is an important consideration for digital designers. As FPGAs start to play a role in larger and more critical system components, it is important to protect the designs from unauthorized copying, reverse engineering, and tampering. Intel FPGAs address these concerns by encrypting their configuration bitstreams with the 256-bit Advanced Encryption Standard (AES) algorithm.
|40 nm||Counter Mode (CTR)|
|28 nm||Cipher-block chaining (CBC)|
|20 nm||CTR and keyed-hash message authentication code (HMAC)|
During device operation, FPGAs store configuration data in SRAM configuration cells. Because SRAM memory is volatile, the SRAM cells must be loaded with configuration data each time the device powers up. Configuration data is typically sent from an external memory source, such as a flash memory or a configuration device, to the FPGA. It is possible to intercept the configuration data when it is being sent from the memory source to the FPGA. If the configuration data were not encrypted, you could use the intercepted configuration data to configure another FPGA.
Intel FPGAs offer both volatile and non-volatile key storage. The key is stored in FPGAs when using the design security feature. Depending on the security mode, you can configure the FPGAs with a configuration file that is encrypted with the same key, or for board testing, configure with a normal configuration file.
The design security feature is available when configuring the FPGAs with fast passive parallel (FPP) configuration scheme with an external host (such as a MAX® II or MAX V device or microprocessor) or when using active serial (AS) or passive serial (PS) configuration schemes.
Overview of the Design Security Feature
Hardware and Software Requirements
Steps for Implementing a Secure Configuration Flow
Steps to Enable Tamper-Protection Bit Programming
Supported Configuration Schemes
Security Mode Verification
Serial Flash Loader Support with Encryption Enabled
Serial Flash Loader Support with Encryption Enabled for Single FPGA Device Chain
JTAG Secure Mode for 28-nm and 20-nm FPGAs
Document Revision History for AN 556: Using the Design Security Features in Intel FPGAs
Did you find the information on this page useful?