7.5. Design Security
The Intel® Arria® 10 design security feature supports the following capabilities:
- Enhanced built-in advanced encryption standard (AES) decryption block to support 256-bit key industry-standard design security algorithm (FIPS-197 Certified)
- Volatile and non-volatile key programming support
- Secure operation mode for both volatile and non-volatile key through tamper protection mode
- Limited accessible JTAG instruction during power-up in the JTAG Secure mode
- Supports POF authentication and protection against Side-Channel Attack
- Provides JTAG access control and security key control through fuse bit or option bits
- Disables all JTAG instructions from power-up until the device is initialized
- Supports board-level testing
- Supports off-board key programming for non-volatile key
- Stand-alone Qcrypt tool to encrypt and decrypt with other security settings to configuration bit stream.
- Available in all configuration schemes except JTAG
- Supports remote system upgrades feature
|Design Security Element||Description|
|Non-Volatile key||The non-volatile key is securely stored in fuses within the device. Proprietary security features make it difficult to determine this key.|
|Volatile Key||The volatile key is securely stored in battery-backed RAM within the device. Proprietary security features make it difficult to determine this key.|
|Key Generation||A user provided 256-bit key is processed by a one-way function before being programmed into the device.|
|Key Choice||Both volatile and non-volatile key can exist in a device. User can choose which key to use by setting the option bits in encrypted configuration file through the Convert Programming File tool or the Qcrypt tool.|
|Tamper Protection Mode||Tamper protection mode prevents the FPGA from being loaded with an unencrypted configuration file. When you enable this mode, the FPGA can only be loaded with a configuration that has been encrypted with your key. Unencrypted configurations and configurations encrypted with the wrong key results in a configuration failure. You can enable this mode by setting a fuse within the device.|
|Configuration Readback||These devices do not support a configuration readback feature. From a security perspective, this makes readback of your unencrypted configuration data infeasible.|
|Security Key Control||By using different JTAG instructions and the security option in the Qcrypt tool, you have the flexibility to permanently or temporarily disable the use of the non-volatile or volatile key. You can also choose to lock the volatile key to prevent it from being overwritten or reprogrammed.|
|JTAG Access Control||
You can enable various levels of JTAG access control by setting the OTP fuses or option bits in the configuration file using the Qcrypt tool:
- You cannot enable encryption and compression at the same time for all configuration scheme.
- When you use design security with Intel® Arria® 10 devices in an FPP configuration scheme, it requires a different DCLK-to-DATA ratio.
Did you find the information on this page useful?