4. Security Considerations
|1||Consider whether your design requires device security features to be enabled. If so, plan to provide power to the VCCFUSEWR_SDM rail for authentication fuse management.|
|2||Consider whether your design requires bitstream encryption, and whether the encryption keys are stored in Battery-Backed RAM (BBRAM). If so, plan to provide power to the VCCBAT pin using a battery on the board.|
|3||Consider licensing terms that best suit your requirements for the available device variants.|
- Authentication—Authentication ensures that the device firmware and, optionally, the configuration bitstream are from a trusted source. Authentication is fundamental to Intel® Agilex™ security in that no other Intel® Agilex™ security feature can be enabled without first enabling owner authentication. Device firmware authentication is always performed. Additionally, integrity verification of device firmware and bitstream is always performed to prevent an Intel® Agilex™ device from loading a bitstream with unexpected changes, such as from corruption or malicious attack.
- Encryption—Encryption protects confidential information in the owner configuration bitstream and reduces the threat of intellectual property theft.
When designing a system with an Intel® Agilex™ device that utilizes the device security features, you must consider provisions for authentication key storage, permissions, and cancellation. You may also need to consider encryption key storage and management. The hash of the owner root public key is always stored in eFuses on an Intel® Agilex™ device, and both Intel firmware key cancellation and owner authentication key cancellation are managed through eFuses as well. Therefore, it is important to provide appropriate power to the VCCFUSEWR_SDM pin. For more information about powering on VCCFUSEWR_SDM, refer to Intel® Agilex™ Pin Connection Guidelines.
If bitstream encryption is enabled on the Intel® Agilex™ device, you need to store the encryption key on the device. The encryption key may be stored in Battery-Backed RAM (BBRAM) or eFuses. Storing the encryption key in eFuses is permanent, while storing the encryption key in BBRAM allows for key wipe or reprovisioning. If the design requires encryption key storage in BBRAM, a non-volatile battery must be connected to the VCCBAT pin. For more information about connecting a battery to the VCCBAT pin, refer to the Intel® Agilex™ Pin Connection Guidelines.
- You must update to the SDM firmware delivered with Intel® Quartus® Prime Pro Edition software version 21.3 and beyond.
- For the TCK pin, you must either leave the TCK pin unconnected, or connect the TCK pin to the VCCIO_SDM supply using a 10-kΩ pull-up resistor.
For more information about connecting the TCK pin, refer to Intel® Agilex™ Device Family Pin Connection Guidelines.