AN 886: Intel® Agilex™ Device Design Guidelines

ID 683634
Date 8/26/2022

A newer version of this document is available. Customers should click here to go to the newest version.

Document Table of Contents
Give Feedback

4. Security Considerations

Table 20.  Security Considerations Checklist
Number Done? Checklist Item
1   Consider whether your design requires device security features to be enabled. If so, plan to provide power to the VCCFUSEWR_SDM rail for authentication fuse management.
2   Consider whether your design requires bitstream encryption, and whether the encryption keys are stored in Battery-Backed RAM (BBRAM). If so, plan to provide power to the VCCBAT pin using a battery on the board.
3   Consider licensing terms that best suit your requirements for the available device variants .
Intel® Agilex™ devices provide flexible and robust security features to protect sensitive data, intellectual property, and the device itself under both remote and physical attacks. Intel® Agilex™ devices provide two main categories of security features:
  • Authentication—Authentication ensures that the device firmware and optionally the configuration bitstream are from a trusted source. Authentication is fundamental to Intel® Agilex™ security in that any other Intel® Agilex™ security features cannot be enabled without first enabling owner authentication. Device firmware authentication is always performed. Additionally, integrity verification of device firmware and bitstream is always performed in order to prevent an Intel® Agilex™ device from loading a bitstream with unexpected changes, such as from corruption or malicious attack.
  • Encryption—Encryption protects confidential information in the owner configuration bitstream and reduces the threat of intellectual property theft.

When designing a system with an Intel® Agilex™ device that utilizes the device security features, you must consider provisions for authentication key storage, permissions, and cancellation. You may also need to consider encryption key storage and management. The hash of the owner root public key is always stored in eFuses on an Intel® Agilex™ device, and both Intel firmware key cancellation and owner authentication key cancellation are managed through eFuses as well. Therefore, it is important to provide appropriate power to the VCCFUSEWR_SDM pin. For more information about powering on VCCFUSEWR_SDM, refer to Intel® Agilex™ Pin Connection Guidelines.

If bitstream encryption is enabled on the Intel® Agilex™ device, you need to store the encryption key on the device. The encryption key may be stored in Battery-Backed RAM (BBRAM) or eFuses. Storing the encryption key in eFuses is permanent, while storing the encryption key in BBRAM allows for key wipe or reprovisioning. If the design requires encryption key storage in BBRAM, a non-volatile battery must be connected to the VCCBAT pin. For more information about connecting a battery to the VCCBAT pin, refer to the Intel® Agilex™ Pin Connection Guidelines.

If Attestation or Black Key Provisioning (BKP) is enabled on the Intel® Agilex™ device, you need to use updated SDM firmware and use updated guidelines for TCK (JTAG clock).
  • You must update to the SDM firmware delivered with Intel® Quartus® Prime Pro Edition software version 21.3 and beyond.
  • For the TCK pin, you must either leave the TCK pin unconnected, or connect the TCK pin to the VCCIO_SDM supply using a 10-kΩ pull-up resistor.
Note: The existing guidance in the Intel® Agilex™ Device Family Pin Connection Guidelines to connect TCK to a 1-kΩ pull-down resistor is included for noise suppression. The change in guidance to a 10-kΩ pull-up resistor is not expected to affect the device functionally.

For more information about connecting the TCK pin, refer to Intel® Agilex™ Device Family Pin Connection Guidelines.