Intel® Stratix® 10 Device Security User Guide

ID 683642
Date 12/15/2021
Public
Download
Document Table of Contents

5.4.1. Anti-Tamper Responses

You enable physical anti-tamper by selecting a response from the Anti-tamper response: dropdown on the Assignments > Device > Device and Pin Options > Security > Anti-Tamper tab. By default, the anti-tamper response is disabled.

Five categories of anti-tamper response are available. When you select your desired response, the options to enable one or more detection methods are enabled.
Figure 15. Available Anti-Tamper Response Options

You may individually select the Enable device self-kill response for each detection method.

If you enable Enable device self-kill response for any detection method, you must also generate a permit kill compact certificate, sign the compact certificate, and program the compact certificate to your device prior to loading a design with the self-kill response enabled.

Use one of the following commands to create a signature chain capable of signing a permit-type compact certificate. Note that permission bit 10 is used in this operation.
quartus_sign --family=stratix10 --operation=append_key \
--previous_pem=root_private.pem \
--previous_qky=root.qky \
--permission=0x400 \
--cancel=0 \
--input_pem=permit0_sign_public.pem permit0_sign_chain.qky
quartus_sign --family=stratix10 --operation=append_key --module=softHSM \
–module_args="--token_label=s10-token \
--user_pin=s10-token-pin \
--hsm_lib=/usr/local/lib/softhsm/libsofthsm2.so" \
--previous_keyname=root \
--previous_qky=root.qky \
--permission=0x400 \
--cancel=0 \
--input_keyname=permit0_sign permit0_sign_chain.qky
Use the following command to create an unsigned permit kill compact certificate.
quartus_pfg --ccert –o ccert_type=DEVICE_PERMIT_KILL unsigned_permit_kill.ccert
Use one of the following commands to sign the permit kill compact certificate.
quartus_sign --family=stratix10 --operation=sign \
--pem=permit0_sign_private.pem \
--qky=permit0_sign_chain.qky \
unsigned_permit_kill.ccert signed_permit_kill.ccert
quartus_sign --family=stratix10 --operation=sign --module=softHSM \
--module_args="--token_label=s10-token \
--user_pin=s10-token-pin \
--hsm_lib=/usr/local/lib/softhsm/libsofthsm2.so" \
--keyname=permit0_sign \
--qky=permit0_sign_chain.qky \
unsigned_permit_kill.ccert signed_permit_kill.ccert
Use the following command to program the compact certificate to your device.
quartus_pgm –c 1 –m jtag –o "p;signed_permit_kill.ccert"

When you enable an anti-tamper response, you may choose two available SDM dedicated I/O pins to output the tamper event detection and response status using the Assignments > Device > Device and Pin Options > Configuration > Configuration Pin Options window.

Figure 16. Available SDM dedicated I/O Pins for Tamper Event Detection