HPS Security Feature Differences
The Cyclone® V and Arria® V families offer basic security functionality with ARM TrustZone® and Advanced Encryption Standard (AES) encryption.
The Arria® 10 family improves on Cyclone® V and Arria® V security with the following features:
- Recognition of secure fuse configuration
- Secure state control and status check of security features
- Secure boot options
- Varying levels of debug visibility
- Anti-tamper support
The Stratix® 10, Agilex™ 7, Agilex™ 5, and Agilex™ 3 families include the Secure Device Manager (SDM). The SDM implements the following functions:
- Device configuration
- Security features
- Booting the HPS
The SDM provides a robust, secure, and fully authenticated configuration scheme, allowing you to customize device configuration. Advantages of the SDM, compared to security features in earlier Altera SoC device families, include:
- Improved configuration time
- Improved response to single-event upset
- Reactive zeroization of data as a response to security breaches
- Key management and update
- Field upgrade support
This combination of features and flexibility enables you to create secure designs that protect sensitive intellectual property (IP) and data in both FPGA and SoC devices.
The following table summarizes the differences in the security features among the various SoC families.
Security Feature Location | Cyclone® V SoC, Arria® V SoC | Arria® 10 SoC | Stratix® 10 SoC, Agilex™ 7 F-Series/I-Series/M-Series SoC, Agilex™ 5 E-Series/D-Series SoC, Agilex™ 3 C-Series SoC |
---|---|---|---|
Security Fuses | N/A | Security Manager | SDM |
AES Decryption | N/A | Security Manager | SDM |
Authentication | N/A | Security Manager | SDM |
HPS Boot Reset | Reset Manager | Security Manager | SDM |
Anti-tamper RAM Scramble | N/A | Security Manager | SDM |
Control of Secure Boot | N/A | Security Manager | SDM |
For more information, refer to the Security Methodology User Guide (RDC Item #724441).
| Category | Feature | Stratix® 10 SoC | Agilex™ 7 F-Series/I-Series/M-Series SoC | Agilex™ 5 E-Series/D-Series SoC | Agilex™ 3 C-Series SoC |
|---|---|---|---|---|---|
| Authentication | Bitstream Authentication | Yes | Yes | Yes | Yes |
| | Vendor Authorized Boot | No | Yes | Yes | Yes |
| Authentication | Bitstream Encryption - AES-256-CTR | Yes | Yes | Yes | Yes |
| | Encryption Key Storage: eFuse | Yes | Yes | Yes | Yes |
| | Encryption Key Storage: BBRAM | Yes | Yes | Yes | No |
| | Encryption Key Storage: PUF Wrapped (Flash) | Yes | Yes | Yes | Yes¹⁵ |
| | Black Key Provisioning | Yes | Yes | Yes | Yes¹⁵ |
| | Attestation | Yes | Yes | Yes | Yes¹⁵ |
| Advanced Features | Physical Anti-Tamper | Yes | Yes | Yes | Yes |
| | Secure Data Object Storage | No | Yes | Yes | Yes¹⁵ |
| | Cryptographic Primitive Services | No | Yes¹⁶ ¹⁷ | Yes¹⁸ | Yes¹⁵ |