4.4. Protection of Encryption Key Embedded in FPGA Design
Many FPGA designs implement encryption, and there is often the need to embed secret keys in the FPGA bitstream. In newer device families, such as Intel® Stratix® 10 and Intel Agilex, there is a Secure Device Manager block that can securely provision and manage these secret keys. Where these features do not exist, you can secure the content of the FPGA bitstream, including any embedded secret user keys, with encryption.
- Develop and optimize the HDL in Intel® Quartus® Prime in a non-secure environment.
- Transfer the design to a secure environment and implement an automated process to update the secret key. The on-chip memory embeds the key value. When the key is updated, the memory initialization file (.mif) can change, and the “quartus_cdb --update_mif” assembler flow can change the HDCP protection key without recompiling. This step is very quick to run and preserves the original timing.
- Encrypt the Intel® Quartus® Prime bitstream with the FPGA key before transferring the encrypted bitstream back to the non-secure environment for final testing and deployment.
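The automated key update in the second step could be scripted as follows. This is an added example, not Intel code. The 32-bit word width, the byte order within each word, and the project and revision names passed to `update_commands` are assumptions that must match your own key memory instance and project.

```python
import os

WORD_BITS = 32  # assumed width of the on-chip key memory; match your design


def key_to_mif(key: bytes, word_bits: int = WORD_BITS) -> str:
    """Render key bytes as a Memory Initialization File, one word per address.

    Assumption: the first key byte is the most significant byte of word 0.
    """
    word_bytes = word_bits // 8
    if word_bits % 8 or not key or len(key) % word_bytes:
        raise ValueError("key length must be a non-zero multiple of the word size")
    words = [key[i:i + word_bytes] for i in range(0, len(key), word_bytes)]
    lines = [
        f"WIDTH={word_bits};",
        f"DEPTH={len(words)};",
        "ADDRESS_RADIX=HEX;",
        "DATA_RADIX=HEX;",
        "CONTENT BEGIN",
    ]
    lines += [f"  {addr:X} : {w.hex().upper()};" for addr, w in enumerate(words)]
    lines.append("END;")
    return "\n".join(lines) + "\n"


def write_secret_mif(path: str, key: bytes) -> None:
    """Write the .mif readable by its owner only, then swap it in atomically."""
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # tighten a stale temp file left with wider permissions
    with os.fdopen(fd, "w") as f:
        f.write(key_to_mif(key))
    os.replace(tmp, path)


def update_commands(project: str, revision: str) -> list[list[str]]:
    """Commands to run in the secure environment after the .mif changes.

    These refresh the memory contents and regenerate the bitstream without a
    full recompile; project and revision are placeholders for your own names.
    """
    return [
        ["quartus_cdb", project, "-c", revision, "--update_mif"],
        ["quartus_asm", project, "-c", revision],
    ]


if __name__ == "__main__":
    demo_key = bytes(range(16))  # constructed sample value, not a real key
    print(key_to_mif(demo_key))
```

Run the returned commands with `subprocess.run(cmd, check=True)` inside the secure environment, and encrypt the resulting bitstream before it leaves that environment.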