Intel® Stratix® 10 Device Design Guidelines

ID 683738
Date 8/24/2022
Document Table of Contents

Security Considerations

Table 60.  Security Considerations Checklist
Number Done? Checklist Item
1   Consider whether your design requires device security features to be enabled. If so, you must provide power to the VCCFUSEWR_SDM rail for authentication fuse management.
2   Consider whether your design requires bitstream encryption, and whether the encryption keys are stored in Battery-Backed RAM (BBRAM). If so, plan to provide power to the VCCBAT pin using a battery on the board.
3   Consider licensing terms that best suit your requirements for the available device variants.

Intel® Stratix® 10 devices provide flexible and robust security features to help protect sensitive data, intellectual property, and the device itself under both remote and physical attacks. Intel® Stratix® 10 devices provide two main categories of security features:

  • Authentication—Authentication helps ensure that the device firmware and optionally the configuration bitstream are from a trusted source. Device firmware authentication is always performed. Owner bitstream authentication must be enabled to use any other security features available on Intel® Stratix® 10 devices.
  • Encryption—Encryption helps protect confidential information in the owner configuration bitstream and reduces the threat of intellectual property theft.

When designing a system with an Intel® Stratix® 10 device that utilizes device security features, you must consider provisions for enabling and managing the features throughout the expected operating lifetime of the device. To enable owner bitstream authentication, you must program an owner root key hash into eFuses. For devices with design security features enabled, Intel strongly recommends updating to the latest available device firmware and canceling old firmware IDs as necessary. Cancellation of firmware and device design IDs are managed in eFuses. Therefore, you must provide appropriate power to the VCCFUSEWR_SDM pin if you enable device security features. Devices with design security features enabled are not able to respond to security vulnerabilities if they cannot blow fuses. For more information about powering on VCCFUSEWR_SDM, refer to the Intel® Stratix® 10 Device Family Pin Connection Guidelines. For more information about cancellation of firmware IDs, refer to the Intel® Stratix® 10 Device Security User Guide.

You may also need to consider encryption key storage and management. If bitstream encryption is enabled on the Intel® Stratix® 10 device, you need to store the encryption key on the device. The encryption key may be stored in Battery-Backed RAM (BBRAM) or eFuses. Storing the encryption key in eFuses is permanent, while storing the encryption key in BBRAM allows for key wipe or reprovisioning. If the design requires encryption key storage in BBRAM, a non-volatile battery must be connected to the VCCBAT pin. For more information about connecting a battery to the VCCBAT pin, refer to the Intel® Stratix® 10 Device Family Pin Connection Guidelines. Intel® Stratix® 10 devices with -BK suffix support black key provisioning which helps protect the confidentiality of the Advanced Encryption Standard (AES) root key during the provisioning process.

Table 61.  Authentication and Advanced Security Features Support for Intel® Stratix® 10 Devices

Security features are available in Intel® Stratix® 10 devices that support advanced security. Devices with advanced security enabled can only load firmware using the Intel® Quartus® Prime Pro Edition software.

Contact your Intel Sales representatives for more information about Intel® Stratix® 10 device security features.

Intel® Stratix® 10 Device Variant Authentication Advanced Security (Includes Encryption)
GX Yes -AS suffix devices
GX 10M Yes No
SX Yes -AS suffix devices
MX Yes -AS suffix devices
TX Yes -AS suffix devices
DX Yes Yes